Current situation
The kernel has CONFIG_PROC_KCORE enabled so that all physical memory can be examined.
Impact
If sensitive data or keys to run an encrypted container are used, they will be present in memory, allowing anyone with access to the to capture the keys
Ideal future situation
Can Flatcar run with /proc/kcore disabled? Also, it might be valuable to disable /proc/[pid]/mem, which also provides access to a single process's memory (kernel patch needed).
Implementation options
Also would ensure CONFIG_CROSS_MEMORY_ATTACH=n as well as CONFIG_STRICT_DEVMEM=y, and maybe some others.
Additional information
Why am I asking? All existing systems assume every user trusts the root user, when in fact we often don't know them.
Closing direct memory access eliminates the need to trust them.
They can kill the system, but that is very different from compromising sensitive data.
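
A way to check a given kernel build against the values proposed in the issue above, as an added example that is not part of the original issue or of Flatcar's own tooling. The function names, the constructed sample config and the treatment of a missing option as `n` are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a kernel config file for the memory-access
# options named in the issue. Not Flatcar project code.

# Print the effective value of option $2 in kernel config file $1.
# "# CONFIG_X is not set" and a missing line are both reported as "n"
# (assumption: an absent symbol means the feature is not built in).
kconfig_value() {
    val=$(sed -n "s/^$2=\(.*\)\$/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-n}"
}

# Compare each "OPTION=wanted" pair against config file $1.
# Prints one line per option and returns the number of mismatches.
audit_memory_access() {
    cfg=$1; shift
    bad=0
    for pair in "$@"; do
        opt=${pair%%=*}; want=${pair#*=}
        have=$(kconfig_value "$cfg" "$opt")
        if [ "$have" = "$want" ]; then
            echo "ok    $opt=$have"
        else
            echo "FAIL  $opt=$have (wanted $want)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Values proposed in the issue.
WANTED="CONFIG_PROC_KCORE=n CONFIG_CROSS_MEMORY_ATTACH=n CONFIG_STRICT_DEVMEM=y"

# Constructed sample config, matching the "current situation" described.
sample_config() {
cat <<'EOF'
CONFIG_PROC_FS=y
CONFIG_PROC_KCORE=y
# CONFIG_CROSS_MEMORY_ATTACH is not set
CONFIG_STRICT_DEVMEM=y
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_memory_access "$tmp" $WANTED || echo "$? option(s) differ from the proposal"
rm -f "$tmp"
```

To audit a real host, pass `audit_memory_access` the path of that kernel's config file (for example a decompressed copy of `/proc/config.gz`, where the kernel provides it) in place of the sample.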
> Also it might be valuable to disable /proc/[pid]/mem which also provides access to a single process's memory (kernel patch needed)
We generally tend to not carry out of tree patches that change behavior from upstream.
> Why am I asking? All existing systems assume every user trusts the root user when in fact we often don't know them.
> Closing direct memory access eliminates the need to trust them.
> They can kill the system but that is very different from compromising sensitive data
As someone working on "confidential containers" I would say: if you want full confidentiality you need to run your containers with something like Kata containers and using confidential computing hardware to get the guarantees you mention.