From: Joel Wirāmu Pauling <joel@aenertia.net>
Date: Fri, 5 Jan 2018 11:02:06 +1300
To: dpreed@deepplum.com
Cc: Dave Taht <dave.taht@gmail.com>, Jonathan Morton <chromatix99@gmail.com>, cerowrt-devel@lists.bufferbloat.net
In-Reply-To: <1515103187.670416570@apps.rackspace.com>
Subject: Re: [Cerowrt-devel] KASLR: Do we have to worry about other arches than x86?
List-Id: Development issues regarding the cerowrt test router project

If you are using namespaces to provide a level of context separation between your processes ... it's a problem.

On 5 January 2018 at 10:59, dpreed@deepplum.com <dpreed@deepplum.com> wrote:
> Containers and kernel namespaces, and so forth are MEANINGLESS against the Meltdown and Spectre problems. It's a hardware bug that lets any userspace process access anything the kernel can address.
>
> -----Original Message-----
> From: "Joel Wirāmu Pauling" <joel@aenertia.net>
> Sent: Thursday, January 4, 2018 4:52pm
> To: "Dave Taht" <dave.taht@gmail.com>
> Cc: "Jonathan Morton" <chromatix99@gmail.com>, cerowrt-devel@lists.bufferbloat.net
> Subject: Re: [Cerowrt-devel] KASLR: Do we have to worry about other arches than x86?
>
> Well, as I've argued before, Lede ideally should be using Kernel Namespaces (poor man's containers) for, at a minimum, the firewall and per-interface routing instances.
>
> The stuff I am running at home is mostly on cheap Atom boards, so it's a matter of squeezing out unneeded cruft on the platform. Also I don't want to be admining centos/rhel servers at home.
>
> On 5 January 2018 at 10:47, Dave Taht <dave.taht@gmail.com> wrote:
>> On Thu, Jan 4, 2018 at 1:44 PM, Joel Wirāmu Pauling <joel@aenertia.net> wrote:
>> > On 5 January 2018 at 01:09, Jonathan Morton <chromatix99@gmail.com> wrote:
>> >> I don't think we need to worry about it too much in a router context.
>> >> Virtual server folks, OTOH...
>> >>
>> >> - Jonathan Morton
>> >
>> > Disagree - The Router is pretty much synonymous with NFV; I run my lede instances at home on hypervisors - and this is definitely the norm in Datacentres now. We need to work through this quite carefully.
>>
>> Yes, the NFV case is serious and what I concluded we had most to worry about - before starting to worry about the lower end router chips themselves. But I wasn't aware that people were actually trying to run lede in that; I'd kind of expected a more server-like distro to be used there. Why lede in an NFV? Ease of configuration? Reduced attack surface? (hah)
>>
>> The only x86 chip I use (aside from simulations) is the AMD one in the apu2, which I don't know enough about as per speculation...
>>
>> --
>> Dave Täht
>> CEO, TekLibre, LLC
>> http://www.teklibre.com
>> Tel: 1-669-226-2619