On Mon 2017-01-02 14:46:30 -0500, intrigeri wrote:
> Now, taking a step back, I wonder: why does why GRKERNSEC_KMEM
> disables kexec?
>
> Is it because it's deemed dangerous in itself? Then perhaps it's be
> worth asking grsec people if they'd be open to controlling the kexec
> part with a more atomic setting.
>
> Or because it's broken by other protections brought by this feature?
> If it is so, how hard would it be to fix that?
I'd suspect (based on no concrete knowledge, sorry!) that it's the
former -- kexec gives complete control over the system to some other
kernel, which is bad news if you can't trust that other kernel to do
safe things.
I think reaching out to the grsec folks here and explaining the Tails
use case is a good idea.
--dkg