On Mon 2017-01-02 14:46:30 -0500, intrigeri wrote: > Now, taking a step back, I wonder: why does why GRKERNSEC_KMEM > disables kexec? > > Is it because it's deemed dangerous in itself? Then perhaps it's be > worth asking grsec people if they'd be open to controlling the kexec > part with a more atomic setting. > > Or because it's broken by other protections brought by this feature? > If it is so, how hard would it be to fix that?
I'd suspect (based on no concrete knowledge, sorry!) that it's the
former -- kexec gives complete control over the system to some other
kernel, which is bad news if you can't trust that other kernel to do
safe things.
I think reaching out to the grsec folks here and explaining the Tails
use case is a good idea.
--dkg
signature.asc
Description: PGP signature
_______________________________________________ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
