From mboxrd@z Thu Jan 1 00:00:00 1970 Reply-To: kernel-hardening@lists.openwall.com Date: Mon, 9 Nov 2015 21:07:00 +0000 From: Jason Cooper Message-ID: <20151109210700.GE20491@io.lakedaemon.net> References: <20151106235545.97d0e86a5f1f80c98e0e9de6@gmail.com> <563F4A78.21151.23C6852D@pageexec.freemail.hu> <5640E0DD.6040107@labbott.name> <20151109182832.GB20491@io.lakedaemon.net> <13041.1447095477@turing-police.cc.vt.edu> <20151109190224.GD20491@io.lakedaemon.net> <20151109200623.GA24788@cloud> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20151109200623.GA24788@cloud> Subject: Re: [kernel-hardening] Re: Proposal for kernel self protection features To: Josh Triplett Cc: Theodore Tso , kernel-hardening@lists.openwall.com, Emese Revfy , Kees Cook , PaX Team , Brad Spengler , Greg KH List-ID: On Mon, Nov 09, 2015 at 12:06:23PM -0800, Josh Triplett wrote: > On Mon, Nov 09, 2015 at 02:11:35PM -0500, Theodore Tso wrote: > > On Mon, Nov 9, 2015 at 2:02 PM, Jason Cooper < > > kernel-hardening@lakedaemon.net> wrote: > > > > > /var/lib/misc/random-seed has served that role for years, I'm only > > > advocating loading it earlier in the boot process. It's *much* harder > > > to guess the state of random-seed than the dtb or mac address(es)... > > > > > > > If the bootloader is willing to reach into the file system, which means (a) > > having a minimal file system layer, like Grub does, and (b) can find the > > block device where the file is found, that's a perfectly *fine* > > implementation. I'm not sure mobile handset vendors will be all that > > psyched into either using or replicating all of Grub's functionality so it > > could do that, though.... > > How crazy would it be to append it to the end of the initramfs, as we've > started making possible for critical firmware/microcode/tables? Well, my main goal was to strengthen KASLR on ARM. Which means the code needs to reside in the decompressor... thx, Jason.