Re: [RFC PATCH 0/8] x86_64: Harden compressed kernel, part 1

From: Evgeniy Baskov
Date: Thu Aug 04 2022 - 06:44:42 EST

Next message: Michal Hocko: "Re: [PATCH] mm: mempolicy: fix policy_nodemask() for MPOL_PREFERRED_MANY case"
Previous message: Mickaël Salaün: "Re: [PATCH] selftests/landlock: fix broken include of linux/landlock.h"
In reply to: Dave Hansen: "Re: [RFC PATCH 0/8] x86_64: Harden compressed kernel, part 1"
Next in thread: Greg KH: "Re: [RFC PATCH 0/8] x86_64: Harden compressed kernel, part 1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2022-08-03 17:05, Dave Hansen wrote:

That shows me that it's _possible_ to build a more strict PE loader that
wouldn't load Linux. But, in practice is anyone using a more strict PE
loader? Does anyone actually want that in practice? Or, again, is this
more strict PE loader just an academic demonstration?

The README starts:

This branch demonstrates...

That doesn't seem like something that's _important_ to deal with.
Sounds like a proof-of-concept.

Don't get me wrong, I'm all for improving thing, even if the benefits
are far off. But, let's not fool ourselves.

We have commercial closed-source UEFI firmware implementation at ISP RAS
that follows the behavior of the secure_pe branch. That firmware is used
as a part of [1].

[1] https://www.ispras.ru/en/technologies/asperitas/

Thanks,
Evgeniy Baskov

Next message: Michal Hocko: "Re: [PATCH] mm: mempolicy: fix policy_nodemask() for MPOL_PREFERRED_MANY case"
Previous message: Mickaël Salaün: "Re: [PATCH] selftests/landlock: fix broken include of linux/landlock.h"
In reply to: Dave Hansen: "Re: [RFC PATCH 0/8] x86_64: Harden compressed kernel, part 1"
Next in thread: Greg KH: "Re: [RFC PATCH 0/8] x86_64: Harden compressed kernel, part 1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]