On Thu, Dec 01, 2022 at 09:09:04PM +0100, Stefan Bavendiek wrote:
Some time ago I wrote a thesis about complexity in the Linux kernel and how to reduce it in order to limit the attack surface[1]. While the results are unlikely to bring news to the audience here, it did indicate some possible ways to avoid exposing optional kernel features when they are not needed. The basic idea would be to either build or configure parts of the kernel after or during the installation on a specific host. Distributions are commonly shipping the kernel as one large binary that includes support for nearly every hardware driver and optional feature
Is this really true? Most drivers are built as loadable modules and are only loaded when the hardware is present. Are you suggesting to configure-out the modules that are always static? This sounds like an embedded system build.
Attachment:
signature.asc
Description: PGP signature