All of lore.kernel.org
 help / color / mirror / Atom feed
From: Josh Triplett <josh@joshtriplett.org>
To: Theodore Tso <tytso@google.com>
Cc: Jason Cooper <kernel-hardening@lakedaemon.net>,
	kernel-hardening@lists.openwall.com,
	Emese Revfy <re.emese@gmail.com>,
	Kees Cook <keescook@chromium.org>,
	PaX Team <pageexec@freemail.hu>,
	Brad Spengler <spender@grsecurity.net>,
	Greg KH <gregkh@linuxfoundation.org>
Subject: Re: [kernel-hardening] Re: Proposal for kernel self protection features
Date: Mon, 9 Nov 2015 12:06:23 -0800	[thread overview]
Message-ID: <20151109200623.GA24788@cloud> (raw)
In-Reply-To: <CAGagf4d4A8ZN2hVDDUFge78D_AZKFwkh6ZCV9faEZe=DO_fwKQ@mail.gmail.com>

On Mon, Nov 09, 2015 at 02:11:35PM -0500, Theodore Tso wrote:
> On Mon, Nov 9, 2015 at 2:02 PM, Jason Cooper <
> kernel-hardening@lakedaemon.net> wrote:
> 
> > /var/lib/misc/random-seed has served that role for years, I'm only
> > advocating loading it earlier in the boot process.  It's *much* harder
> > to guess the state of random-seed than the dtb or mac address(es)...
> >
> 
> If the bootloader is willing to reach into the file system, which means (a)
> having a minimal file system layer, like Grub does, and (b) can find the
> block device where the file is found, that's a perfectly *fine*
> implementation.    I'm not sure mobile handset vendors will be all that
> psyched into either using or replicating all of Grub's functionality so it
> could do that, though....

How crazy would it be to append it to the end of the initramfs, as we've
started making possible for critical firmware/microcode/tables?

- Josh Triplett

  reply	other threads:[~2015-11-09 20:06 UTC|newest]

Thread overview: 45+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-11-06 22:55 [kernel-hardening] Proposal for kernel self protection features Emese Revfy
2015-11-06 23:30 ` [kernel-hardening] " Kees Cook
2015-11-07  0:25   ` Josh Triplett
2015-11-07  2:46     ` Greg KH
2015-11-07  4:16       ` Kees Cook
2015-11-07  5:42         ` Josh Triplett
2015-11-07 22:07           ` Emese Revfy
2015-11-08  8:21             ` Josh Triplett
2015-11-08 11:28               ` Emese Revfy
2015-11-08  9:27           ` Alyssa Milburn
2015-11-08 14:09             ` PaX Team
2015-11-07 21:58       ` Emese Revfy
2015-11-08  9:58         ` David Sterba
2015-11-08 17:15         ` Greg KH
2015-11-07 12:41     ` Ard Biesheuvel
2015-11-08 10:09       ` Mathias Krause
2015-11-07 21:42     ` Emese Revfy
2015-11-08  8:37       ` Josh Triplett
2015-11-07 21:34   ` Emese Revfy
2015-11-08  6:40     ` Kees Cook
2015-11-11 13:32     ` Paolo Bonzini
2015-11-12 12:22       ` PaX Team
2015-11-12 12:36         ` Paolo Bonzini
2015-11-13  2:08           ` Emese Revfy
2015-11-08 13:13   ` PaX Team
2015-11-09 18:07     ` Laura Abbott
2015-11-09 18:28       ` Jason Cooper
2015-11-09 18:33         ` Jason Cooper
2015-11-09 18:57         ` Valdis.Kletnieks
2015-11-09 19:02           ` Jason Cooper
2015-11-09 19:11             ` Theodore Tso
2015-11-09 20:06               ` Josh Triplett [this message]
2015-11-09 21:07                 ` Jason Cooper
2015-11-09 21:09               ` Jason Cooper
2015-11-09 21:13                 ` Matthew Garrett
2015-11-10 10:42                   ` Yves-Alexis Perez
2015-11-10 10:47                     ` Marcus Meissner
2015-11-10 11:24                       ` Yves-Alexis Perez
2015-11-09 18:32       ` Theodore Tso
2015-11-11  3:41       ` PaX Team
2015-11-09 21:52     ` Kees Cook
2015-11-09 23:09       ` PaX Team
2016-01-19 18:11 ` Kees Cook
2016-01-19 21:20   ` Emese Revfy
2016-01-19 23:08     ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20151109200623.GA24788@cloud \
    --to=josh@joshtriplett.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lakedaemon.net \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=pageexec@freemail.hu \
    --cc=re.emese@gmail.com \
    --cc=spender@grsecurity.net \
    --cc=tytso@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.