(no title)

If the participant did everything right, one of the only remaining ways that the secrets could be exfiltrated from the machine was by exploiting a theoretical vulnerability in xorriso, the software we use to read/write DVDs for airgapped communication in the ceremony. Even then, it was likely to leave an evidence trail on the DVDs for post-hoc review.

As an extra precaution, we needed to impose strict policies on the xorriso process. Grsec was trivial to employ using off-the-shelf Alpine Linux tools, and didn't require any dependencies which would increase the cost of auditing afterward. Grsec was also not likely to introduce bugs we couldn't catch in post-hoc review due to the evidence trail left on the DVDs.

The hope was to force an adversary to exploit both xorriso and grsec in practice. One important question is: was grsec likely to introduce a category of bugs that would not otherwise exist in Linux already? I think the answer to that question is no. Funny enough, just a day or two before the ceremony the Dirty COW vulnerability was patched in the Linux kernel, and we just managed to update our OS before the scheduled ceremony.