public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
From: Ingo Molnar <mingo@elte.hu>
To: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: Vivek Goyal <vgoyal@redhat.com>, Tony Luck <tony.luck@gmail.com>,
	linux-kernel@vger.kernel.org, davej@redhat.com,
	kees.cook@canonical.com, davem@davemloft.net, eranian@google.com,
	torvalds@linux-foundation.org, adobriyan@gmail.com,
	penberg@kernel.org, hpa@zytor.com,
	Arjan van de Ven <arjan@infradead.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Valdis.Kletnieks@vt.edu, pageexec@freemail.hu
Subject: Re: [RFC][PATCH] Randomize kernel base address on boot
Date: Fri, 27 May 2011 15:46:17 +0200	[thread overview]
Message-ID: <20110527134617.GD23626@elte.hu> (raw)
In-Reply-To: <1306502492.3339.2.camel@dan>


* Dan Rosenberg <drosenberg@vsecurity.com> wrote:

> > And if this randomization is also to protect information from 
> > root user then /proc/iomem exporting the physical address of 
> > kernel is still a valid question in that context.
> 
> I think we can deal with unprivileged users first, and if we want 
> to truly prevent root from finding this out, we can introduce a 
> separate toggle that locks things down further.

Correct, the case of unprivileged users should be handled first and 
it should be handled separately from any root-restrictions.

I only raised this to have a rough record of what would have to 
happen there.

Once all is said, done, committed and tested (the last two not 
necessarily in that order), we can look at any open root-restrict 
questions. It's a lot less clear-cut from a system usability POV.

If we do it we probably want one central one-shot 'restrict root from 
now on' toggle, not the separate switches that kill kexec and module 
loading separately.

Some shops might even want to disable root from being able to reboot 
the system and restrict reboots to physically performed (and 
crash/panic/hang induced) reboots only.

Some shops might want to make reboots dependent on the provision of a 
secret key. That key would not be stored on that system.

So there's lots of details to sort out in the "keep root from being 
able to break into the kernel and hide a rootkit out and disappear" 
area.

Thanks,

	Ingo

  reply	other threads:[~2011-05-27 13:46 UTC|newest]

Thread overview: 95+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-05-24 20:31 [RFC][PATCH] Randomize kernel base address on boot Dan Rosenberg
2011-05-24 21:02 ` Ingo Molnar
2011-05-24 22:55   ` Dan Rosenberg
2011-05-24 21:16 ` Ingo Molnar
2011-05-24 23:00   ` Dan Rosenberg
2011-05-25 11:23     ` Ingo Molnar
2011-05-25 14:20       ` Dan Rosenberg
2011-05-25 14:29         ` Ingo Molnar
2011-05-24 23:06   ` H. Peter Anvin
2011-05-25 14:03     ` Dan Rosenberg
2011-05-25 14:14       ` Ingo Molnar
2011-05-25 15:48       ` H. Peter Anvin
2011-05-25 16:15         ` Dan Rosenberg
2011-05-25 16:24           ` H. Peter Anvin
2011-05-24 21:46 ` Brian Gerst
2011-05-24 23:01   ` Dan Rosenberg
2011-05-24 22:31 ` H. Peter Anvin
2011-05-24 23:04   ` Dan Rosenberg
2011-05-24 23:07     ` H. Peter Anvin
2011-05-24 23:34       ` Dan Rosenberg
2011-05-24 23:36         ` H. Peter Anvin
2011-05-24 23:14   ` H. Peter Anvin
2011-05-24 23:08 ` Dan Rosenberg
2011-05-25  2:05   ` Dan Rosenberg
2011-05-26 20:01 ` Vivek Goyal
2011-05-26 20:06   ` Dan Rosenberg
2011-05-26 20:16   ` Valdis.Kletnieks
2011-05-26 20:31     ` Vivek Goyal
2011-05-27  9:36       ` Ingo Molnar
2011-05-26 20:35 ` Vivek Goyal
2011-05-26 20:40   ` Vivek Goyal
2011-05-26 20:44     ` Dan Rosenberg
2011-05-26 20:55       ` Vivek Goyal
2011-05-27  9:38         ` Ingo Molnar
2011-05-27 13:07           ` Vivek Goyal
2011-05-27 13:38             ` Ingo Molnar
2011-05-27 13:13       ` Vivek Goyal
2011-05-27 13:21         ` Dan Rosenberg
2011-05-27 13:46           ` Ingo Molnar [this message]
2011-05-27 13:50           ` Vivek Goyal
2011-05-26 20:39 ` Dan Rosenberg
2011-05-27  7:15   ` Ingo Molnar
2011-05-31 16:52   ` Matthew Garrett
2011-05-31 18:40     ` H. Peter Anvin
2011-05-31 18:51       ` Matthew Garrett
2011-05-31 19:03         ` Dan Rosenberg
2011-05-31 19:07           ` H. Peter Anvin
2011-05-31 19:50           ` Ingo Molnar
2011-05-31 19:55           ` Ingo Molnar
2011-05-31 20:15             ` H. Peter Anvin
2011-05-31 20:27               ` Ingo Molnar
2011-05-31 20:30                 ` H. Peter Anvin
2011-06-01  6:18                   ` Ingo Molnar
2011-06-01 15:44                     ` H. Peter Anvin
2011-05-31 20:17             ` Dan Rosenberg
2011-05-26 22:18 ` Rafael J. Wysocki
2011-05-26 22:32   ` H. Peter Anvin
2011-05-27  0:26     ` Dan Rosenberg
2011-05-27 16:21       ` Rafael J. Wysocki
2011-05-27  2:45     ` Dave Jones
2011-05-27  9:40       ` Ingo Molnar
2011-05-27 16:11         ` Rafael J. Wysocki
2011-05-27 16:07     ` Rafael J. Wysocki
2011-05-27 15:42   ` Linus Torvalds
2011-05-27 16:11     ` Dan Rosenberg
2011-05-27 17:00     ` Ingo Molnar
2011-05-27 17:06       ` H. Peter Anvin
2011-05-27 17:10       ` Dan Rosenberg
2011-05-27 17:13         ` H. Peter Anvin
2011-05-27 17:16           ` Linus Torvalds
2011-05-27 17:38             ` Ingo Molnar
2011-05-27 17:20           ` Kees Cook
2011-05-27 17:16         ` Ingo Molnar
2011-05-27 17:21           ` Linus Torvalds
2011-05-27 17:46             ` Ingo Molnar
2011-05-27 17:53               ` H. Peter Anvin
2011-05-27 18:05                 ` Linus Torvalds
2011-05-27 19:15                   ` Vivek Goyal
2011-05-27 21:37                   ` H. Peter Anvin
2011-05-27 23:51                     ` H. Peter Anvin
2011-05-28 12:18                   ` Ingo Molnar
2011-05-29  1:13                     ` H. Peter Anvin
2011-05-29 12:47                       ` Ingo Molnar
2011-05-29 18:19                         ` H. Peter Anvin
2011-05-29 18:44                           ` Ingo Molnar
2011-05-29 18:52                             ` H. Peter Anvin
2011-05-29 19:56                               ` Ingo Molnar
2011-05-27 17:57               ` Linus Torvalds
2011-05-27 18:17                 ` Ingo Molnar
2011-05-27 18:43                   ` Kees Cook
2011-05-27 18:48                   ` david
2011-05-27 21:51                   ` Olivier Galibert
2011-05-27 22:11                     ` Valdis.Kletnieks
2011-05-28  0:50                     ` H. Peter Anvin
2011-05-28  6:32                     ` Ingo Molnar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20110527134617.GD23626@elte.hu \
    --to=mingo@elte.hu \
    --cc=Valdis.Kletnieks@vt.edu \
    --cc=adobriyan@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=arjan@infradead.org \
    --cc=davej@redhat.com \
    --cc=davem@davemloft.net \
    --cc=drosenberg@vsecurity.com \
    --cc=eranian@google.com \
    --cc=hpa@zytor.com \
    --cc=kees.cook@canonical.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pageexec@freemail.hu \
    --cc=penberg@kernel.org \
    --cc=tony.luck@gmail.com \
    --cc=torvalds@linux-foundation.org \
    --cc=vgoyal@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox