From: Daniel Axtens <dja@axtens.net>
To: Michael Ellerman <mpe@ellerman.id.au>, linuxppc-dev@ozlabs.org
Cc: nayna@linux.ibm.com, oohall@gmail.com, joel@jms.id.au
Subject: Re: [PATCH 7/9] powerpc/configs/skiroot: Enable security features
Date: Thu, 16 Jan 2020 16:00:32 +1100 [thread overview]
Message-ID: <871rs0knbj.fsf@dja-thinkpad.axtens.net> (raw)
In-Reply-To: <20200116014808.15756-7-mpe@ellerman.id.au>
Michael Ellerman <mpe@ellerman.id.au> writes:
> From: Joel Stanley <joel@jms.id.au>
>
> This turns on HARDENED_USERCOPY with HARDENED_USERCOPY_PAGESPAN, and
> FORTIFY_SOURCE.
>
> It also enables SECURITY_LOCKDOWN_LSM with _EARLY and
> LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY options enabled.
>
As I said before, this will disable xmon entirely. If we want to set
this, we should compile out xmon. But if we want xmon in read-only mode
to be an option, we should pick integrity mode.
I don't really mind, because I don't work with skiroot very
much. Oliver, Joel, Nayna, you all do stuff around this sort of level -
is this a problem for any of you?
Regards,
Daniel
> MODULE_SIG is selected by lockdown, so it is still enabled.
>
> Signed-off-by: Joel Stanley <joel@jms.id.au>
> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
> ---
> arch/powerpc/configs/skiroot_defconfig | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig
> index 24a210fe0049..bd661a9a9410 100644
> --- a/arch/powerpc/configs/skiroot_defconfig
> +++ b/arch/powerpc/configs/skiroot_defconfig
> @@ -49,7 +49,6 @@ CONFIG_JUMP_LABEL=y
> CONFIG_STRICT_KERNEL_RWX=y
> CONFIG_MODULES=y
> CONFIG_MODULE_UNLOAD=y
> -CONFIG_MODULE_SIG=y
> CONFIG_MODULE_SIG_FORCE=y
> CONFIG_MODULE_SIG_SHA512=y
> CONFIG_PARTITION_ADVANCED=y
> @@ -272,6 +271,16 @@ CONFIG_NLS_ASCII=y
> CONFIG_NLS_ISO8859_1=y
> CONFIG_NLS_UTF8=y
> CONFIG_ENCRYPTED_KEYS=y
> +CONFIG_SECURITY=y
> +CONFIG_HARDENED_USERCOPY=y
> +# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
> +CONFIG_HARDENED_USERCOPY_PAGESPAN=y
> +CONFIG_FORTIFY_SOURCE=y
> +CONFIG_SECURITY_LOCKDOWN_LSM=y
> +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
> +CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
> +# CONFIG_INTEGRITY is not set
> +CONFIG_LSM="yama,loadpin,safesetid,integrity"
> # CONFIG_CRYPTO_HW is not set
> CONFIG_CRC16=y
> CONFIG_CRC_ITU_T=y
> --
> 2.21.1
next prev parent reply other threads:[~2020-01-16 5:04 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-16 1:48 [PATCH 1/9] powerpc/configs: Drop CONFIG_QLGE which moved to staging Michael Ellerman
2020-01-16 1:48 ` [PATCH 2/9] powerpc/configs: NET_CADENCE became NET_VENDOR_CADENCE Michael Ellerman
2020-01-16 1:54 ` Joel Stanley
2020-01-16 1:48 ` [PATCH 3/9] powerpc/configs: Drop NET_VENDOR_HP which moved to staging Michael Ellerman
2020-01-16 1:54 ` Joel Stanley
2020-01-16 1:48 ` [PATCH 4/9] powerpc/configs/skiroot: Drop HID_LOGITECH Michael Ellerman
2020-01-16 1:55 ` Joel Stanley
2020-01-16 1:48 ` [PATCH 5/9] powerpc/configs/skiroot: Drop default n CONFIG_CRYPTO_ECHAINIV Michael Ellerman
2020-01-16 1:55 ` Joel Stanley
2020-01-16 1:48 ` [PATCH 6/9] powerpc/configs/skiroot: Update for symbol movement only Michael Ellerman
2020-01-16 1:52 ` Joel Stanley
2020-01-16 1:48 ` [PATCH 7/9] powerpc/configs/skiroot: Enable security features Michael Ellerman
2020-01-16 5:00 ` Daniel Axtens [this message]
2020-01-16 7:10 ` Oliver O'Halloran
2020-01-16 7:14 ` Joel Stanley
2020-01-16 1:48 ` [RFC PATCH 8/9] powerpc/configs/skiroot: Disable xmon default & enable reboot on panic Michael Ellerman
2020-01-16 1:53 ` Joel Stanley
2020-01-16 1:48 ` [RFC PATCH 9/9] powerpc/configs/skiroot: Enable some more hardening options Michael Ellerman
2020-01-16 1:51 ` Joel Stanley
2020-01-21 4:21 ` Michael Ellerman
2020-01-16 1:54 ` [PATCH 1/9] powerpc/configs: Drop CONFIG_QLGE which moved to staging Joel Stanley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871rs0knbj.fsf@dja-thinkpad.axtens.net \
--to=dja@axtens.net \
--cc=joel@jms.id.au \
--cc=linuxppc-dev@ozlabs.org \
--cc=mpe@ellerman.id.au \
--cc=nayna@linux.ibm.com \
--cc=oohall@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).