> On 3 Jan 2017, at 21:40, PaX Team <pagee...@freemail.hu> wrote:
> 
> in other words, if you were to kexec into a SANITIZE enabled kernel,
> you'd get your memory clearing for free automatically, earlier than
> any initramfs would execute even and it'd cover most kernel memory
> that the kernel ever cares about (or cared in its previous incarnation
> at least).
> 
> now this brings us to the other topic you raised about grsecurity's
> KMEM hardening. technically it's not incompatible with kexec, so you
> can re-enable kexec, however note that until some signed kexec mechanism
> enters the kernel, it carries a risk of executing potentially malicious
> kernels (but maybe that's not a problem in your use cases). perhaps
> embedding or loading the kexec kernel from initramfs would get around
> those concerns for good.

Can you kexec from a running kernel into itself? If so, then this single use 
case could be enabled without opening a hole for arbitrary code. It would crash 
when it discovers the boot disk is missing, but by that time sanitize should 
have done its job.

A.
_______________________________________________
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.
