https://marc.info/?l=openbsd-tech&m=149732026405941
Looks like KARL is done offline and the generated kernel applies on the next reboot. The upside is better randomness opportunities. The downside is that your kernel is mutable, and its layout may be discoverable locally which could be used for local kernel exploit attempts. (Not that it isn't a huge effort to get rid of local pointer/info leaks in kernels that use KASLR at boot.) Haven't thought too hard about it yet, so not sure how it looks in practice compared to other techniques. On Thu, Jul 6, 2017 at 7:03 AM, Tilghman Lesher <[email protected]> wrote: > One thing that I would be careful of is that cold-booted computers are > known to be, shall we say, less than optimal when it comes to seeding > their PRNG. In fact, I wouldn't be surprised to learn that > cold-booted computers of the same model/manufacturer would have either > the same or nearly the same "randomized" kernel locations. > > It's only later, after boot, when the kernel has had a chance to start > collecting random seeding from user input that the PRNG becomes more > random. This is not an issue for computers going through a warm > reboot. > > Of course, without closer examination of the code and testing a bit, > it's impossible to know whether Theo has addressed this possible > problem. > > On Wed, Jul 5, 2017 at 5:30 PM, Howard White <[email protected]> wrote: > > A posting from a favorite web site of mine: > > > > <https://www.bleepingcomputer.com/news/security/openbsd- > will-get-unique-kernels-on-each-reboot-do-you-hear-that-linux-windows/> > > > > Howard > > > > -- > > -- > > You received this message because you are subscribed to the Google Groups > > "NLUG" group. > > To post to this group, send email to [email protected] > > To unsubscribe from this group, send email to > > [email protected] > > For more options, visit this group at > > http://groups.google.com/group/nlug-talk?hl=en > > > > --- You received this message because you are subscribed to the Google > > Groups "NLUG" group. > > To unsubscribe from this group and stop receiving emails from it, send an > > email to [email protected]. > > For more options, visit https://groups.google.com/d/optout. > > > > -- > Tilghman > > -- > -- > You received this message because you are subscribed to the Google Groups > "NLUG" group. > To post to this group, send email to [email protected] > To unsubscribe from this group, send email to nlug-talk+unsubscribe@ > googlegroups.com > For more options, visit this group at http://groups.google.com/ > group/nlug-talk?hl=en > > --- > You received this message because you are subscribed to the Google Groups > "NLUG" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. > -- -- You received this message because you are subscribed to the Google Groups "NLUG" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/nlug-talk?hl=en --- You received this message because you are subscribed to the Google Groups "NLUG" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
