
Create a tool that changes kconfig options according to the recommendations #67

Closed
a13xp0p0v opened this issue Jul 4, 2022 · 3 comments
Labels
enhancement New feature or request

Comments

@a13xp0p0v
Owner

It should use the JSON output of kconfig-hardened-check.

@a13xp0p0v a13xp0p0v added the enhancement New feature or request label Jul 4, 2022

@a13xp0p0v a13xp0p0v changed the title Create a tool that changes kconfig options according the recommendations Create a tool that changes kconfig options according to the recommendations Jul 22, 2022
@a13xp0p0v
Owner Author

That tool would also help to filter out the kconfig options that can't be enabled for the given kernel version.

a13xp0p0v added a commit that referenced this issue Jun 12, 2023
With this argument the tool generates a Kconfig fragment with the security
hardening options for the selected microarchitecture.

Refers to #67.

This Kconfig fragment can be merged with the existing Linux kernel config:

$ ./bin/kconfig-hardened-check -g X86_64 > /tmp/fragment
$ cd ~/linux-src/
$ ./scripts/kconfig/merge_config.sh .config /tmp/fragment
Using .config as base
Merging /tmp/fragment
Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment /tmp/fragment:
Previous value: # CONFIG_BUG_ON_DATA_CORRUPTION is not set
New value: CONFIG_BUG_ON_DATA_CORRUPTION=y
...
@a13xp0p0v
Owner Author

This feature is implemented as a part of the kconfig-hardened-check tool.

With the -g argument, the tool generates a Kconfig fragment with the security hardening options for the selected microarchitecture.

This Kconfig fragment can be merged with the existing Linux kernel config:

$ ./bin/kconfig-hardened-check -g X86_64 > /tmp/fragment
$ cd ~/linux-src/
$ ./scripts/kconfig/merge_config.sh .config /tmp/fragment
Using .config as base
Merging /tmp/fragment
Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment /tmp/fragment:
Previous value: # CONFIG_BUG_ON_DATA_CORRUPTION is not set
New value: CONFIG_BUG_ON_DATA_CORRUPTION=y
...
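The two ideas in this thread, building a Kconfig fragment from the tool's JSON output and dropping options the target kernel tree does not know (the filtering mentioned in the second comment), as one added example. This is not the project's own code: the JSON field order, the "FAIL: ..." / "OK" result strings and the Kconfig excerpt are constructed assumptions for illustration.

```python
import json
from typing import List, Optional, Set

# Constructed sample in the shape this example assumes for the tool's "-m json"
# output: one record per check as [name, type, desired, decision, reason, result].
SAMPLE_JSON = json.dumps([
    ["CONFIG_BUG_ON_DATA_CORRUPTION", "kconfig", "y", "defconfig", "self_protection", "FAIL: is not set"],
    ["CONFIG_RANDOMIZE_BASE", "kconfig", "y", "defconfig", "self_protection", "OK"],
    ["CONFIG_DEVMEM", "kconfig", "is not set", "kspp", "cut_attack_surface", "FAIL: \"y\""],
    ["CONFIG_CFI_CLANG", "kconfig", "y", "kspp", "self_protection", "FAIL: is not set"],
    ["init_on_alloc", "cmdline", "1", "kspp", "self_protection", "FAIL: is not found"],
    ["CONFIG_LEGACY_VSYSCALL_NONE", "kconfig", "y", "kspp", "cut_attack_surface", "FAIL: is not set"],
])

# Constructed excerpt of a kernel tree's Kconfig files; CONFIG_CFI_CLANG is
# deliberately absent to stand in for an option this kernel version lacks.
SAMPLE_KCONFIG = """\
config BUG_ON_DATA_CORRUPTION
\tbool "Trigger a BUG when data corruption is detected"
config RANDOMIZE_BASE
menuconfig DEVMEM
\tbool "/dev/mem virtual device support"
config LEGACY_VSYSCALL_NONE
"""

def kconfig_symbols(kconfig_text: str) -> Set[str]:
    """Collect the CONFIG_ symbols declared by 'config NAME' / 'menuconfig NAME' lines."""
    symbols = set()
    for line in kconfig_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("config", "menuconfig"):
            symbols.add("CONFIG_" + parts[1])
    return symbols

def fragment_lines(report_json: str, known: Optional[Set[str]] = None) -> List[str]:
    """Turn failing kconfig checks into lines merge_config.sh can apply."""
    lines = []
    for name, kind, desired, _decision, _reason, result in json.loads(report_json):
        if kind != "kconfig" or not result.startswith("FAIL"):
            continue  # cmdline/sysctl checks have no Kconfig form; passing checks need nothing
        if known is not None and name not in known:
            continue  # option unknown to this kernel version: the fragment line would be ignored
        if desired == "is not set":
            lines.append(f"# {name} is not set")  # the spelling merge_config.sh understands
        else:
            lines.append(f"{name}={desired}")
    return lines

if __name__ == "__main__":
    print("\n".join(fragment_lines(SAMPLE_JSON, kconfig_symbols(SAMPLE_KCONFIG))))
```

Pass the printed lines to merge_config.sh exactly as in the session above; the unfiltered call (no second argument) keeps CONFIG_CFI_CLANG, the filtered one drops it.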
