[OS-BUILD PATCHv2] redhat/configs: Enable CONFIG_INIT_STACK_ALL_ZERO for RHEL

2023-04-25 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf redhat/configs: Enable CONFIG_INIT_STACK_ALL_ZERO for RHEL CONFIG_INIT_STACK_ALL_ZERO is a hardening feature which is "intended to eliminate all classes of uninitialized stack variable exploits and information exposures." Recent internal benchmark testing has shown

[OS-BUILD PATCH] redhat/configs: Enable CONFIG_INIT_STACK_ALL_ZERO for RHEL

2023-04-14 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf redhat/configs: Enable CONFIG_INIT_STACK_ALL_ZERO for RHEL CONFIG_INIT_STACK_ALL_ZERO is a hardening feature which is "intended to eliminate all classes of uninitialized stack variable exploits and information exposures." Recent internal benchmark testing has shown

Re: [OS-BUILD PATCH] redhat/configs: Enable CONFIG_X86_KERNEL_IBT for Fedora and ARK

2023-04-13 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2346#note_1352294823 After more upstream discussion, the dwarves workaround looks good enough. I still have an upstream patch under review but it doesn't need to block this MR.

Re: [OS-BUILD PATCH] redhat/configs: Enable CONFIG_X86_KERNEL_IBT for Fedora and ARK

2023-04-11 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2346#note_1348699575 Hm, if I understand correctly the dwarves change is a workaround, whereas my patch is fixing the root cause. If it's working with the dwarves change then I think it should be fine

Re: [OS-BUILD PATCH] redhat/configs: Enable CONFIG_X86_KERNEL_IBT for Fedora and ARK

2023-04-11 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2346#note_1347649524 This combination of newer toolchain with kernel IBT seems to be uncovering a bug in the kernel's ELF note section alignment. I'm working on a fix to post upstream.

Re: [OS-BUILD PATCH] redhat/configs: Disable CONFIG_GCC_PLUGINS

2023-03-14 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2358#note_1313730296 @joe.lawrence right. CONFIG_GCC_PLUGINS only affects whether any of the kernel GCC plugins can be built. It doesn't affect kpatch-build's plugin at all.

[OS-BUILD PATCH] redhat/configs: Enable CONFIG_X86_KERNEL_IBT for Fedora and ARK

2023-03-01 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf redhat/configs: Enable CONFIG_X86_KERNEL_IBT for Fedora and ARK Kernel IBT is a nice kernel hardening feature with virtually no performance impact. Since commit 4fd5f70ce14d ("x86/Kconfig: Enable kernel IBT by default"), it's now enabled by default upstream. Enable it in

Re: [OS-BUILD PATCH 0/0] [redhat] New configs in init/Kconfig

2021-09-03 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1362#note_669116171 Acked-by: Josh Poimboeuf

Re: [OS-BUILD PATCHv2 0/6] Enable hardened configs for Fedora and ARK

2021-03-24 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/961#note_536920780 Thanks for the merge. It looks like the commits were squashed into a single commit? It would have been better to preserve the individual changes.

Re: [OS-BUILD PATCH] [redhat] New configs in lib/Kconfig.debug

2021-03-18 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/799#note_532733670 CONFIG_HARDLOCKUP_DETECTOR is enabled for RHEL8, I'd say enable it for Fedora and ARK.

Re: [OS-BUILD PATCHv2 0/6] Enable hardened configs for Fedora and ARK

2021-03-10 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/961#note_526387406 Linus and Kees have acknowledged it's a valid problem, so I'm thinking we'll get it fixed relatively soon.

Re: [OS-BUILD PATCHv2 0/6] Enable hardened configs for Fedora and ARK

2021-03-10 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/961#note_526313989 Removed the stackleak plugin from the bunch, and reverted the previous structleak plugin.

[OS-BUILD PATCHv2 5/6] Revert "redhat/configs: Enable CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL"

2021-03-10 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf Revert "redhat/configs: Enable CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL" Disable GCC plugins until it becomes possible to build them with a slight GCC mismatch. This reverts commit 2fd1e830288d6a727fa4d02152db9527151697a6. diff

[OS-BUILD PATCHv2 4/6] redhat/configs: Enable CONFIG_PAGE_POISONING for Fedora and ARK

2021-03-10 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf redhat/configs: Enable CONFIG_PAGE_POISONING for Fedora and ARK CONFIG_PAGE_POISONING adds page poisoning to harden against information leaks from freed data. In our internal testing, it had no measurable performance impact. Enable it for Fedora and ARK. Bugzilla:

[OS-BUILD PATCHv2 6/6] Revert "redhat/configs: Enable CONFIG_GCC_PLUGIN_STRUCTLEAK"

2021-03-10 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf Revert "redhat/configs: Enable CONFIG_GCC_PLUGIN_STRUCTLEAK" Disable plugins until it becomes possible to build them with a slight GCC mismatch. This reverts commit 489e997819d13f528ad91c5c4264ec34bca5bba7. diff a/redhat/configs/common/generic/CONFIG_GCC_PLUGIN_STRUCTLEAK

[OS-BUILD PATCHv2 2/6] redhat/configs: Enable CONFIG_BUG_ON_DATA_CORRUPTION for Fedora and ARK

2021-03-10 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf redhat/configs: Enable CONFIG_BUG_ON_DATA_CORRUPTION for Fedora and ARK CONFIG_BUG_ON_DATA_CORRUPTION turns on corruption detection for all linked lists. In our internal testing, it had no measurable impact on performance. Enable it for Fedora and ARK. Bugzilla:

[OS-BUILD PATCHv2 3/6] redhat/configs: Enable CONFIG_SLAB_FREELIST_HARDENED for ARK

2021-03-10 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf redhat/configs: Enable CONFIG_SLAB_FREELIST_HARDENED for ARK CONFIG_SLAB_FREELIST_HARDENED adds hardening to the slab allocator. In our internal testing, it had no measurable performance impact. It's already enabled for Fedora; enable it for ARK as well. Bugzilla:

[OS-BUILD PATCHv2 1/6] redhat/configs: Enable CONFIG_SCHED_STACK_END_CHECK for Fedora and ARK

2021-03-10 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf redhat/configs: Enable CONFIG_SCHED_STACK_END_CHECK for Fedora and ARK CONFIG_SCHED_STACK_END_CHECK checks for stack overrun in calls to schedule(). In internal testing, it had no measurable performance impact. Enable it for Fedora and ARK. Bugzilla:

[OS-BUILD PATCHv2 0/6] Enable hardened configs for Fedora and ARK

2021-03-10 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf on gitlab.com Merge Request: https://gitlab.com/cki-project/kernel-ark/-/merge_requests/961 Improve Fedora and ARK kernel hardening by enabling the following configs: CONFIG_GCC_PLUGIN_STACKLEAK CONFIG_SCHED_STACK_END_CHECK CONFIG_BUG_ON_DATA_CORRUPTION

Re: [OS-BUILD PATCH 0/5] Enable hardened configs for Fedora and ARK

2021-03-10 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/961#note_526305805 Fair enough. I can disable all the GCC_PLUGIN options for now, until we get the issue sorted upstream.

[OS-BUILD PATCH 0/5] Enable hardened configs for Fedora and ARK

2021-03-09 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf on gitlab.com Merge Request: https://gitlab.com/cki-project/kernel-ark/-/merge_requests/961 Improve Fedora and ARK kernel hardening by enabling the following configs: CONFIG_GCC_PLUGIN_STACKLEAK CONFIG_SCHED_STACK_END_CHECK CONFIG_BUG_ON_DATA_CORRUPTION

[OS-BUILD PATCH 5/5] redhat/configs: Enable CONFIG_PAGE_POISONING for Fedora and ARK

2021-03-09 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf redhat/configs: Enable CONFIG_PAGE_POISONING for Fedora and ARK CONFIG_PAGE_POISONING adds page poisoning to harden against information leaks from freed data. In our internal testing, it had no measurable performance impact. Enable it for Fedora and ARK. Bugzilla:

[OS-BUILD PATCH 4/5] redhat/configs: Enable CONFIG_SLAB_FREELIST_HARDENED for ARK

2021-03-09 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf redhat/configs: Enable CONFIG_SLAB_FREELIST_HARDENED for ARK CONFIG_SLAB_FREELIST_HARDENED adds hardening to the slab allocator. In our internal testing, it had no measurable performance impact. It's already enabled for Fedora; enable it for ARK as well. Bugzilla:

[OS-BUILD PATCH 2/5] redhat/configs: Enable CONFIG_SCHED_STACK_END_CHECK for Fedora and ARK

2021-03-09 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf redhat/configs: Enable CONFIG_SCHED_STACK_END_CHECK for Fedora and ARK CONFIG_SCHED_STACK_END_CHECK checks for stack overrun in calls to schedule(). In internal testing, it had no measurable performance impact. Enable it for Fedora and ARK. Signed-off-by: Josh Poimboeuf

[OS-BUILD PATCH 3/5] redhat/configs: Enable CONFIG_BUG_ON_DATA_CORRUPTION for Fedora and ARK

2021-03-09 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf redhat/configs: Enable CONFIG_BUG_ON_DATA_CORRUPTION for Fedora and ARK CONFIG_BUG_ON_DATA_CORRUPTION turns on corruption detection for all linked lists. In our internal testing, it had no measurable impact on performance. Enable it for Fedora and ARK. Signed-off-by:

[OS-BUILD PATCH 1/5] redhat/configs: Enable CONFIG_GCC_PLUGIN_STACKLEAK for Fedora and ARK

2021-03-09 Thread Josh Poimboeuf (via Email Bridge)
From: Josh Poimboeuf redhat/configs: Enable CONFIG_GCC_PLUGIN_STACKLEAK for Fedora and ARK CONFIG_GCC_PLUGIN_STACKLEAK poisons the kernel stack before returning from syscalls. In our internal testing, it had no measurable performance impact. Enable it for Fedora and ARK. Bugzilla: