On Sat, Sep 14 2013, Henrique de Moraes Holschuh wrote:

> Package: kernel-package
> Version: 12.036+nmu3
> Severity: important
>
> /usr/share/kernel-package/ruleset/targets/image.mk does this:
>
> find $(TMPTOP)$(DEBUGDIR) -type f -name \*.ko | \
> while read file; do
> origfile=`echo $$file | sed -e 's,$(DEBUGDIR),,g'`;
> echo $(OBJCOPY) --only-keep-debug $$file;
> $(OBJCOPY) --only-keep-debug $$file;
> echo $(OBJCOPY) --add-gnu-debuglink=$$file $$origfile;
> $(OBJCOPY) --add-gnu-debuglink=$$file $$origfile;
> done
>
> which corrupts module signatures.

True. But it does add a link to the dbg paths that will be populated if you install that. Incidentally, this is what the upstream make deb-pkg does.

> Module signatures are important, there are several rootkits that are
> neutralized when the kernel refuses to load unsigned modules.

It is a trade off. Being able to debug vs signed modules. I suspect the trade off goes differently for vendor kernel packages and home brewed ones.

Even without the objcopy, would the signed modules have the same signatures as the self compiled version? Is this a hypothetical, or do we have a concrete degradation in security?

manoj
--
"If you want to eat hippopotamus, you've got to pay the freight." attributed to an IBM guy, about why IBM software uses so much memory
Manoj Srivastava <sriva...@acm.org> <http://www.golden-gryphon.com/>
4096R/C5779A1C E37E 5EC5 2A01 DA25 AD20 05B6 CF48 9438 C577 9A1C
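Added example, not part of the original message or of kernel-package: a check for whether a packaged `.ko` file still ends with the kernel's appended signature trailer (`struct module_signature` followed by the marker `~Module signature appended~\n`), which is the part of the file at stake in the exchange above. The helper `build_constructed_module` and its field values are constructed sample data; the check covers presence and structure of the trailer only, not cryptographic validity.

```python
import struct
import sys

# Marker the kernel's sign-file tool appends after the signature (28 bytes).
MODSIG_MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then the big-endian signature length (12 bytes in total).
MODSIG_INFO = struct.Struct(">BBBBB3xI")


def parse_modsig_trailer(data):
    """Return the signature trailer fields, or None if no intact trailer."""
    if not data.endswith(MODSIG_MAGIC):
        return None
    info_end = len(data) - len(MODSIG_MAGIC)
    info_start = info_end - MODSIG_INFO.size
    if info_start < 0:
        return None
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = \
        MODSIG_INFO.unpack(data[info_start:info_end])
    payload_len = signer_len + key_id_len + sig_len
    if sig_len == 0 or payload_len > info_start:
        return None  # lengths point outside the file: damaged trailer
    return {
        "algo": algo, "hash": hash_id, "id_type": id_type,
        "signer_len": signer_len, "key_id_len": key_id_len,
        "sig_len": sig_len,
        "module_len": info_start - payload_len,  # bytes the signature covers
    }


def build_constructed_module(body, signer=b"builder",
                             key_id=b"\x01\x02\x03\x04", sig=b"\xaa" * 64):
    """Constructed sample: fake module body plus a well-formed trailer."""
    # algo=1, hash=4, id_type=1 are constructed placeholder values.
    info = MODSIG_INFO.pack(1, 4, 1, len(signer), len(key_id), len(sig))
    return body + signer + key_id + sig + info + MODSIG_MAGIC


if __name__ == "__main__":
    # Usage: python3 check_modsig.py path/to/module.ko [more.ko ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            fields = parse_modsig_trailer(fh.read())
        print(path, "signature trailer present" if fields
              else "NO signature trailer")
```

Running it over the modules in a built package, before and after the debuglink step, shows whether the trailer survived packaging.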