From: Sam James
To: Kees Cook
Cc: Salvatore Mesoraca, x86@kernel.org, linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org, linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, kernel@gentoo.org
Subject: Re: [PATCH] hardening: Provide Kconfig fragments for basic options
Date: Sat, 02 Sep 2023 07:35:07 +0100
Organization: Gentoo
Message-ID: <87ledpcc92.fsf@gentoo.org>
In-reply-to: <20230825050618.never.197-kees@kernel.org>
References: <20230825050618.never.197-kees@kernel.org>

Kees Cook writes:

> Inspired by Salvatore Mesoraca's earlier[1] efforts to provide some
> in-tree guidance for kernel hardening Kconfig options, add a new fragment
> named "hardening-basic.config" (along with some arch-specific fragments)
> that enable a basic set of kernel hardening options that have the least
> (or no) performance impact and remove a reasonable set of legacy APIs.
>
> Using this fragment is as simple as running "make hardening.config".
>
> More extreme fragments can be added[2] in the future to cover all the
> recognized hardening options, and more per-architecture files can be
> added too.
>
> For now, document the fragments directly via comments. Perhaps .rst
> documentation can be generated from them in the future (rather than the
> other way around).
>

This is likely to make life a bit easier for us downstream in Gentoo,
where we currently supply a patch for KSPP:
https://gitweb.gentoo.org/proj/linux-patches.git/tree/4567_distro-Gentoo-Kconfig.patch?h=6.4#n237.

> [1] https://lore.kernel.org/kernel-hardening/1536516257-30871-1-git-send-email-s.mesoraca16@gmail.com/
> [2] https://github.com/KSPP/linux/issues/14

best,
sam
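
One way to confirm that a merged hardening fragment actually took effect, since options whose dependencies are unmet do not end up in the final .config. This is an added example, not part of the patch or of this thread. `check_fragment` is a hypothetical helper, and the fragment and .config contents are constructed samples, not the contents of hardening-basic.config.

```shell
#!/bin/sh
# check_fragment FRAGMENT CONFIG  (hypothetical helper, not from the patch)
# Prints one line per fragment entry that the final .config does not honour.
# Returns 1 if any entry was not honoured, 0 otherwise.
check_fragment() {
    frag=$1 cfg=$2 rc=0
    while IFS= read -r line; do
        case $line in
            CONFIG_*=*)
                # Requested value must appear verbatim in the final config.
                grep -qxF -- "$line" "$cfg" || { echo "MISMATCH: $line"; rc=1; }
                ;;
            "# CONFIG_"*" is not set")
                # Requested off: the symbol must not be assigned any value.
                sym=${line#"# "}; sym=${sym%% *}
                if grep -q "^${sym}=" "$cfg"; then
                    echo "STILL SET: $sym"; rc=1
                fi
                ;;
        esac
    done < "$frag"
    return $rc
}

demo() {
    dir=$(mktemp -d)
    # Constructed sample fragment (real option names, illustrative selection).
    cat > "$dir/sample.config" <<'EOF'
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_DEVMEM is not set
EOF
    # Constructed final .config: one option was dropped, one is still enabled.
    cat > "$dir/.config" <<'EOF'
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
CONFIG_DEVMEM=y
EOF
    status=0
    check_fragment "$dir/sample.config" "$dir/.config" || status=$?
    rm -rf "$dir"
    return $status
}

demo || echo "fragment not fully applied"
```

Against a real tree, point the first argument at the fragment file and the second at the .config produced after merging it.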