Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20151109210700.GE20491@io.lakedaemon.net>
Date: Mon, 9 Nov 2015 21:07:00 +0000
From: Jason Cooper <kernel-hardening@...edaemon.net>
To: Josh Triplett <josh@...htriplett.org>
Cc: Theodore Tso <tytso@...gle.com>, kernel-hardening@...ts.openwall.com,
	Emese Revfy <re.emese@...il.com>, Kees Cook <keescook@...omium.org>,
	PaX Team <pageexec@...email.hu>,
	Brad Spengler <spender@...ecurity.net>,
	Greg KH <gregkh@...uxfoundation.org>
Subject: Re: Re: Proposal for kernel self protection
 features

On Mon, Nov 09, 2015 at 12:06:23PM -0800, Josh Triplett wrote:
> On Mon, Nov 09, 2015 at 02:11:35PM -0500, Theodore Tso wrote:
> > On Mon, Nov 9, 2015 at 2:02 PM, Jason Cooper <
> > kernel-hardening@...edaemon.net> wrote:
> > 
> > > /var/lib/misc/random-seed has served that role for years, I'm only
> > > advocating loading it earlier in the boot process.  It's *much* harder
> > > to guess the state of random-seed than the dtb or mac address(es)...
> > >
> > 
> > If the bootloader is willing to reach into the file system, which means (a)
> > having a minimal file system layer, like Grub does, and (b) can find the
> > block device where the file is found, that's a perfectly *fine*
> > implementation.    I'm not sure mobile handset vendors will be all that
> > psyched into either using or replicating all of Grub's functionality so it
> > could do that, though....
> 
> How crazy would it be to append it to the end of the initramfs, as we've
> started making possible for critical firmware/microcode/tables?

Well, my main goal was to strengthen KASLR on ARM.  Which means the code
needs to reside in the decompressor...

thx,

Jason.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.