randstruct randomizes at build time? So the security gain on distribution kernels is rather small, right?
-
Yes, that has been acknowledged. Still, KSPP considers that it remains a valuable feature for the numerous custom kernels used in many places.
-
Yeah, randstruct is primarily effective for in-house kernel builds, where you can also test the performance results. For distros they'd probably need to enable the "stay in cacheline" toggle and it would just annoy attackers by making them fetch the per-build random value.
-
Now, if distros shipped a package that would build a randstruct kernel locally and threw away the random value afterwards, that might be more interesting. Something like DKMS, but for the whole kernel.
-
Ah, I see. Is compiling the whole kernel on every kernel update feasible in terms of compile time? Maybe shipping a pre-optimized (as much as possible) LLVM bitcode file or similar would reduce compile time.
-
It might be possible. Just takes someone who wants to spend the time to investigate it. Maybe look to Gentoo for hints?
-
OK. Thanks for the answers :)
-
Thanks for the mention, Kees. :) Loved working on it.