Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAGXu5jLyegoCA4cBDyOWvcsV3_wE8BBFRnuhkbORdFHTswGpoA@mail.gmail.com>
Date: Wed, 16 Aug 2017 21:58:26 -0700
From: Kees Cook <keescook@...omium.org>
To: Nick Kralevich <nnk@...gle.com>
Cc: Laura Abbott <labbott@...hat.com>, Daniel Micay <danielmicay@...il.com>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, lkml <linux-kernel@...r.kernel.org>, 
	Linux-MM <linux-mm@...ck.org>, Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCHv2 2/2] extract early boot entropy from
 the passed cmdline

On Wed, Aug 16, 2017 at 9:56 PM, Nick Kralevich <nnk@...gle.com> wrote:
> On Wed, Aug 16, 2017 at 3:46 PM, Laura Abbott <labbott@...hat.com> wrote:
>> From: Daniel Micay <danielmicay@...il.com>
>>
>> Existing Android bootloaders usually pass data useful as early entropy
>> on the kernel command-line. It may also be the case on other embedded
>> systems. Sample command-line from a Google Pixel running CopperheadOS:
>>
>
> Why is it better to put this into the kernel, rather than just rely on
> the existing userspace functionality which does exactly the same
> thing? This is what Android already does today:
> https://android-review.googlesource.com/198113

That's too late for setting up the kernel stack canary, among other
things. The kernel will also be generating some early secrets for slab
cache canaries, etc. That all needs to happen well before init is
started.

-Kees

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.