Re: CVS commit: src/sys/uvm

To: source-changes-d%NetBSD.org@localhost
Subject: Re: CVS commit: src/sys/uvm
From: Joerg Sonnenberger <joerg%bec.de@localhost>
Date: Mon, 11 May 2020 17:03:13 +0200

On Sun, May 10, 2020 at 11:53:00PM +0100, Alexander Nasonov wrote:
> Taylor R Campbell wrote:
> > Log Message:
> > Implement swap encryption.
> > 
> > Enabled by sysctl -w vm.swap_encrypt=1.
> 
> If secmodel_securelevel(9) is still a thing, locking down this sysctl
> at high securelevel may improve our security. Prior to this change,
> swap devices were readable (even if enrypted with cgd).  With this
> sysctl set to 1, all new swap devices will be encrypted, the only
> thing to worry about is if it's set back to 0 on a compromised host.

Well, the ability to turn it off should be locked down. Enabling it for
securelevel>0 seems fine?

Joerg

References:
- Re: CVS commit: src/sys/uvm
  - From: Alexander Nasonov

Prev by Date: Re: CVS commit: src/tests/lib/libc/sys
Next by Date: Re: CVS commit: src
Previous by Thread: Re: CVS commit: src/sys/uvm
Next by Thread: Re: CVS commit: src/sys/uvm
Indexes:

Home | Main Index | Thread Index | Old Index