On Wed, 22 Nov 2017, Kevin Chadwick wrote:

> > I would prefer to run the script for relinking kernel from
> > time to time manually, and not run it at boot time. The same
> > for reordering libraries.
>
> Why exactly?

A laptop that does not go to the internet is rebooted more than
a home PC with internet connection behind a router, the home PC
more than a server continuously and directly exposed to the internet.
The less you need security, the more you are enjoying the security
benefit of KARL.

Of course, it is senseless to reorder kernel more than one time when
the computer is up. But for the above reason, it is obviously
not necessary to do it after any boot. You can do it manually
from time to time, when the computer is up and you do not need it.

The question that remains, is, if it is not a problem to do it
at any reboot. It depends on your hardware and on how you
use OpenBSD. I like silent, slow computers. reorder_kernel is
disabled when /usr/share is on an nfs mount, namely, for a diskless
machine, but there are other situations, for example when you
boot from slow flash memory attached to USB and want it also
readonly.

> Fair enough but doesn't apply here. Systemd sacrifices in many
> usability areas for boot speed which is rarely faster

I mean something else: the complexity of the booting process.
And of course I want to have the computer booted as soon as
possible, and the slow reorder_kernel and library reordering
is now part of the booting process.

> The script is in /usr/libexec if you must but to quote Theo to me a
> number of times. "You own the pieces"

If I disable KARL changing the file with the checksum, running
/usr/libexec/reorder_kernel.sh has no effect. It remains to
comment out its call in rc. The reordering of libraries can be
disabled, but the definition of the procedure is embedded in rc
and cannot be run manually.

Rodrigo.
