[Cerowrt-devel] KASLR: Do we have to worry about other arches than x86?

dpreed at deepplum.com dpreed at deepplum.com
Thu Jan 4 17:02:56 EST 2018


Containers and kernel namespaces, and so forth, are MEANINGLESS against the Meltdown and Spectre problems. It's a hardware bug that lets any userspace process access anything the kernel can address.
 
-----Original Message-----
From: "Joel Wirāmu Pauling" <joel at aenertia.net>
Sent: Thursday, January 4, 2018 4:52pm
To: "Dave Taht" <dave.taht at gmail.com>
Cc: "Jonathan Morton" <chromatix99 at gmail.com>, cerowrt-devel at lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] KASLR: Do we have to worry about other arches than x86?




Well, as I've argued before, Lede ideally should be using Kernel Namespaces (poor man's containers) for, at a minimum, the firewall and per-interface routing instances.


The stuff I am running at home is mostly on cheap Atom board, so it's a matter of squeezing out unneeded cruft on the platform. Also I don't want to be admining centos/rhel servers at home.


On 5 January 2018 at 10:47, Dave Taht <dave.taht at gmail.com> wrote:


On Thu, Jan 4, 2018 at 1:44 PM, Joel Wirāmu Pauling <joel at aenertia.net> wrote:
 >
 >
 > On 5 January 2018 at 01:09, Jonathan Morton <chromatix99 at gmail.com> wrote:
 >>
 >>
 >>
 >> I don't think we need to worry about it too much in a router context.
 >> Virtual server folks, OTOH...
 >>
 >>  - Jonathan Morton
 >>
 > Disagree - The Router is pretty much synonymous with NFV; I run my lede
 > instances at home on hypervisors - and this is definitely
 > the norm in Datacentres now. We need to work through this quite carefully.

Yes, the NFV case is serious and what I concluded we had most to worry
 about - before starting to worry about the lower end router chips
 themselves. But I wasn't aware that people were actually trying to run
 lede in that, I'd kind of expected
 a more server-like distro to be used there. Why lede in a NFV? Ease of
 configuration? Reduced attack surface? (hah)

 The only x86 chip I use (aside from simulations) is the AMD one in the
 apu2, which I don't know enough about as per speculation...



 --

 Dave Täht
 CEO, TekLibre, LLC
 http://www.teklibre.com
 Tel: 1-669-226-2619