From: "dpreed@deepplum.com"
To: "Joel Wirāmu Pauling"
Cc: "Dave Taht", "Jonathan Morton", cerowrt-devel@lists.bufferbloat.net
Date: Thu, 4 Jan 2018 17:02:56 -0500 (EST)
Subject: Re: [Cerowrt-devel] KASLR: Do we have to worry about other arches than x86?

Containers and kernel namespaces, and so forth are MEANINGLESS against the Meltdown and Spectre problems. It's a hardware bug that lets any userspace process access anything the kernel can address.

-----Original Message-----
From: "Joel Wirāmu Pauling" <joel@aenertia.net>
Sent: Thursday, January 4, 2018 4:52pm
To: "Dave Taht" <dave.taht@gmail.com>
Cc: "Jonathan Morton" <chromatix99@gmail.com>, cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] KASLR: Do we have to worry about other arches than x86?

Well as I've argued before Lede ideally should be using Kernel Namespaces (poor man's containers) for at a minimum the firewall and per-interface routing instances.

The stuff I am running at home is mostly on cheap Atom board, so it's a matter of squeezing out unneeded cruft on the platform. Also I don't want to be admining centos/rhel servers at home.

On 5 January 2018 at 10:47, Dave Taht <dave.taht@gmail.com> wrote:

On Thu, Jan 4, 2018 at 1:44 PM, Joel Wirāmu Pauling <joel@aenertia.net> wrote:
>
> On 5 January 2018 at 01:09, Jonathan Morton <chromatix99@gmail.com> wrote:
>>
>> I don't think we need to worry about it too much in a router context.
>> Virtual server folks, OTOH...
>>
>> - Jonathan Morton
>>
> Disagree - The Router is pretty much synonymous with NFV; I run my lede
> instances at home on hypervisors - and this is definitely the norm in
> Datacentres now. We need to work through this quite carefully.

Yes, the NFV case is serious and what I concluded we had most to worry
about - before starting to worry about the lower end router chips
themselves. But I wasn't aware that people were actually trying to run
lede in that, I'd kind of expected a more server-like distro to be used
there. Why lede in a NFV? Ease of configuration? Reduced attack surface? (hah)

The only x86 chip I use (aside from simulations) is the AMD one in the
apu2, which I don't know enough about as per speculation...

--
Dave Täht
CEO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-669-226-2619
