From: Dave Taht
Date: Thu, 4 Jan 2018 14:04:46 -0800
To: "dpreed@deepplum.com"
Cc: Joel Wirāmu Pauling, Jonathan Morton, cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] KASLR: Do we have to worry about other arches than x86?
List-Id: Development issues regarding the cerowrt test router project

On Thu, Jan 4, 2018 at 2:02 PM, dpreed@deepplum.com wrote:
> Containers and kernel namespaces, and so forth are MEANINGLESS against the
> Meltdown and Spectre problems. It's a hardware bug that lets any userspace
> process access anything the kernel can address.

Just to be clear, I was merely agreeing with Joel that containers had
matured enough to be potentially usable for some level of process
isolation and firewalling, not that it applied to coping with MeltRe.

>
> -----Original Message-----
> From: "Joel Wirāmu Pauling"
> Sent: Thursday, January 4, 2018 4:52pm
> To: "Dave Taht"
> Cc: "Jonathan Morton", cerowrt-devel@lists.bufferbloat.net
> Subject: Re: [Cerowrt-devel] KASLR: Do we have to worry about other arches
> than x86?
>
> Well as I've argued before Lede ideally should be using Kernel Namespaces
> (poor man's containers) for at a minimum the firewall and per-interface
> routing instances.
>
> The stuff I am running at home is mostly on cheap Atom board, so it's a
> matter of squeezing out unneeded cruft on the platform. Also I don't want to
> be admining centos/rhel servers at home.
>
> On 5 January 2018 at 10:47, Dave Taht wrote:
>>
>> On Thu, Jan 4, 2018 at 1:44 PM, Joel Wirāmu Pauling wrote:
>> >
>> > On 5 January 2018 at 01:09, Jonathan Morton wrote:
>> >>
>> >> I don't think we need to worry about it too much in a router context.
>> >> Virtual server folks, OTOH...
>> >>
>> >> - Jonathan Morton
>> >>
>> > Disagree - The Router is pretty much synonymous with NFV; I run my lede
>> > instances at home on hypervisors - and this is definitely the norm in
>> > Datacentres now. We need to work through this quite carefully.
>>
>> Yes, the NFV case is serious and what I concluded we had most to worry
>> about - before starting to worry about the lower end router chips
>> themselves. But I wasn't aware that people were actually trying to run
>> lede in that, I'd kind of expected a more server-like distro to be used
>> there. Why lede in a NFV? Ease of configuration? Reduced attack
>> surface? (hah)
>>
>> The only x86 chip I use (aside from simulations) is the AMD one in the
>> apu2, which I don't know enough about as per speculation...
>>
>> --
>>
>> Dave Täht
>> CEO, TekLibre, LLC
>> http://www.teklibre.com
>> Tel: 1-669-226-2619

-- 

Dave Täht
CEO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-669-226-2619