Add Kconfig fragments hardened CONFIG_*s #14
Labels
[Linux] v6.7
Released in Linux kernel v6.7
Comments
|
See commit ed2bbd2 for a tiny example. |
kees
changed the title
akiyks
pushed a commit
to akiyks/linux
that referenced
this issue
Sep 25, 2023
Inspired by Salvatore Mesoraca's earlier[1] efforts to provide some in-tree guidance for kernel hardening Kconfig options, add a new fragment named "hardening-basic.config" (along with some arch-specific fragments) that enable a basic set of kernel hardening options that have the least (or no) performance impact and remove a reasonable set of legacy APIs. Using this fragment is as simple as running "make hardening.config". More extreme fragments can be added[2] in the future to cover all the recognized hardening options, and more per-architecture files can be added too. For now, document the fragments directly via comments. Perhaps .rst documentation can be generated from them in the future (rather than the other way around). [1] https://lore.kernel.org/kernel-hardening/1536516257-30871-1-git-send-email-s.mesoraca16@gmail.com/ [2] KSPP#14 Cc: Salvatore Mesoraca <s.mesoraca16@gmail.com> Cc: x86@kernel.org Cc: linux-arm-kernel@lists.infradead.org Cc: linux-doc@vger.kernel.org Cc: linux-kbuild@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org>
kees
added
[Linux] v6.7
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Many people have asked for a way to get a default CONFIG* set for a given kernel build. Right now these suggestions have lived externally:
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
Having this in the main kernel tree would be much nicer. There have been proposals made, but they need to be finalized:
https://lore.kernel.org/kernel-hardening/1536516257-30871-1-git-send-email-s.mesoraca16@gmail.com/
The text was updated successfully, but these errors were encountered: