On Mon, Apr 15, 2019 at 11:44 AM Alexander Popov <alex.popov@xxxxxxxxx> wrote:
>
> On 11.04.2019 21:01, Kees Cook wrote:
> > Right now kernel hardening options are scattered around various Kconfig
> > files. This can be a central place to collect these kinds of options
> > going forward. This is initially populated with the memory initialization
> > options from the gcc-plugins.
> >
> > Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
>
> Hello Kees, hello everyone!
>
> After applying this series the kernel config looks like that:
>
> ...
> ...
> CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
>
> #
> # Kernel hardening options
> #
>
> #
> # Memory initialization
> #
> CONFIG_INIT_STACK_NONE=y
> # CONFIG_GCC_PLUGIN_STRUCTLEAK_USER is not set
> # CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF is not set
> # CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL is not set
> # CONFIG_GCC_PLUGIN_STACKLEAK is not set
> CONFIG_CRYPTO=y
>
> #
> # Crypto core or helper
> #
> CONFIG_CRYPTO_ALGAPI=y
> ...
> ...
>
> What do you think about some separator between memory initialization options and
> CONFIG_CRYPTO?

This was true before too:

...
# CONFIG_DEFAULT_SECURITY_DAC is not set
CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
CONFIG_XOR_BLOCKS=y
CONFIG_ASYNC_CORE=y
CONFIG_ASYNC_MEMCPY=y
CONFIG_ASYNC_XOR=y
CONFIG_ASYNC_PQ=y
CONFIG_ASYNC_RAID6_RECOV=y
CONFIG_CRYPTO=y
...

Perhaps crypto/Kconfig's comment line could move to the top of the file?
comment "Crypto core or helper" is what generates the separator...

-- 
Kees Cook