Date: Mon, 23 Jul 2018 10:55:55 +0900 From: Masahiro Yamada <yamada.masahiro@...ionext.com> To: Kees Cook <keescook@...omium.org> Cc: Salvatore Mesoraca <s.mesoraca16@...il.com>, Kernel Hardening <kernel-hardening@...ts.openwall.com>, Laura Abbott <labbott@...hat.com>, LKML <linux-kernel@...r.kernel.org>, "open list:DOCUMENTATION" <linux-doc@...r.kernel.org> Subject: Re: [RFC] kconfig: add hardened defconfig helpers 2018-07-20 14:15 GMT+09:00 Kees Cook <keescook@...omium.org>: > +lkml, Masahiro, and linux-doc, just for wider review/thoughts. I do not subscribe to kernel-hardening ML. I do not see the original patch in lkml or kbuild/kconfig ML. > On Wed, Jul 18, 2018 at 10:38 AM, Salvatore Mesoraca > <s.mesoraca16@...il.com> wrote: >> Adds 4 new defconfig helpers (hardenedlowconfig, >> hardenedmediumconfig, hardenedhighconfig, >> hardenedextremeconfig) to enable various hardening >> features. >> The list of config options to enable is based on >> KSPP's Recommended Settings and on >> kconfig-hardened-check, with some modifications. >> These options are divided into 4 levels (low, medium, >> high, extreme) based on their negative side effects, not >> on their usefulness. >> 'Low' level collects all those protections that have >> (almost) no negative side effects. > > Likely the "Low" should be on-by-default already, but it's easier to > bike-shed that separately. :) > >> 'Extreme' level collects those protections that may have >> some many negative side effects that most people >> wouldn't want to enable them. >> Every feature in each level is briefly documented in >> Documentation/security/hardenedconfig.rst, this file >> also contain a better explanation of what every level >> means. >> To prevent this file from drifting from what the various >> defconfigs actually do, it is used to dynamically >> generate the config fragments. > > I like that the configs are generated from the docs! This makes things > very sane to update. > >> >>  http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings >>  https://github.com/a13xp0p0v/kconfig-hardened-check >> >> Signed-off-by: Salvatore Mesoraca <s.mesoraca16@...il.com> >> --- >> .gitignore | 6 + >> Documentation/security/hardenedconfig.rst | 1027 ++++++++++++++++++++++++++++ >> Documentation/security/index.rst | 1 + >> Makefile | 6 +- >> scripts/kconfig/Makefile | 72 +- >> scripts/kconfig/build_hardened_fragment.sh | 54 ++ >> 6 files changed, 1143 insertions(+), 23 deletions(-) >> create mode 100644 Documentation/security/hardenedconfig.rst >> create mode 100755 scripts/kconfig/build_hardened_fragment.sh >> -- Best Regards Masahiro Yamada
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.