On 2017-08-24 9:23 AM, Sandy Harris wrote:
> At some point, these patches may become unnecessary & perhaps some of
> them already are. There is ongoing work aimed at getting related
> patches into the mainline Linux kernel.
>
> Wiki: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
> Mailing list: http://www.openwall.com/lists/kernel-hardening/
>
> It is possible that in the long term helping with that work would be a
> better use of time than the porting effort. On the other hand it seems
> likely that the port is a good idea for now.
>
Just an FYI, but most of the KSPP-recommended kernel options that aren't enabled by default (that exist in the 4.9 branch; not all of them do, since others debut in 4.10+) are enabled in the 4.9 Qubes kernel that's already been pushed out. It isn't much, but it's better than nothing, and if it's already included in there for free, then why not use it?

Also, later kernel versions (4.11+) have already included some of the work from the Linux Hardened project, and if people are compiling newer kernels, they can include the patches that haven't yet made it into upstream from here in their own builds if they like: https://github.com/copperhead/linux-hardened/releases

I used to keep track of that in my devel-4.11-hard branch, but when newer kernel versions are released, the Linux Hardened project abandons the old branch in favor of the newer branch and stops releasing patches for it, even though the older version will be supported for another two releases. So I just stopped doing it, since the last 4.11 version doesn't work with the last 4.11 hardened patch set, nor the first 4.12 patch set, and it isn't worth it to migrate the new stuff since 4.11 is EOL anyway, which is why my branch of that isn't as up-to-date as it could or should be.

Instead, people can decide for themselves if they want to include them in their kernel builds or not; it's easy to add your own patches with the Qubes kernel build system (just add the path to the patch to the series.conf file).
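The two practical points in the reply above, checking which KSPP options a given kernel .config actually enables and adding an out-of-tree patch to series.conf, can be scripted. The following is an added example written for this thread, not code from the Qubes project or the Linux Hardened project. The option list is a constructed subset of KSPP recommendations (the authoritative list is on the KSPP wiki linked above), the sample .config fragment is constructed, the one-patch-path-per-line layout of series.conf is an assumption about the Qubes build system, and the patch file name is a placeholder.

```sh
#!/bin/sh
# Added example: audit a kernel .config against a hardening option list and
# register an extra patch in a series.conf-style file. Not part of the
# original post or of any project's tooling.

# Constructed subset of KSPP-recommended options (see the KSPP wiki for the
# real, version-specific list).
HARDENING_OPTS="CONFIG_HARDENED_USERCOPY CONFIG_RANDOMIZE_BASE CONFIG_SLAB_FREELIST_RANDOM CONFIG_DEBUG_LIST CONFIG_CC_STACKPROTECTOR_STRONG CONFIG_PAGE_POISONING"

# Write a constructed .config fragment so the example runs offline.
make_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_HARDENED_USERCOPY=y
CONFIG_RANDOMIZE_BASE=y
# CONFIG_SLAB_FREELIST_RANDOM is not set
CONFIG_DEBUG_LIST=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
EOF
}

# Print every option from HARDENING_OPTS that is not "=y" in the .config.
# A .config expresses three states, and the distinction matters: "not set"
# means the option exists but was turned off (fixable in the config), while
# a completely absent symbol usually means that kernel version lacks the
# feature and a newer kernel or a backport would be needed.
missing_options() {
    config="$1"
    for opt in $HARDENING_OPTS; do
        if grep -q "^${opt}=y$" "$config"; then
            continue
        elif grep -q "^# ${opt} is not set$" "$config" || grep -q "^${opt}=n$" "$config"; then
            echo "$opt (disabled)"
        else
            echo "$opt (absent: not available in this kernel version?)"
        fi
    done
}

# Number of options from HARDENING_OPTS that are not enabled.
count_missing() {
    missing_options "$1" | grep -c .
}

# Append a patch path to a series.conf-style file unless already listed.
# Assumes one patch path per line, applied in file order (assumption about
# the Qubes kernel build system; adjust if its format differs).
add_patch_to_series() {
    series="$1"
    patch="$2"
    [ -f "$series" ] || : > "$series"
    if grep -qxF "$patch" "$series"; then
        echo "already listed: $patch"
    else
        echo "$patch" >> "$series"
        echo "added: $patch"
    fi
}

# Demo run against the constructed config and a scratch series.conf.
demo() {
    tmp=$(mktemp -d)
    make_sample_config "$tmp/config"
    echo "options not enabled in $tmp/config:"
    missing_options "$tmp/config"
    echo "total missing: $(count_missing "$tmp/config")"
    # Placeholder file name; a real build would point at an actual patch.
    add_patch_to_series "$tmp/series.conf" "patches/linux-hardened-PLACEHOLDER.patch"
    add_patch_to_series "$tmp/series.conf" "patches/linux-hardened-PLACEHOLDER.patch"
    rm -rf "$tmp"
}

demo
```

Run it against a real kernel config with `missing_options /boot/config-$(uname -r)` (or the .config in the build tree) to see which of the listed options that kernel lacks; the "disabled" versus "absent" split tells you whether the fix is a config change or a newer kernel.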