Author: Jurre van Bergen Date: To: The Tails public development discussion list CC: info Subject: [Tails-dev] Removing or blacklist kernel modules
Hi,
By default Debian ships a beautiful kernel with a ton of features to
work outside of the box. With features I mean modules, whether that's
support for some really obscure network protocol or bluetooth(random
example) drivers. While that comes in handy for a lot of things, I feel
that it's important to reconsider what we would like to ship in Tails as
the more kernel modules we load and/or ship we also increase the attack
vector.
So I would like to discuss whether it's a good idea to either remove
and/or blacklist certain modules for the kernel. What the reasoning
might be to remove those specific modules from the kernel and whether we
can come to a consensus of some sorts so we can research on how to
achieve this.
I feel that actually _removing_ modules is a better way to achieve a
slightly safer kernel as the code could not be reached anymore. Less
attack vector!
Blacklisting kernel modules allows you to compile them in, but not use
them, however, *perhaps* code could still be reached which might be
exploitable with some crazy exploit.
I wonder if SubgraphOS has removed modules as well and what their
reasoning is for removing them, if any.