From ec3be7780dfde34b6fa10d194d47b21c7f017daf Mon Sep 17 00:00:00 2001 From: Matthew Mondor Date: Thu, 9 Jul 2015 03:33:23 +0000 Subject: [PATCH] *** empty log message *** --- netbsd/netbsd_improvements.txt | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/netbsd/netbsd_improvements.txt b/netbsd/netbsd_improvements.txt index 616088f..bf6dc2e 100644 --- a/netbsd/netbsd_improvements.txt +++ b/netbsd/netbsd_improvements.txt @@ -10,6 +10,15 @@ Status, defined by the first column: * The fix that was submitted via PR was accepted and commited. +- Signed kernel modules + With ability to manage kernel keys; with keys locked in read-only non-exec + pages after boot + +- Signed shared libraries and executables + VeriExec not far from that, but it's still different as it does not verify + signatures, it instead verifies a checksum. + The signatures should be added as a new special ELF section. + - NPF - Lack of proper diagnostics/stats - Lacks various old ipfilter features which are necessary @@ -20,6 +29,8 @@ Status, defined by the first column: - npfctl show bogus - npfctl stop may lock in a busy loop, unkillable process - npfctl stats cannot show per-rule hits + - npflog0 logging lacks needed metadata like rule number/reason and + direction - Annoying syntax changes between versions - Appears too immature on netbsd-6, to recheck on netbsd-7 -- 2.9.0
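Review bot: In the "Signed kernel modules" entry of the first hunk, "ability to manage kernel keys" and "keys locked in read-only non-exec pages after boot" read as conflicting unless the entry says when key management is permitted (only before the lock, or through some authorized path afterwards) and that the keys meant are the verification keys. In the "Signed shared libraries and executables" entry, "a new special ELF section" would be clearer if it also stated that the signature covers the file contents excluding that section itself, and whether it is checked against the same kernel keys as the modules or a separate set. The subject "*** empty log message ***" gives no summary of either addition; the two entry titles would serve as a one-line subject.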
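Review bot: The npflog0 item added in the second hunk sits in the run of npfctl items, although it concerns the log interface rather than the npfctl tool; it fits better next to "Lack of proper diagnostics/stats", or grouped with "npfctl stats cannot show per-rule hits", since both are about attributing traffic to a rule. The wording "metadata like rule number/reason and direction" is open-ended: listing the exact fields wanted (rule number, reason, direction) would make the item checkable when NPF is rechecked on netbsd-7.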