| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 6 May 2009 22:25:17 +0200 From: Ingo Molnar <mingo@...e.hu> To: Matt Mackall <mpm@...enic.com> Cc: "Eric W. Biederman" <ebiederm@...ssion.com>, Linus Torvalds <torvalds@...ux-foundation.org>, Arjan van de Ven <arjan@...radead.org>, Jake Edge <jake@....net>, security@...nel.org, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, James Morris <jmorris@...ei.org>, linux-security-module@...r.kernel.org, Eric Paris <eparis@...hat.com>, Alan Cox <alan@...rguk.ukuu.org.uk>, Roland McGrath <roland@...hat.com>, mingo@...hat.com, Andrew Morton <akpm@...ux-foundation.org>, Greg KH <greg@...ah.com>, Dave Jones <davej@...hat.com> Subject: Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes * Matt Mackall <mpm@...enic.com> wrote: > On Wed, May 06, 2009 at 12:30:34PM +0200, Ingo Molnar wrote: > > (Also, obviously "only" covering 95% of the Linux systems has its > > use as well. Most other architectures have their own cycle counters > > as well.) > > X86 might be 95% of desktop. But it's a small fraction of Linux > systems once you count cell phones, video players, TVs, cameras, > GPS devices, cars, routers, etc. almost none of which are > x86-based. In fact, just Linux cell phones (with about an 8% share > of a 1.2billion devices per year market) dwarf Linux desktops > (maybe 5% of a 200m/y market). Firstly, the cycle counter is just one out of several layers there. So it's a hyperbole to suggest that i'm somehow not caring about architectures that dont have a cycle counter. I'm simply making use of a cheaply accessed and fast-changing variable on hw that has it. Also, are those systems really going to be attacked locally, brute-forcing a PRNG? Servers and desktops are the more likely targets. They both have the necessary computing power to run statistical analysis locally fast enough and have an actual value to be attacked. And, even if we ignored those factors, ad argumendo, you would still be wrong IMHO: what matters really in this context isnt even any artificial 'share' metric - but the people willing to improve and fix the upstream kernel, and the reasons why they do that, and the platforms they use. And amongst our contributors and testers, willing to run and improve the latest upstream kernel, x86 has a larger than 95% share. Look at kerneloops.org stats. Or bugzilla. Or lkml. If embedded matters that much, make it show up as a real factor on those upstream forums. Lets call this Ingo's Law: if something doesnt improve the upstream kernel, directly or indirectly, it does not exist ;-) Ingo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists