Demi Marie Obenour

Results: 1316 comments by Demi Marie Obenour

Clients should _always_ be locally verifying the signature chain, unless user or machine configuration explicitly marks the DNS resolver as trusted. DNSSEC should be mandatory: without DNSSEC this whole mechanism...

@ayushr2 What about directfs mode? That’s what I expect most non-Google uses of gVisor to be using.

> > strict validation to ensure that `/dev/kvm` is only used in valid ways > > Can you describe what that would look like? Are you thinking of something like...

> This is problematic for us, since we crash deep inside a regular expression match that involves a bunch of backtracking. This seems to be somewhat of an antipattern to...

Would it be possible to modify the engine so that it allocates on the heap instead of using recursion?

One alternative might be to use hardware encryption. I don’t know if this is considered sufficiently trustworthy, though.

> To implement this I need to know if the code can be moved from OvmfPkg and SecurityPkg into a common library, like MdePkg. If it cannot, two implementations will...

> I am not sure why OvmfPkg doesn't use the function from Security? That is what I am trying to figure out. If they should use the same function, how...

Should this use assembly for the ML-DSA operations to prevent side-channel attacks? Or is that not an issue because production users will use an HSM?

I think it is important to mention that `poll` is _asymptotically_ worse than `epoll` in high-concurrency environments.