From: Eric McCorkle <eric@metricspace.net>
To: Mike Tancsa, freebsd-security@freebsd.org
Subject: Re: Potential band-aid for Meltdown
Date: Thu, 4 Jan 2018 11:20:18 -0500
List-Id: freebsd-security@freebsd.org (Security issues, members-only posting)

On 01/04/2018 10:58, Mike Tancsa wrote:
> On 1/4/2018 10:27 AM, Eric McCorkle wrote:
>> I was thinking over meltdown mitigations this morning, and a thought
>> occurred to me (which falls in line with general ideas I've been pursuing)
>
> A pretty neat idea. But in terms of keeping crypto keys safe, why not
> something behind a pkcs11 interface (e.g. eToken) or tpm?

If you have them (and trust the vendors), sure. My thinking here is for
folks with laptops or commodity hardware, who want some measure of
security while waiting for fixed hardware to come out.