lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20090506202517.GA27544@elte.hu>
Date:	Wed, 6 May 2009 22:25:17 +0200
From:	Ingo Molnar <mingo@...e.hu>
To:	Matt Mackall <mpm@...enic.com>
Cc:	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Arjan van de Ven <arjan@...radead.org>,
	Jake Edge <jake@....net>, security@...nel.org,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	James Morris <jmorris@...ei.org>,
	linux-security-module@...r.kernel.org,
	Eric Paris <eparis@...hat.com>,
	Alan Cox <alan@...rguk.ukuu.org.uk>,
	Roland McGrath <roland@...hat.com>, mingo@...hat.com,
	Andrew Morton <akpm@...ux-foundation.org>,
	Greg KH <greg@...ah.com>, Dave Jones <davej@...hat.com>
Subject: Re: [Security] [PATCH] proc: avoid information leaks to
	non-privileged processes


* Matt Mackall <mpm@...enic.com> wrote:

> On Wed, May 06, 2009 at 12:30:34PM +0200, Ingo Molnar wrote:
> > (Also, obviously "only" covering 95% of the Linux systems has its 
> > use as well. Most other architectures have their own cycle counters 
> > as well.)
> 
> X86 might be 95% of desktop. But it's a small fraction of Linux 
> systems once you count cell phones, video players, TVs, cameras, 
> GPS devices, cars, routers, etc. almost none of which are 
> x86-based. In fact, just Linux cell phones (with about an 8% share 
> of a 1.2billion devices per year market) dwarf Linux desktops 
> (maybe 5% of a 200m/y market).

Firstly, the cycle counter is just one out of several layers there. 
So it's a hyperbole to suggest that i'm somehow not caring about 
architectures that dont have a cycle counter. I'm simply making use 
of a cheaply accessed and fast-changing variable on hw that has it.

Also, are those systems really going to be attacked locally, 
brute-forcing a PRNG? Servers and desktops are the more likely 
targets. They both have the necessary computing power to run 
statistical analysis locally fast enough and have an actual value to 
be attacked.

And, even if we ignored those factors, ad argumendo, you would still 
be wrong IMHO: what matters really in this context isnt even any 
artificial 'share' metric - but the people willing to improve and 
fix the upstream kernel, and the reasons why they do that, and the 
platforms they use.

And amongst our contributors and testers, willing to run and improve 
the latest upstream kernel, x86 has a larger than 95% share. Look at 
kerneloops.org stats. Or bugzilla. Or lkml.

If embedded matters that much, make it show up as a real factor on 
those upstream forums. Lets call this Ingo's Law: if something 
doesnt improve the upstream kernel, directly or indirectly, it does 
not exist ;-)

	Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ