Re: [RFC] kconfig: add hardened defconfig helpers

From: Masahiro Yamada
Date: Sun Jul 22 2018 - 21:57:00 EST

Next message: AKASHI Takahiro: "[PATCH v4 0/5] arm64: kexec,kdump: fix boot failures on acpi-only system"
Previous message: NeilBrown: "[PATCH net-next] rhashtable: detect when object movement between tables might have invalidated a lookup"
In reply to: Eric W. Biederman: "Re: [RFC] kconfig: add hardened defconfig helpers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

2018-07-20 14:15 GMT+09:00 Kees Cook <keescook@xxxxxxxxxxxx>:
> +lkml, Masahiro, and linux-doc, just for wider review/thoughts.

I do not subscribe to kernel-hardening ML.

I do not see the original patch in lkml or kbuild/kconfig ML.

> On Wed, Jul 18, 2018 at 10:38 AM, Salvatore Mesoraca
> <s.mesoraca16@xxxxxxxxx> wrote:
>> Adds 4 new defconfig helpers (hardenedlowconfig,
>> hardenedmediumconfig, hardenedhighconfig,
>> hardenedextremeconfig) to enable various hardening
>> features.
>> The list of config options to enable is based on
>> KSPP's Recommended Settings[1] and on
>> kconfig-hardened-check[2], with some modifications.
>> These options are divided into 4 levels (low, medium,
>> high, extreme) based on their negative side effects, not
>> on their usefulness.
>> 'Low' level collects all those protections that have
>> (almost) no negative side effects.
>
> Likely the "Low" should be on-by-default already, but it's easier to
> bike-shed that separately. :)
>
>> 'Extreme' level collects those protections that may have
>> some many negative side effects that most people
>> wouldn't want to enable them.
>> Every feature in each level is briefly documented in
>> Documentation/security/hardenedconfig.rst, this file
>> also contain a better explanation of what every level
>> means.
>> To prevent this file from drifting from what the various
>> defconfigs actually do, it is used to dynamically
>> generate the config fragments.
>
> I like that the configs are generated from the docs! This makes things
> very sane to update.
>
>>
>> [1] http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
>> [2] https://github.com/a13xp0p0v/kconfig-hardened-check
>>
>> Signed-off-by: Salvatore Mesoraca <s.mesoraca16@xxxxxxxxx>
>> ---
>> .gitignore | 6 +
>> Documentation/security/hardenedconfig.rst | 1027 ++++++++++++++++++++++++++++
>> Documentation/security/index.rst | 1 +
>> Makefile | 6 +-
>> scripts/kconfig/Makefile | 72 +-
>> scripts/kconfig/build_hardened_fragment.sh | 54 ++
>> 6 files changed, 1143 insertions(+), 23 deletions(-)
>> create mode 100644 Documentation/security/hardenedconfig.rst
>> create mode 100755 scripts/kconfig/build_hardened_fragment.sh
>>

--
Best Regards
Masahiro Yamada

Next message: AKASHI Takahiro: "[PATCH v4 0/5] arm64: kexec,kdump: fix boot failures on acpi-only system"
Previous message: NeilBrown: "[PATCH net-next] rhashtable: detect when object movement between tables might have invalidated a lookup"
In reply to: Eric W. Biederman: "Re: [RFC] kconfig: add hardened defconfig helpers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]