sys/conf/NOTES
# Random number generator | # Random number generator | ||||
options RANDOM_YARROW # Yarrow RNG | options RANDOM_YARROW # Yarrow RNG | ||||
##options RANDOM_FORTUNA # Fortuna RNG - not yet implemented | ##options RANDOM_FORTUNA # Fortuna RNG - not yet implemented | ||||
options RANDOM_DEBUG # Debugging messages | options RANDOM_DEBUG # Debugging messages | ||||
options RANDOM_RWFILE # Read and write entropy cache | options RANDOM_RWFILE # Read and write entropy cache | ||||
# Module to enable execution of application via emulators like QEMU | # Module to enable execution of application via emulators like QEMU | ||||
options IMAGACT_BINMISC | options IMAGACT_BINMISC | ||||
rwatson: Should this heading be PAX-related rather than ASLR-related?
# Address Space Layout Randomization (ASLR) | |||||
emaste: It would be useful I think to have a bit of explanation of the background behind PAX (the name and history). Right now the archiver man page for pax(1) may be the first/only thing people find.
op: Sure, we should write more about the origin. Shawn is currently writing the ASLR man page: https://github.com/HardenedBSD/hardenedBSD/commit/73b0448c3531e5a2e869a0c6a602d64c441c49a7
options PAX_ASLR | |||||
rwatson: I would like to see the change to frob read-write vs. read-only sysctls made before commit. Compiling the sysctls out seems unhelpful. That said, I'm not convinced by this argument regarding Bastion systems. Should the sysctls instead be controlled by securelevel?
options PAX_SYSCTLS | |||||
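Review bot: the two new entries under the ASLR heading, `options PAX_ASLR` and `options PAX_SYSCTLS`, carry no descriptive comment, while the neighbouring entries each have one (for example `options RANDOM_RWFILE # Read and write entropy cache`). PAX_SYSCTLS in particular should say on its own line that it exposes additional sysctls which can be modified at runtime, because the name alone does not tell an administrator that building with it leaves the ASLR settings changeable after boot. The heading also names ASLR while both options use the PAX_ prefix, so a short comment tying the two together (or a PAX-named heading) would help a reader of NOTES.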
rwatson: Should this be named PAX_DEBUG, PAX_TEST, or similar?
lattera-gmail.com: No. Setting this kernel option exposes extra sysctls that the user can modify at runtime.
rwatson: Is there a reason to ifdef them if they aren't limited to debugging?
op: Yes. If we should restrict the system, then we just remove these knobs, and the ASLR status is enforced by boot-time settings, and able to change them on the fly. This is required by some bastion systems.
rwatson: Does it make more sense to leave the monitoring sysctls but instead twiddle them to be read-only? This allows checking the conditions and configuration of ASLR even though it can't be changed.
op: https://github.com/HardenedBSD/hardenedBSD/issues/21