Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 6 Feb 2017 15:36:10 -0500
From: David Windsor <dwindsor@...il.com>
To: Kees Cook <keescook@...omium.org>
Cc: Mark Rutland <mark.rutland@....com>, Greg KH <gregkh@...uxfoundation.org>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, 
	"Reshetova, Elena" <elena.reshetova@...el.com>, Hans Liljestrand <ishkamiel@...il.com>, 
	Peter Zijlstra <peterz@...radead.org>
Subject: Re: Re: HARDENED_ATOMIC documentation

On Mon, Feb 6, 2017 at 3:08 PM, Kees Cook <keescook@...omium.org> wrote:
> On Mon, Feb 6, 2017 at 8:09 AM, Mark Rutland <mark.rutland@....com> wrote:
>> On Mon, Feb 06, 2017 at 11:02:56AM -0500, David Windsor wrote:
>>> > Why not put the documentation right into the kernel tree?  That way it
>>> > is always up to date with the code (well, hopefully), it will get built
>>> > and hosted all over the internet at different sites (including
>>> > kernel.org) and is much easier to search and people can modify easier.
>>> >
>>>
>>> Fair enough, I'll re-submit as a patch against something in
>>> Documentation/.  It doesn't appear that there's currently a good
>>> landing spot for this, as Documentation/security/self-protection.txt
>>> already looks fairly crowded.  Individual KSPP sub-project details
>>> would impossibly complicate this file.  Maybe a kspp/ or
>>> self-protection/ sub-directory with files for individual KSPP
>>> features?
>>
>> It would be better to mirror our documentation of atomics; i.e. place
>> this in Documentation/core-api/refcount_ops.rst.
>
> Yeah, this is likely the best place. (And since it's not strictly
> "hardened atomic" any more: it's just "safe refcounting".)
>
>> Developers don't care if this is part of KSPP, they care about the API.
>
> Right. I think changes could be made to
> Documentation/security/self-protection.txt to point to the
> refcount_ops.rst file, though, since security folks would like
> pointers from that doc to the refcount API.
>

Understood.  I'll take the API reference I just created on kernsec.org
and move its contents to Documentation/core-api/refcount_ops.rst.
Then, update Documentation/security/self-protection.txt with some
language about this feature's justification, etc. and point to
refcount_ops.rst.

Thanks!

> -Kees
>
> --
> Kees Cook
> Pixel Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.