From: taxman
To: Damien Tougas, freebsd-questions@freebsd.org
Subject: Re: A question about kernel modules
Date: Fri, 7 Mar 2003 18:07:27 -0500

On Friday 07 March 2003 11:55 am, Damien Tougas wrote:
> Is there any advantage/disadvantage to using kernel modules vs. statically
> linking stuff in the kernel? I would like to eliminate everything from my
> kernel config that can be loaded as a module, then load them at boot using
> loader.conf.

Should be possible for a lot of things. Though it seems many need to stay in
the kernel, as it is currently written. kld(4) and the pages it refers to
should be at least somewhat instructive in figuring out what all can be put in
a module. Try reading the developer's handbook, it has some of what you're
looking for.

> Is there any reason I would not want to do that? It seems to
> me that it would make things much easier.
>
> Why does FreeBSD not do this by default for the GENERIC kernel?

Only things I can think of as to why most things are compiled in are

1) the costs of running a module, instead of compiled in. I don't know how to
quantify those. And I didn't see anything in the developer's handbook to
answer that. Maybe checking there more carefully would yield some answers.

2) security. In theory for max security you should minimize the interfaces to
the kernel. Any loadable module could be a trojan, packet filter, or
compromise security in another way. So optimal security would be to have every
needed component compiled in, and turn off the ability to load any modules. I
have no idea if this can be done or how in FreeBSD. kld manpage didn't seem
to say anything about this. Keep in mind this is extreme security which isn't
terribly important till you get the practical stuff taken care of first.
Here is the (in)famous article on it:
http://packetstorm.decepticons.org/papers/unix/bsdkern.htm

You may want to check the -hackers mailing list archives, as this has been
discussed there. If this is really important for you to figure out, after
reading the archives, ask there.

Tim
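Added example, not part of the original message: on FreeBSD, raising kern.securelevel to 1 or higher makes the kernel refuse to load or unload modules (see security(7)), while modules named in loader.conf are preloaded by the boot loader before that happens. The script below audits copies of loader.conf and rc.conf for that posture; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Modules the boot loader preloads: lines of the form name_load="YES".
boot_modules() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_]*\)_load="*[Yy][Ee][Ss]"*.*/\1/p' "$1"
}

# Securelevel rc.conf asks for, or -1 when it is not enabled.
configured_securelevel() {
    enable=$(sed -n 's/^kern_securelevel_enable="*\([A-Za-z]*\)"*.*/\1/p' "$1" | tail -n 1)
    level=$(sed -n 's/^kern_securelevel="*\(-*[0-9][0-9]*\)"*.*/\1/p' "$1" | tail -n 1)
    case "$enable" in
        [Yy][Ee][Ss]) echo "${level:--1}" ;;
        *) echo "-1" ;;
    esac
}

# At securelevel 1 or higher the kernel refuses kldload and kldunload.
module_loading_locked() {
    [ "$(configured_securelevel "$1")" -ge 1 ]
}

# Usage: audit <loader.conf> <rc.conf>
audit() {
    if module_loading_locked "$2"; then
        echo "LOCKED: no module loading once securelevel is raised; preloaded:"
    else
        echo "OPEN: root can still kldload after boot; preloaded:"
    fi
    boot_modules "$1" | sed 's/^/  /'
}

# Constructed sample configuration (not taken from the thread).
tmp=$(mktemp -d)
cat > "$tmp/loader.conf" <<'EOF'
if_em_load="YES"
#linux_load="YES"
snd_driver_load="NO"
EOF
cat > "$tmp/rc.conf" <<'EOF'
kern_securelevel_enable="YES"
kern_securelevel="1"
EOF
audit "$tmp/loader.conf" "$tmp/rc.conf"
rm -rf "$tmp"
```

On a live system, pass /boot/loader.conf and /etc/rc.conf to `audit`, and compare the result with `sysctl kern.securelevel` and `kldstat`.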