Happy to see a new entry here! Looking forward to all the missing entries for 5.1{1..8} ;-) Thanks for these summaries, I didn't know about nosymfollow before.
Oops! Thank you both. I've fixed that now. :)
The very first item appears both in the list for 5.9 and 5.10: i.e., it's at the top of both posts.
Your first entry is duplicated from v5.9!
I'm sad that these ended or are on hiatus as they are great!
Hi Cook, thanks for the article! We implemented a KCFI fine-grained forward edge protection (refer to the open source implementation of PAX RAP) and scs back edge protection based on the gcc plug...
Thanks so much for essential posts and articles, they are a wonderful resource for security engineers. Now that v5.12 has been released, do you have any plan to post 'security things in Linux v5.12...
With the arm64 arch extensions we might see some implementations on earlier revisions of the architecture - an implementation can provide some features from newer architecture revisions without i...
o/ Thanks for catching up on those summaries :-D With so many code additions per release, it's good to see some folks focusing on security as well.
Yeah, I'm a bit behind. Currently working on fixing that. :) Thanks for your patience!
Thank you Kees for summarizing all-things-security for each kernel release. I always enjoyed these articles. Maybe I (and others?) should have said so before, because now...I'm missing these entr...
I'm sorry you consider Alexander's work to be plagiarism; I think it is clearly not. I agree it's a similar idea, but even that idea already existed in the kernel (e.g. CONFIG_PAGE_POISONING), bu...
No mention of previous work implementing exactly the same such as https://lkml.org/lkml/2009/5/24/284 (or the PaX project). Part of it was also formally copyrighted in 2015. How long is this kind...
I'm not aware of a CFI implementation in gcc. Hopefully this will change soon, but for now it's just Clang.
For recommended CONFIGs, see here: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
Whoops! Thanks (to many people) for catching the CONFIG_SLAB_FREELIST_HARDENED typo! I've fixed it now. :)
Hello Kees, thanks for the article! I want to ask if the linux kernel has plans to support CFI based on gcc in the future, or if I want to use CFI, I must use clang to compile the kernel. Best re...
Is there a list of recommended CONFIG* settings for security somewhere on your blog, so that I can verify them and recompile my kernel? E.g. on the Ubuntu bug tracker you recommended setting CONF...
Shouldn't there be CONFIG_SLAB_FREELIST_HARDENED instead of CONFIG_SLAB_FREELIST_HARDENING?
Kees, you hero! Thank you for updating the blog post! :)
Oops, yes; I've added CLONE_PIDFD now. I was thinking too much about P_PIDFD in v5.3 that I forgot CLONE_PIDFD was in v5.2. :) Thanks for the reminder!
Thanks for producing these summaries each release.
We also landed CLONE_PIDFD with clone(). :)
Very cool charts! Just having the knowledge out there that some flags compiler features could be enabled to improve quality and performance is likely to help drive more adoption of these features...
Hello Kees, thanks for the article! Let me add two brief remarks: 1. The STACKLEAK plugin adds stack tracking to functions with a big stack frame (>=CONFIG_STACKLEAK_TRACK_MIN_SIZE), not to leaf ...
I'm not sure I know what you mean. Do you mean Kernel Page Table Isolation? That would be entirely unrelated. Normal (non-buggy) callers of kmalloc() and kmalloc_array() will get the same memory ...
Variable Length Array removals, part 2 - What would be the impact of KPI for this Kernel hardening feature, i.e. kmalloc(m*n, GFP_XXX) assign memory of m items of n size or directly calling kmalloc_array...
Reading between the lines, my UEFI firmware has Intel Matrix Raid driver built-in hence it can read ESP off RAID. So all we need is a clean-room BSD-2 implementation of an mdadm driver for OVMF/E...
https://outflux.net/blog/archives/2018/04/19/uefi-booting-and-raid1/comment-page-1/#comment-2794
> With UEFI, the boot firmware is actually examining the GPT partition table, looking for the partition marked with the “EFI System Partition” (ESP) UUID. The UEFI specification doesn't requi...
https://outflux.net/blog/archives/2018/04/19/uefi-booting-and-raid1/comment-page-1/#comment-1922
It looks like the UEFI thinktank completely sidestepped the issue of ESP redundancy and left it all to the hardware vendors. Which predictably leads to vendor specific (often braindead) solutions...
https://outflux.net/blog/archives/2018/04/19/uefi-booting-and-raid1/comment-page-1/#comment-1921