Hi,
as will be able to see in todays rawhide, we're experimenting with
adding a patch for gpg-signed kernel modules. The idea behind this is
for the administrator to *optionally* [1] restrict the set of modules
that can be linked into the kernel. In selinux context one can even
eventually allow different security contexts to load different subsets
of modules, by restricting certain contexts to a predefined gpg keys
only.
The work isn't complete yet by far, this is just a heads up. Input for
creative uses of this infrastructure is welcome :)
Greetings,
Arjan van de Ven
[1] And I repeat *optionally*.