In message: [linux-yocto][yocto-kernel-cache][yocto-6.1 master][PATCH 0/1] feature/security: add configs to harden protection on 16/01/2024 Xiangyu Chen wrote:
> From: Xiangyu Chen <xiangyu.c...@windriver.com>
>
> Hi Bruce,
>
> After using kernel-hardening-checker[1] utils to check current configs, we
> picked up some configs from failure case to
> feature/security/security.cfg to improve the kernel security.
>
> Following configs no impact on performance but can improve kernel security:
>
> CONFIG_HW_RANDOM_TPM=y Exposing the TPM's Random Number Generator(if have) as
> a hwrng device.
> CONFIG_DEBUG_WX=y Warn on W+X mappings at boot.
> CONFIG_SECURITY_DMESG_RESTRICT=y Restrict unprivileged access to the kernel
> syslog.
> CONFIG_LDISC_AUTOLOAD=n Disable automatically load TTY Line Disciplines.

Since these aren't on by default in the standard / preempt-rt
kernel configuration, I have no objections to them being added
to the fragment.

I've merged them to all branches 6.1+

Bruce

>
>
> Thanks!
>
> Ref:
> [1] https://github.com/a13xp0p0v/kernel-hardening-checker
>
> Xiangyu Chen (1):
>   feature/security: add configs to harden protection
>
>  features/security/security.cfg | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
>
> --
> 2.35.5
>
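Added example, not part of either message or of the yocto-kernel-cache tree: a small checker that verifies a generated `.config` carries the four values listed above. It handles the case that a fragment's `=n` shows up in the final `.config` as `# CONFIG_X is not set` (or not at all); the sample config and the function names are constructed for illustration.

```python
import re

# Expected values: the four options listed in the message above.
EXPECTED = {
    "CONFIG_HW_RANDOM_TPM": "y",
    "CONFIG_DEBUG_WX": "y",
    "CONFIG_SECURITY_DMESG_RESTRICT": "y",
    "CONFIG_LDISC_AUTOLOAD": "n",
}

SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")

# Constructed sample of a generated .config (not taken from a real build).
SAMPLE_CONFIG = """\
CONFIG_HW_RANDOM=y
CONFIG_HW_RANDOM_TPM=y
# CONFIG_DEBUG_WX is not set
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_LDISC_AUTOLOAD=y
"""


def parse_config(text):
    """Map each symbol to its value; '# CONFIG_X is not set' becomes 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if m := SET_RE.match(line):
            opts[m.group(1)] = m.group(2).strip('"')
        elif m := UNSET_RE.match(line):
            opts[m.group(1)] = "n"
    return opts


def check(text, expected=EXPECTED):
    """Return {symbol: (found_value, ok)} for every expected symbol."""
    opts = parse_config(text)
    report = {}
    for name, want in expected.items():
        # A symbol missing from .config is not enabled, so treat it as 'n'.
        got = opts.get(name, "n")
        report[name] = (got, got == want)
    return report


if __name__ == "__main__":
    for name, (got, ok) in check(SAMPLE_CONFIG).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: found {got}, want {EXPECTED[name]}")
```

A `=y` option that is absent from the generated `.config` usually means a dependency was not met, so the check reports it as a failure rather than skipping it.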