Message-Id: <D4WQ58T5O21X.CGFKGFKV630K@kernel.org>
Date: Wed, 16 Oct 2024 01:14:22 +0300
From: "Jarkko Sakkinen" <jarkko@...nel.org>
To: "Mimi Zohar" <zohar@...ux.ibm.com>, "Roberto Sassu"
 <roberto.sassu@...weicloud.com>, <linux-integrity@...r.kernel.org>
Cc: <James.Bottomley@...senPartnership.com>, <roberto.sassu@...wei.com>,
 <mapengyu@...il.com>, "David Howells" <dhowells@...hat.com>, "Paul Moore"
 <paul@...l-moore.com>, "James Morris" <jmorris@...ei.org>, "Serge E.
 Hallyn" <serge@...lyn.com>, "Peter Huewe" <peterhuewe@....de>, "Jason
 Gunthorpe" <jgg@...pe.ca>, <keyrings@...r.kernel.org>,
 <linux-security-module@...r.kernel.org>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v5 0/5] Lazy flush for the auth session

On Tue Oct 15, 2024 at 11:08 PM EEST, Mimi Zohar wrote:
> > > > since the feature itself is useful objectively, and make sure
> > > > that those fixes bring the wanted results.
>
> The right thing would have been to listen to my concerns when this was initially
> being discussed.  The right thing wasn't enabling TCG_TPM2_HMAC by default.

This is debatable, as laptops and desktops with hard drive
encryption do benefit from this. If systemd hadn't added
systemd-cryptenroll I would agree with this. I learned about this
feature two years after its inception in that project, so we needed to
address this as a priority (I did not and will not follow systemd
development proactively, as I don't have time for that).

I feel safer using my laptop with the feature in place, at least.

Besides, it is a complicated enough feature that it would have been
impossible to ever land it "zero glitch". I don't think there is any
rigid "data centers first" rule really, except maybe for those
businesses that run data centers (and I'm not one of those
businesses).

BR, Jarkko
