Re: [RFC] kconfig: add hardened defconfig helpers

2018-07-20 14:15 GMT+09:00 Kees Cook <keescook@xxxxxxxxxxxx>:
> +lkml, Masahiro, and linux-doc, just for wider review/thoughts.


I do not subscribe to kernel-hardening ML.

I do not see the original patch in lkml or kbuild/kconfig ML.


> On Wed, Jul 18, 2018 at 10:38 AM, Salvatore Mesoraca
> <s.mesoraca16@xxxxxxxxx> wrote:
>> Adds 4 new defconfig helpers (hardenedlowconfig,
>> hardenedmediumconfig, hardenedhighconfig,
>> hardenedextremeconfig) to enable various hardening
>> features.
>> The list of config options to enable is based on
>> KSPP's Recommended Settings[1] and on
>> kconfig-hardened-check[2], with some modifications.
>> These options are divided into 4 levels (low, medium,
>> high, extreme) based on their negative side effects, not
>> on their usefulness.
>> 'Low' level collects all those protections that have
>> (almost) no negative side effects.
>
> Likely the "Low" should be on-by-default already, but it's easier to
> bike-shed that separately. :)
>
>> 'Extreme' level collects those protections that may have
>> so many negative side effects that most people
>> wouldn't want to enable them.
>> Every feature in each level is briefly documented in
>> Documentation/security/hardenedconfig.rst; this file
>> also contains a better explanation of what every level
>> means.
>> To prevent this file from drifting from what the various
>> defconfigs actually do, it is used to dynamically
>> generate the config fragments.
>
> I like that the configs are generated from the docs! This makes things
> very sane to update.
>
>>
>> [1] http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
>> [2] https://github.com/a13xp0p0v/kconfig-hardened-check
>>
>> Signed-off-by: Salvatore Mesoraca <s.mesoraca16@xxxxxxxxx>
>> ---
>>  .gitignore                                 |    6 +
>>  Documentation/security/hardenedconfig.rst  | 1027 ++++++++++++++++++++++++++++
>>  Documentation/security/index.rst           |    1 +
>>  Makefile                                   |    6 +-
>>  scripts/kconfig/Makefile                   |   72 +-
>>  scripts/kconfig/build_hardened_fragment.sh |   54 ++
>>  6 files changed, 1143 insertions(+), 23 deletions(-)
>>  create mode 100644 Documentation/security/hardenedconfig.rst
>>  create mode 100755 scripts/kconfig/build_hardened_fragment.sh
>>

-- 
Best Regards
Masahiro Yamada
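The generate-from-docs scheme the commit message describes, as an added example that is not the patch's own scripts/kconfig/build_hardened_fragment.sh (the real script and the real layout of hardenedconfig.rst are not shown in this thread). It assumes a hypothetical one-option-per-line doc layout with a "[level]" tag, builds one cumulative fragment per level (low, medium, high, extreme), and checks a .config against a fragment. The function names build_fragment and check_config and the hardened-<level>.config file names are this example's own choices.

```shell
#!/bin/sh
# Added example, not the patch's scripts/kconfig/build_hardened_fragment.sh:
# derive cumulative hardened config fragments from a documentation file in
# which every option line carries a level tag, then check a .config against
# one of them. The doc layout below is an assumption made for this example;
# the real hardenedconfig.rst layout is not shown in the thread.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DOC="$WORK/hardenedconfig.rst"

# Constructed sample of the assumed layout: "CONFIG_SYM=value  [level]".
cat >"$DOC" <<'EOF'
CONFIG_STACKPROTECTOR_STRONG=y   [low]
CONFIG_STRICT_KERNEL_RWX=y       [low]
CONFIG_DEVKMEM=n                 [low]
CONFIG_DEBUG_LIST=y              [medium]
CONFIG_SLAB_FREELIST_RANDOM=y    [medium]
CONFIG_FORTIFY_SOURCE=y          [high]
CONFIG_STATIC_USERMODEHELPER=y   [extreme]
EOF

# Levels are ordered by side effects; each level includes the ones below it.
level_rank() {
    case "$1" in
        low) echo 1 ;;
        medium) echo 2 ;;
        high) echo 3 ;;
        extreme) echo 4 ;;
        *) echo "unknown level: $1" >&2; return 1 ;;
    esac
}

# build_fragment DOC LEVEL: print the cumulative fragment for LEVEL on stdout.
# "=n" entries are emitted in the "# CONFIG_SYM is not set" form that
# scripts/kconfig/merge_config.sh and olddefconfig understand.
build_fragment() {
    want=$(level_rank "$2")
    while read -r opt tag; do
        case "$opt" in ""|"#"*) continue ;; esac
        lvl=${tag#"["}; lvl=${lvl%"]"}
        [ "$(level_rank "$lvl")" -le "$want" ] || continue
        case "$opt" in
            *=n) echo "# ${opt%=n} is not set" ;;
            *)   echo "$opt" ;;
        esac
    done <"$1"
}

# check_config FRAGMENT CONFIG: report every fragment entry that CONFIG does
# not honour; return 1 if any was reported, 0 if CONFIG satisfies FRAGMENT.
check_config() {
    rc=0
    while read -r line; do
        case "$line" in
            "# "*" is not set")
                sym=${line#"# "}; sym=${sym%" is not set"}
                if grep -q "^$sym=[ym]" "$2"; then
                    echo "FAIL: $sym is enabled"; rc=1
                fi ;;
            *)
                grep -qxF "$line" "$2" || { echo "FAIL: missing $line"; rc=1; } ;;
        esac
    done <"$1"
    return $rc
}

# Generate one fragment per level, as the patch's Makefile targets would.
for level in low medium high extreme; do
    build_fragment "$DOC" "$level" >"$WORK/hardened-$level.config"
done

# Constructed .config that only partially satisfies the 'medium' level.
cat >"$WORK/dot.config" <<'EOF'
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_DEVKMEM=y
CONFIG_DEBUG_LIST=y
# CONFIG_SLAB_FREELIST_RANDOM is not set
EOF

if check_config "$WORK/hardened-medium.config" "$WORK/dot.config"; then
    echo "medium level satisfied"
else
    echo "medium level not satisfied"
fi
```

Because the fragments are derived from the doc, a level can only drift from its documentation if the doc itself changes, which is the property the commit message is after; the check function is the kconfig-hardened-check style audit applied to whichever level was chosen.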