• 1

Doesn't seem to be at odds...

It doesn't seem to be at odds, because if your kernel is signed, the update could be signed as well. You just need to maintain the chain of trust for the Ksplice updates.

Re: Doesn't seem to be at odds...

Ideally ksplice would hook into something like the IMA framework to measure whatever patches they're applying to your kernel. You could then get these measurements from a log like they do for loaded modules. Then you'd be reasoning over measurements from your kernel and the modifications made to it at run time.

Not simple by any stretch but it would be pretty complete.

  • 1

Log in