[indiana-discuss] Free (freelist) 1717987020927 pages
Mark Phalan
Mark.Phalan at Sun.COM
Tue Jul 1 15:22:35 PDT 2008
On 1 Jul 2008, at 23:58, Dennis Clarke wrote:
> On Tue, Jul 1, 2008 at 9:40 PM, Mike Gerdts <mgerdts at gmail.com> wrote:
>> On Tue, Jul 1, 2008 at 11:53 AM, Dennis Clarke
>> <blastwave at gmail.com> wrote:
>>> As a side note, and tangential to this discussion, I have long felt
>>> that we need a md5hash database in the system that would prevent this
>>> sort of hackery from taking place and making a change to a system
>>> state via some hacked up binary. Making a change to the kernel should
>>> be a strict no no .. but it is possible.
>>
>> Excellent idea!
>>
>> $ elfsign verify /kernel/kmdb/sparcv9/genunix
>> elfsign: verification of /kernel/kmdb/sparcv9/genunix passed.
>
> # ls -lap /etc/crypto/certs
> total 20
> drwxr-xr-x 2 root sys 512 Apr 16 17:14 ./
> drwxr-xr-x 4 root sys 512 Apr 16 17:48 ../
> -rw-r--r-- 1 root sys 1194 Jan 21 2005 CA
> -rw-r--r-- 2 root sys 1761 Mar 12 04:12 SUNWObjectCA
> -rw-r--r-- 1 root sys 1665 Jan 21 2005 SUNW_SunOS_5.10
> -rw-r--r-- 1 root sys 1591 Aug 9 2007 SUNW_SunOS_5.11_Limited
> # elfsign verify -v /kernel/kmdb/sparcv9/genunix
> elfsign: verification of /kernel/kmdb/sparcv9/genunix passed.
> format: rsa_md5_sha1.
> signer: CN=SunOS 5.10, OU=Solaris Signed Execution, O=Sun Microsystems Inc.
> #
>
> I'm not sure how that works but I can only guess that it does. If I
> hack up the kernel with a hex editor I don't see how GRUB ( on x86 )
> is going to catch that and stop the boot process.
If the x86 machine has a TPM then it should be catch'able...
http://opensolaris.org/os/project/valex/
is the project you're after.
-Mark
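
An added illustration of the TPM point in the reply above (not part of the original message, and not code from the valex project): a Python model of the TPM 1.2 PCR extend operation, showing why a one-byte edit to a measured kernel changes the final PCR value and which component a verifier would flag. The component names and bytes are constructed, and which components a given boot path actually measures is an assumption.

```python
import hashlib

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest

def extend(pcr, digest):
    """TPM 1.2 extend operation: PCR_new = SHA1(PCR_old || digest)."""
    return hashlib.sha1(pcr + digest).digest()

def measure(chain):
    """Measure each (name, blob) before it would run; return (event_log, pcr)."""
    pcr, log = bytes(PCR_SIZE), []
    for name, blob in chain:
        digest = hashlib.sha1(blob).digest()
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return log, pcr

def replay(log):
    """Recompute the PCR value a verifier expects from an event log."""
    pcr = bytes(PCR_SIZE)
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr

def check_boot(golden_log, golden_pcr, observed_log, observed_pcr):
    """Return (trusted, name of first component whose measurement changed)."""
    if replay(observed_log) != observed_pcr:
        return False, "event log does not match PCR"
    if observed_pcr == golden_pcr:
        return True, None
    for (name, good), (_, seen) in zip(golden_log, observed_log):
        if good != seen:
            return False, name
    return False, "chain length changed"

# Constructed sample boot chain (placeholder bytes, not real binaries).
GOOD = [("stage2", b"\x7fELF-loader"), ("genunix", b"\x7fELF-kernel-text"),
        ("boot_archive", b"ramdisk-contents")]
# Same chain with one kernel byte changed, as a hex editor would do.
PATCHED = [GOOD[0], ("genunix", b"\x7fELF-kernel-texu"), GOOD[2]]

if __name__ == "__main__":
    g_log, g_pcr = measure(GOOD)
    print(check_boot(g_log, g_pcr, *measure(GOOD)))
    print(check_boot(g_log, g_pcr, *measure(PATCHED)))
```

The comparison only means something if the golden values are held where the booted system cannot rewrite them, for example on a remote verifier or as the policy a TPM-sealed secret is bound to.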