compile time flags hardening

[adrelanos]

hardening-check lkrg.ko 

 Position Independent Executable: not a known ELF type!? ()
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: no, non-ELF (ignored)
 Immediate binding: no, non-ELF (ignored)
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found!

Would it make sense to add some compile time hardening flags to the Makefile?

[solardiz]

hardening-check lkrg.ko

You've checked a kernel module mostly for properties expected from a userspace program.

Would it make sense to add some compile time hardening flags to the Makefile?

Maybe, but like what? We generally need to build with the same flags that the kernel builds with, but maybe some compilers have specific desirable flags that we could reasonably detect and override in just one module. Do you have specific well-reasoned suggestions?

As things currently are, we actually have the opposite kind of problem - LKRG fails to work on kernels built with CFI enforcement (ARM BTI #183, Intel CET #272).

[solardiz]

As far as I'm aware, there's currently nothing for us to do on this issue, so I'll close it. If it ever becomes actionable, we can reopen.