Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <1496854825.10825.24.camel@gmail.com>
Date: Wed, 07 Jun 2017 13:00:25 -0400
From: Daniel Micay <danielmicay@...il.com>
To: Henrique de Moraes Holschuh <hmh@....eng.br>, Theodore Ts'o
 <tytso@....edu>
Cc: "Jason A. Donenfeld" <Jason@...c4.com>, Eric Biggers
 <ebiggers3@...il.com>,  Linux Crypto Mailing List
 <linux-crypto@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>,
 kernel-hardening@...ts.openwall.com,  Greg Kroah-Hartman
 <gregkh@...uxfoundation.org>, David Miller <davem@...emloft.net>, Herbert
 Xu <herbert@...dor.apana.org.au>, Stephan Mueller <smueller@...onox.de>
Subject: Re: Re: [PATCH v3 04/13] crypto/rng: ensure that
 the RNG is ready before using

> On the better bootloaders, an initramfs segment can be loaded
> independently (and you can have as many as required), which makes an
> early_initramfs a more palatable vector to inject large amounts of
> entropy into the next boot than, say, modifying the kernel image
> directly at every boot/shutdown to stash entropy in there somewhere.

Modifying the kernel image on storage isn't compatible with verified
boot so it's not really a solution. The kernel, initrd and rest of the
OS are signed and verified on operating systems like Android, Android
Things, ChromeOS and many embedded devices, etc. putting some basic
effort into security. I didn't really understand the device tree
approach and mentioned a few times before. Passing via the kernel
cmdline is a lot simpler than modifying the device tree in-memory and
persistent modification isn't an option unless verified boot is missing
anyway.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.