| 1 |
El 08/06/12 09:44, Grant escribió: |
| 2 |
> I started a discussion on gentoo-user about the fact that the hardened |
| 3 |
> profile appears to only be for servers and not desktops. I thought |
| 4 |
> I'd check with you guys on this. Is that the case? |
| 5 |
I have been using Gentoo on Desktop systems for some time, mainly |
| 6 |
because it doesn't makes much sense speaking well to others of something |
| 7 |
without being an example. The Gentoo Hardened system can be used as a |
| 8 |
Desktop for daily use (I do use it) and by that I also mean I have used |
| 9 |
it even on demanding tasks like live video streaming from DV cameras |
| 10 |
(never tried playing games since I'm not that kind of person). |
| 11 |
|
| 12 |
Of course there are some drawbacks, but the team is aware of them and we |
| 13 |
do our best to fix these. Some of the ones that come to mind are: |
| 14 |
* If you plan on using binary drivers you'll need to disable many |
| 15 |
security protections on a most of the programs since the libraries |
| 16 |
bundled with them are not hardened friendly. |
| 17 |
* Some open source graphical drivers (ATI/AMD comes to mind) require JIT |
| 18 |
code in 3D applications (or hacking LLVM so it will always default to |
| 19 |
the slooooow interpreter mode). This is a known issue and can be fixed |
| 20 |
with tools like revdep-pax which allow you to check which are those |
| 21 |
applications. |
| 22 |
* In general JIT code is deemed to fail in hardened systems because of |
| 23 |
mprotect restrictions, this is a known issue and tends to be fixed by |
| 24 |
disabling JIT code generation in the affected packages or removing the |
| 25 |
mprotect restrictions on said binaries. |
| 26 |
* Virtualization is a world in itself, many processors with |
| 27 |
virtualization extensions (specially older ones without hardware nested |
| 28 |
pagetables supports) tend to be rather slow with UDEREF and kernexec |
| 29 |
enabled in kvm. I think this is more of an implementation issue than a |
| 30 |
real hardware issue but I may be wrong here. As for other solutions each |
| 31 |
tends to be a world of its own where is better to just try them and see |
| 32 |
what happens since they tend to be very hardware specific. |
| 33 |
|
| 34 |
@Grant I generally tend to monitor gentoo-user from time to time to |
| 35 |
answer to threads involving hardened (although it is hard to read |
| 36 |
everything so many just pass by ignored), can you please tell me the |
| 37 |
topic of the thread so I can give it a look and contribute as needed? |
Archives