Add Kconfig fragments hardened CONFIG_*s #14
Labels: [Linux] v6.7 (Released in Linux kernel v6.7)
Comments
See commit ed2bbd2 for a tiny example.
kees changed the title from "Add defconfig-like "make" target for by-default hardened CONFIG_*s" to "Add Kconfig fragments hardened CONFIG_*s" on Aug 24, 2023
akiyks pushed a commit to akiyks/linux that referenced this issue on Sep 25, 2023
Inspired by Salvatore Mesoraca's earlier[1] efforts to provide some in-tree guidance for kernel hardening Kconfig options, add a new fragment named "hardening-basic.config" (along with some arch-specific fragments) that enable a basic set of kernel hardening options that have the least (or no) performance impact and remove a reasonable set of legacy APIs.

Using this fragment is as simple as running "make hardening.config".

More extreme fragments can be added[2] in the future to cover all the recognized hardening options, and more per-architecture files can be added too.

For now, document the fragments directly via comments. Perhaps .rst documentation can be generated from them in the future (rather than the other way around).

[1] https://lore.kernel.org/kernel-hardening/1536516257-30871-1-git-send-email-s.mesoraca16@gmail.com/
[2] KSPP#14

Cc: Salvatore Mesoraca <s.mesoraca16@gmail.com>
Cc: x86@kernel.org
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-doc@vger.kernel.org
Cc: linux-kbuild@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
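Kconfig drops a fragment's request when the symbol's dependencies are not met in the target configuration, so after merging a hardening fragment it is worth confirming that the final .config honours every line of it. The following check is an added example, not code from the commit or the kernel tree; the fragment and .config text are constructed samples (not the contents of hardening-basic.config) and the function names are hypothetical.

```python
import re

# Constructed sample fragment (NOT the contents of hardening-basic.config).
SAMPLE_FRAGMENT = """\
# Constructed sample for illustration
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_DEVMEM is not set
"""

# Constructed sample of a final .config after the fragment was merged.
SAMPLE_DOTCONFIG = """\
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
CONFIG_DEVMEM=y
"""

_SET = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_kconfig(text):
    """Map option name -> value; "n" stands for '# CONFIG_X is not set'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if m := _SET.match(line):
            opts[m.group(1)] = m.group(2)
        elif m := _UNSET.match(line):
            opts[m.group(1)] = "n"
    return opts


def unmet_requests(fragment_text, dotconfig_text):
    """Return {option: (wanted, actual)} for fragment lines the .config does not honour."""
    wanted = parse_kconfig(fragment_text)
    actual = parse_kconfig(dotconfig_text)
    # An option absent from .config is not enabled (for example, an unmet
    # dependency hides it), so absence is treated the same as "n".
    return {
        name: (value, actual.get(name, "n"))
        for name, value in wanted.items()
        if actual.get(name, "n") != value
    }


if __name__ == "__main__":
    for name, (want, got) in sorted(unmet_requests(SAMPLE_FRAGMENT, SAMPLE_DOTCONFIG).items()):
        print(f"{name}: fragment wants {want}, .config has {got}")
```

An empty result means every request in the fragment survived into the final configuration; any entry is a hardening option that was silently lost or overridden.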
kees added the "[Linux] v6.7" (Released in Linux kernel v6.7) label and removed the "[PATCH] Exists" (A patch exists to address the issue) label on Feb 7, 2024
Many people have asked for a way to get a default CONFIG* set for a given kernel build. Right now these suggestions have lived externally:
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
Having this in the main kernel tree would be much nicer. There have been proposals made, but they need to be finalized:
https://lore.kernel.org/kernel-hardening/1536516257-30871-1-git-send-email-s.mesoraca16@gmail.com/