| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190512153105.GA25254@light.dominikbrodowski.net>
Date: Sun, 12 May 2019 17:31:05 +0200
From: Dominik Brodowski <linux@...inikbrodowski.net>
To: hpa@...or.com, Mimi Zohar <zohar@...ux.ibm.com>
Cc: Roberto Sassu <roberto.sassu@...wei.com>, viro@...iv.linux.org.uk,
linux-security-module@...r.kernel.org,
linux-integrity@...r.kernel.org, initramfs@...r.kernel.org,
linux-api@...r.kernel.org, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, zohar@...ux.vnet.ibm.com,
silviu.vlasceanu@...wei.com, dmitry.kasatkin@...wei.com,
takondra@...co.com, kamensky@...co.com, arnd@...db.de,
rob@...dley.net, james.w.mcmechan@...il.com
Subject: Re: [PATCH v2 0/3] initramfs: add support for xattrs in the initial
ram disk
On Sun, May 12, 2019 at 03:18:16AM -0700, hpa@...or.com wrote:
> > Couldn't this parsing of the .xattr-list file and the setting of the xattrs
> > be done equivalently by the initramfs' /init? Why is kernel involvement
> > actually required here?
>
> There are a lot of things that could/should be done that way...
Indeed... so why not try to avoid adding more such "things", and keeping
them in userspace (or in a fork_usermode_blob)?
On Sun, May 12, 2019 at 08:52:47AM -0400, Mimi Zohar wrote:
> It's too late. The /init itself should be signed and verified.
Could you elaborate a bit more about the threat model, and why deferring
this to the initramfs is too late?
Thanks,
Dominik
Powered by blists - more mailing lists