
Re: Proposing amd64-hardened architecture for Debian



On Tue, Apr 15, 2014 at 8:15 PM, Christian Hofstaedtler wrote:

> I think that as of today it would help more to fix various upstream
> build tools to actually honor the build flags we (using
> dpkg-buildflags) set. This would benefit both the regular
> architectures and any hypothetical hardened archs.

Also necessary is for them to support being built with other compilers.

> Regarding a special hardened arch, I think on amd64 there's almost
> no benefit of making a separate arch: just turn on all the hardening
> stuff in amd64, the hardware is fast enough to tolerate some
> slowdown as a tradeoff for better security.
> No ideas for/about the other archs.

You need a separate architecture if your security enhancements are
going to give a 50% speed hit.

https://events.ccc.de/congress/2013/Fahrplan/events/5412.html
https://media.ccc.de/browse/congress/2013/30C3_-_5412_-_en_-_saal_1_-_201312271830_-_bug_class_genocide_-_andreas_bogk.html

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

