Re: [Tails-dev] What is *not* erased (after shutdown) with P…

Author: Andrew Gallagher
Date:  
To: pageexec, The Tails public development discussion list
CC: spender
Subject: Re: [Tails-dev] What is *not* erased (after shutdown) with PAX_MEMORY_SANITIZE enabled?

> On 3 Jan 2017, at 21:40, PaX Team <pageexec@???> wrote:
>
> in other words, if you were to kexec into a SANITIZE enabled kernel,
> you'd get your memory clearing for free automatically, earlier than
> any initramfs would execute even and it'd cover most kernel memory
> that the kernel ever cares about (or cared in its previous incarnation
> at least).
>
> now this brings us to the other topic you raised about grsecurity's
> KMEM hardening. technically it's not incompatible with kexec, so you
> can re-enable kexec, however note that until some signed kexec mechanism
> enters the kernel, it carries a risk of executing potentially malicious
> kernels (but maybe that's not a problem in your use cases). perhaps
> embedding or loading the kexec kernel from initramfs would get around
> those concerns for good.
Can you kexec from a running kernel into itself? If so, then this single use case could be enabled without opening a hole for arbitrary code. It would crash when it discovers the boot disk is missing, but by that time sanitize should have done its job.

A.
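As an added example (not code from the thread, from Tails, or from the grsecurity/PaX projects), the following POSIX sh snippet does the check a Tails builder would want before pursuing the kexec-into-a-SANITIZE-kernel idea above: it reads a saved kernel config and reports whether PAX_MEMORY_SANITIZE and kexec are both enabled, and whether grsecurity's KMEM hardening (which the thread notes can be combined with re-enabling kexec) is set. The symbol name CONFIG_PAX_MEMORY_SANITIZE is from the subject line; CONFIG_KEXEC and CONFIG_GRKERNSEC_KMEM are assumed to be the standard symbol names, and the sample config embedded at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: inspect a kernel .config for the options discussed in the thread.
# Usage: sh check_sanitize.sh /boot/config-$(uname -r)
#        (or: zcat /proc/config.gz > cfg && sh check_sanitize.sh cfg)

# kconfig_enabled CONFIG_FILE SYMBOL
# Returns 0 when the symbol is built in (CONFIG_<SYMBOL>=y), 1 otherwise.
# A module (=m) or an "is not set" comment both count as not enabled here.
kconfig_enabled() {
    grep -q "^CONFIG_$2=y\$" "$1"
}

# kexec_wipe_ready CONFIG_FILE
# Returns 0 only if a SANITIZE kernel could be kexec'd into from this build,
# i.e. both memory sanitisation and kexec support are compiled in.
kexec_wipe_ready() {
    kconfig_enabled "$1" PAX_MEMORY_SANITIZE && kconfig_enabled "$1" KEXEC
}

# report_config CONFIG_FILE
# Prints one line per symbol of interest plus an overall verdict.
report_config() {
    cfg=$1
    # CONFIG_KEXEC and CONFIG_GRKERNSEC_KMEM are assumed standard symbol names.
    for sym in PAX_MEMORY_SANITIZE KEXEC GRKERNSEC_KMEM; do
        if kconfig_enabled "$cfg" "$sym"; then
            echo "CONFIG_$sym: enabled"
        else
            echo "CONFIG_$sym: not set"
        fi
    done
    if kexec_wipe_ready "$cfg"; then
        echo "verdict: kexec into a SANITIZE kernel is possible with this config"
    else
        echo "verdict: kexec-based wipe not available (need SANITIZE and KEXEC)"
    fi
}

# Demonstration on a constructed sample config (not a real Tails kernel config).
demo_sample_config() {
    tmp=$(mktemp)
    printf '%s\n' \
        'CONFIG_PAX_MEMORY_SANITIZE=y' \
        '# CONFIG_KEXEC is not set' \
        'CONFIG_GRKERNSEC_KMEM=y' > "$tmp"
    report_config "$tmp"
    rm -f "$tmp"
}

if [ -n "$1" ]; then
    report_config "$1"
else
    demo_sample_config
fi
```

Run it against a real config file to see which of the two paths (kexec with or without KMEM hardening) actually applies to the kernel in hand; the constructed sample shows the "SANITIZE on, kexec off" combination, which is the case the thread is trying to work around.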