Re: [PATCH v7 0/9] x86/mm: memory area address KASLR

2016-07-07 Thread Kees Cook
On Tue, Jun 21, 2016 at 8:46 PM, Kees Cook wrote: > This is v7 of Thomas Garnier's KASLR for memory areas (physical memory > mapping, vmalloc, vmemmap). It expects to be applied on top of the > x86/boot tip. > > The current implementation of KASLR randomizes only the base

Re: devicetree random-seed properties, was: "Re: [PATCH v7 0/9] x86/mm: memory area address KASLR"

2016-06-30 Thread Jason Cooper
On Fri, Jun 24, 2016 at 01:40:41PM -0700, Andy Lutomirski wrote: > On Fri, Jun 24, 2016 at 12:04 PM, Kees Cook wrote: > > On Fri, Jun 24, 2016 at 9:02 AM, Jason Cooper wrote: > >> Thomas, > >> > >> Sorry for wandering off the topic of your series.

Re: devicetree random-seed properties, was: "Re: [PATCH v7 0/9] x86/mm: memory area address KASLR"

2016-06-30 Thread Jason Cooper
Hi Kees, On Fri, Jun 24, 2016 at 12:04:32PM -0700, Kees Cook wrote: > On Fri, Jun 24, 2016 at 9:02 AM, Jason Cooper wrote: > > Thomas, > > > > Sorry for wandering off the topic of your series. The big take away for > > me is that you and Kees are concerned about x86

Re: devicetree random-seed properties, was: "Re: [PATCH v7 0/9] x86/mm: memory area address KASLR"

2016-06-24 Thread Andy Lutomirski
On Fri, Jun 24, 2016 at 12:04 PM, Kees Cook wrote: > On Fri, Jun 24, 2016 at 9:02 AM, Jason Cooper wrote: >> Thomas, >> >> Sorry for wandering off the topic of your series. The big take away for >> me is that you and Kees are concerned about x86

Re: devicetree random-seed properties, was: "Re: [PATCH v7 0/9] x86/mm: memory area address KASLR"

2016-06-24 Thread Kees Cook
On Fri, Jun 24, 2016 at 9:02 AM, Jason Cooper wrote: > Thomas, > > Sorry for wandering off the topic of your series. The big take away for > me is that you and Kees are concerned about x86 systems pre-RDRAND. > Just as I'm concerned about deployed embedded systems without

devicetree random-seed properties, was: "Re: [PATCH v7 0/9] x86/mm: memory area address KASLR"

2016-06-24 Thread Jason Cooper
Thomas, Sorry for wandering off the topic of your series. The big take away for me is that you and Kees are concerned about x86 systems pre-RDRAND. Just as I'm concerned about deployed embedded systems without bootloader support for hw-rngs and so forth. Whatever final form the approach takes

Re: [kernel-hardening] [PATCH v7 0/9] x86/mm: memory area address KASLR

2016-06-24 Thread Ard Biesheuvel
On 24 June 2016 at 03:11, Jason Cooper wrote: > Hi Ard, > > On Thu, Jun 23, 2016 at 10:05:53PM +0200, Ard Biesheuvel wrote: >> On 23 June 2016 at 21:58, Kees Cook wrote: >> > On Thu, Jun 23, 2016 at 12:33 PM, Jason Cooper >> >

Re: [kernel-hardening] [PATCH v7 0/9] x86/mm: memory area address KASLR

2016-06-23 Thread Jason Cooper
Hi Ard, On Thu, Jun 23, 2016 at 10:05:53PM +0200, Ard Biesheuvel wrote: > On 23 June 2016 at 21:58, Kees Cook wrote: > > On Thu, Jun 23, 2016 at 12:33 PM, Jason Cooper wrote: > >> On Wed, Jun 22, 2016 at 10:05:51AM -0700, Kees Cook wrote: > >>> On

Re: [kernel-hardening] [PATCH v7 0/9] x86/mm: memory area address KASLR

2016-06-23 Thread Jason Cooper
Hey Sandy, On Thu, Jun 23, 2016 at 03:45:54PM -0400, Sandy Harris wrote: > Jason Cooper wrote: > > > Modern systems that receive a seed from the bootloader via the > > random-seed property (typically from the hw-rng) can mix both sources > > for increased resilience. > > >

Re: [kernel-hardening] [PATCH v7 0/9] x86/mm: memory area address KASLR

2016-06-23 Thread Jason Cooper
On Thu, Jun 23, 2016 at 12:59:07PM -0700, Kees Cook wrote: > On Thu, Jun 23, 2016 at 12:45 PM, Sandy Harris wrote: > > Jason Cooper wrote: > > > >> Modern systems that receive a seed from the bootloader via the > >> random-seed property (typically

Re: [kernel-hardening] [PATCH v7 0/9] x86/mm: memory area address KASLR

2016-06-23 Thread Ard Biesheuvel
On 23 June 2016 at 21:58, Kees Cook wrote: > On Thu, Jun 23, 2016 at 12:33 PM, Jason Cooper wrote: >> Hey Kees, Thomas, >> >> On Wed, Jun 22, 2016 at 10:05:51AM -0700, Kees Cook wrote: >>> On Wed, Jun 22, 2016 at 8:59 AM, Thomas Garnier

Re: [kernel-hardening] [PATCH v7 0/9] x86/mm: memory area address KASLR

2016-06-23 Thread Kees Cook
On Thu, Jun 23, 2016 at 12:45 PM, Sandy Harris wrote: > Jason Cooper wrote: > >> Modern systems that receive a seed from the bootloader via the >> random-seed property (typically from the hw-rng) can mix both sources >> for increased resilience. >>

Re: [kernel-hardening] [PATCH v7 0/9] x86/mm: memory area address KASLR

2016-06-23 Thread Kees Cook
On Thu, Jun 23, 2016 at 12:33 PM, Jason Cooper wrote: > Hey Kees, Thomas, > > On Wed, Jun 22, 2016 at 10:05:51AM -0700, Kees Cook wrote: >> On Wed, Jun 22, 2016 at 8:59 AM, Thomas Garnier wrote: >> > On Wed, Jun 22, 2016 at 5:47 AM, Jason Cooper

Re: [kernel-hardening] [PATCH v7 0/9] x86/mm: memory area address KASLR

2016-06-23 Thread Jason Cooper
Hey Kees, Thomas, On Wed, Jun 22, 2016 at 10:05:51AM -0700, Kees Cook wrote: > On Wed, Jun 22, 2016 at 8:59 AM, Thomas Garnier wrote: > > On Wed, Jun 22, 2016 at 5:47 AM, Jason Cooper wrote: > >> Hey Kees, > >> > >> On Tue, Jun 21, 2016 at 05:46:57PM

Re: [kernel-hardening] [PATCH v7 0/9] x86/mm: memory area address KASLR

2016-06-23 Thread Sandy Harris
Jason Cooper wrote: > Modern systems that receive a seed from the bootloader via the > random-seed property (typically from the hw-rng) can mix both sources > for increased resilience. > > Unfortunately, I'm not very familiar with the internals of x86 > bootstrapping.

Re: [kernel-hardening] [PATCH v7 0/9] x86/mm: memory area address KASLR

2016-06-22 Thread Kees Cook
On Wed, Jun 22, 2016 at 8:59 AM, Thomas Garnier wrote: > On Wed, Jun 22, 2016 at 5:47 AM, Jason Cooper wrote: >> Hey Kees, >> >> On Tue, Jun 21, 2016 at 05:46:57PM -0700, Kees Cook wrote: >>> Notable problems that needed solving: >> ... >>> -

Re: [kernel-hardening] [PATCH v7 0/9] x86/mm: memory area address KASLR

2016-06-22 Thread Thomas Garnier
On Wed, Jun 22, 2016 at 5:47 AM, Jason Cooper wrote: > Hey Kees, > > On Tue, Jun 21, 2016 at 05:46:57PM -0700, Kees Cook wrote: >> Notable problems that needed solving: > ... >> - Reasonable entropy is needed early at boot before get_random_bytes() >>is available. > >

Re: [kernel-hardening] [PATCH v7 0/9] x86/mm: memory area address KASLR

2016-06-22 Thread Jason Cooper
Hey Kees, On Tue, Jun 21, 2016 at 05:46:57PM -0700, Kees Cook wrote: > Notable problems that needed solving: ... > - Reasonable entropy is needed early at boot before get_random_bytes() >is available. This series is targetting x86, which typically has RDRAND/RDSEED instructions. Are you

[PATCH v7 0/9] x86/mm: memory area address KASLR

2016-06-21 Thread Kees Cook
This is v7 of Thomas Garnier's KASLR for memory areas (physical memory mapping, vmalloc, vmemmap). It expects to be applied on top of the x86/boot tip. The current implementation of KASLR randomizes only the base address of the kernel and its modules. Research was published showing that static