Bug#605090: Updated patch

To: Yves-Alexis Perez <yves-alexis.perez@ssi.gouv.fr>
Cc: Bastian Blank <waldi@debian.org>, 605090@bugs.debian.org
Subject: Bug#605090: Updated patch
From: Kees Cook <kees@debian.org>
Date: Wed, 26 Jan 2011 10:07:15 -0800
Message-id: <[🔎] 20110126180715.GB4981@outflux.net>
Reply-to: Kees Cook <kees@debian.org>, 605090@bugs.debian.org
In-reply-to: <[🔎] 1296044954.2314.54.camel@oban>
References: <[🔎] 1294140329.2909.69.camel@oban> <[🔎] 1295371970.2130.4.camel@oban> <[🔎] 20110126072548.GA27541@wavehammer.waldi.eu.org> <[🔎] 1296044954.2314.54.camel@oban>

Hi,

On Wed, Jan 26, 2011 at 01:29:14PM +0100, Yves-Alexis Perez wrote:
> Due to the performances concerns, I've decided to keep UDEREF and
> KERNEXEC disabled on amd64 for now anyway, so those will disappear
> (independently of the i386 decision).

This doesn't seem like a good idea. The bulk of heavy-duty kernel hardening
is with KERNEXEC and UDEREF. If someone is interested in speed, they can
choose i386. But if someone wants a hardened kernel and amd64, they should
have the option. I'd leave those on for both.

-Kees

-- 
Kees Cook                                            @debian.org

Reply to:

References:
- Bug#605090: Updated patch
  - From: Yves-Alexis Perez <yves-alexis.perez@ssi.gouv.fr>
- Bug#605090: Updated patch
  - From: Yves-Alexis Perez <yves-alexis.perez@ssi.gouv.fr>
- Bug#605090: Updated patch
  - From: Bastian Blank <waldi@debian.org>
- Bug#605090: Updated patch
  - From: Yves-Alexis Perez <yves-alexis.perez@ssi.gouv.fr>

Prev by Date: Bug#611126: Yes, this is recent
Next by Date: Possible bug in kernel 2.6.37
Previous by thread: Bug#605090: Updated patch
Next by thread: Bug#605090: Updated patch
Index(es):
- Date
- Thread