Re: CVS commit: src/sys/uvm

To: Taylor R Campbell <riastradh%netbsd.org@localhost>
Subject: Re: CVS commit: src/sys/uvm
From: Alexander Nasonov <alnsn%yandex.ru@localhost>
Date: Sun, 10 May 2020 23:53:00 +0100

Taylor R Campbell wrote:
> Log Message:
> Implement swap encryption.
> 
> Enabled by sysctl -w vm.swap_encrypt=1.

If secmodel_securelevel(9) is still a thing, locking down this sysctl
at high securelevel may improve our security. Prior to this change,
swap devices were readable (even if enrypted with cgd).  With this
sysctl set to 1, all new swap devices will be encrypted, the only
thing to worry about is if it's set back to 0 on a compromised host.

Not sure if this makes sense because all files on a compromised
host can be read and processes' memory can be probably dumped.

Alex

Follow-Ups:
- Re: CVS commit: src/sys/uvm
  - From: Joerg Sonnenberger
- Re: CVS commit: src/sys/uvm
  - From: Taylor R Campbell

Prev by Date: Re: CVS commit: src/sys
Next by Date: Re: CVS commit: src/sys/uvm
Previous by Thread: Re: CVS commit: src/sys
Next by Thread: Re: CVS commit: src/sys/uvm
Indexes:

Home | Main Index | Thread Index | Old Index