On Fri, Oct 26, 2012 at 12:21 PM, Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Fri, Oct 26, 2012 at 11:50 AM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>> There are situations where devices running without initrds may need
>> very early protection from link vulnerabilities
>
> I really don't see what this argument is all about.
>
> If you don't have initrd, you still have early bootup scripts etc.
>
> If your early bootup has security problems, you have security
> problems. It has nothing to do with initrd, or with restricted links,
> or anything else.

I think there's value in being able to enable these protections at
build-time so there's no need for a distro to have to ship extra
files/lines, spend time setting it, etc. This isn't like other
tunables, IMO.

> I also refuse to add these kinds of micro-management config options
> and ask any kind of normal person these kinds of "do you want this
> random crazy feature". A config option would need to be way more sane,
> not this kind of micro-management.

Would a single config item be acceptable? What would be an agreeable
way to enable this at build-time?

-Kees

--
Kees Cook
Chrome OS Security