Trust system write-up
Eric McCorkle
eric at metricspace.net
Mon Oct 23 22:28:03 UTC 2017
On 10/23/2017 12:14, Ian Lepore wrote:
> Any thoughts on how to validate executables which are not elf binaries,
> such as shell scripts, python programs, etc?
I hadn't really thought in depth about it, as my main initial goal is
signed kernel/modules, but I have given it some thought...
Arguably the "right" way to do it would be to have the signing mechanism
be part of the platform. For example, the JVM has conventions for jar
signing. Not clear how this relates to shell scripts though.
An alternative is something like the NetBSD veriexec framework, where
there's MACs for specific files. That stuff is mostly orthogonal to the
public-key approach I'm working on here, but there's possibly some
interplay.
More information about the freebsd-arch
mailing list