nV News Forums

 
 


computerix 11-23-09 02:13 PM

Security questions...
 
I'm going to buy a new laptop for linux (x86-64), and I'm currently investigating
if laptops with nvidia graphics are an option or not.

Specifically, the question is whether the nvidia driver conforms to our security guidelines:

* Statically linked kernel with no module loader is a must.
Can the nvidia driver be linked statically into the kernel,
or must it be loaded as a kernel module?

* Strict execute protection (PaX/Grsecurity) is also a must:
All stack and data segments are set to non-executable,
and all mmaps may be either writeable or executable, but never both.

* Textrels could be enabled if really necessary,
but currently they are disallowed (turned off in the kernel).

Is there any chance to meet the above criteria,
or is this impossible with the nvidia driver?
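
Added example, not part of the original post: one way to audit a running process against the second criterion above, by parsing Linux `/proc/<pid>/maps` text and reporting mappings that are both writable and executable, or a stack/heap that is executable. The sample maps text is constructed, and the function names `parse_maps` and `wx_violations` are hypothetical.

```python
"""Audit /proc/<pid>/maps text against a strict W^X policy (added example)."""
import sys

# Constructed sample in /proc/<pid>/maps format (not captured from a real system).
SAMPLE_MAPS = """\
00400000-0040c000 r-xp 00000000 08:01 131 /usr/bin/example
0060b000-0060c000 rw-p 0000b000 08:01 131 /usr/bin/example
01a3d000-01a5e000 rw-p 00000000 00:00 0 [heap]
7f1c2a000000-7f1c2a200000 rwxp 00000000 00:00 0
7f1c2b400000-7f1c2b600000 rwxs 00000000 00:05 77 /dev/example0
7ffd3c1e0000-7ffd3c201000 rwxp 00000000 00:00 0 [stack]
"""

def parse_maps(text):
    """Yield (start, end, perms, path) for each well-formed maps line."""
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5 or "-" not in fields[0]:
            continue  # skip blank or malformed lines
        start, end = (int(x, 16) for x in fields[0].split("-", 1))
        path = fields[5].strip() if len(fields) == 6 else ""
        yield start, end, fields[1], path

def wx_violations(text):
    """Return findings that break 'writable or executable, never both'."""
    findings = []
    for start, end, perms, path in parse_maps(text):
        writable, executable = "w" in perms, "x" in perms
        if path in ("[stack]", "[heap]") and executable:
            kind = "exec-" + path.strip("[]")  # stack/data must never be executable
        elif writable and executable:
            kind = "w+x"
        else:
            continue
        findings.append((kind, hex(start), end - start, perms, path or "<anonymous>"))
    return findings

if __name__ == "__main__":
    # With a PID argument, audit that process; otherwise audit the constructed sample.
    if len(sys.argv) > 1:
        with open(f"/proc/{sys.argv[1]}/maps") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MAPS
    for finding in wx_violations(text):
        print(*finding)
```

Running it with the PID of a graphical process on a non-hardened test machine lists the mappings that such a policy would refuse.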

Thunderbird 11-23-09 03:27 PM

Re: Security questions...
 
The first point is already impossible to meet. The nvidia driver must be a loadable module and can't be linked into the kernel. License-wise, it would also not be legal, since the kernel module is not licensed under the GPL.

I can't comment on the second and third points.

P.Kosunen 11-24-09 06:36 AM

Re: Security questions...
 
You can use x.org's nv driver.

jumjum77 11-24-09 08:43 AM

Re: Security questions...
 
Quote:

Originally Posted by P.Kosunen (Post 2129886)
You can use x.org's nv driver.

Yes, but then he wouldn't be able to use most of the nice features of the card.

I'd definitely go with an Intel card if I had to meet those requirements!

mooninite 11-24-09 10:34 AM

Re: Security questions...
 
Quote:

Originally Posted by jumjum77 (Post 2129966)
Yes, but then he wouldn't be able to use most of the nice features of the card.

I'd definitely go with an Intel card if I had to meet those requirements!

The nVidia driver doesn't comply with point number two either.

You're best off trying nouveau. If you need 3D though, you won't be using ATI or nVidia. Their binary drivers are not fully secure nor should you expect them to be when you cannot see how they work first hand.

cdrw 11-25-09 07:28 AM

Re: Security questions...
 
shrug,
the second point fixes this for you:
you will be able to run only in command-line mode (NOEXEC breaks Xorg; disabling privileged I/O also breaks Xorg).

If this is a server, you don't need Xorg/nvidia.
If this is a desktop, you don't really need these hardening options.

Your requirement regarding the "no modules" option is silly; grsec/PaX protects against loading/unloading modules after boot. If your system was infected before you installed the hardened kernel, then it is too late anyway.


All times are GMT -5.