Re: [linux-yocto] [PATCH v2] features/security: Add more kernel hardening fragments

2019-06-27 Thread Bruce Ashfield
On Wed, Jun 26, 2019 at 11:02 PM  wrote:
>
> From: He Zhe 
>
> Signed-off-by: He Zhe 
> ---
> v2: Add a note for people using uvesafb or other similar things.
>

merged.

Bruce

>  features/security/security.cfg | 18 ++
>  1 file changed, 18 insertions(+)
>
> diff --git a/features/security/security.cfg b/features/security/security.cfg
> index 87408b6..0a4e246 100644
> --- a/features/security/security.cfg
> +++ b/features/security/security.cfg
> @@ -11,6 +11,7 @@ CONFIG_SLAB_FREELIST_HARDENED=y
>
>  # Stack Protector is for buffer overflow detection and hardening
>  CONFIG_STACKPROTECTOR=y
> +CONFIG_STACKPROTECTOR_STRONG=y
>
>  # Perform extensive checks on reference counting
>  CONFIG_REFCOUNT_FULL=y
> @@ -34,6 +35,8 @@ CONFIG_LEGACY_VSYSCALL_NONE=y
>  # CONFIG_INET_DIAG is not set
>
>  # Do not allow direct physical memory access (enable only STRICT mode...)
> +# Note that drivers like uvesafb/v86d depending on direct physical memory
> +# access would be affected.
>  # CONFIG_DEVMEM is not set
>  CONFIG_STRICT_DEVMEM=y
>  CONFIG_IO_STRICT_DEVMEM=y
> @@ -44,3 +47,18 @@ CONFIG_DEBUG_LIST=y
>  CONFIG_DEBUG_SG=y
>  CONFIG_DEBUG_NOTIFIERS=y
>  CONFIG_DEBUG_CREDENTIALS=y
> +
> +# Information exposure
> +CONFIG_PAGE_POISONING=y
> +
> +# Kernel Address Space Layout Randomization (KASLR)
> +CONFIG_RANDOMIZE_BASE=y
> +CONFIG_RANDOMIZE_MEMORY=y
> +
> +# Direct kernel overwrite
> +CONFIG_STRICT_KERNEL_RWX=y
> +CONFIG_STRICT_MODULE_RWX=y
> +
> +# Meltdown and Spectre
> +CONFIG_PAGE_TABLE_ISOLATION=y
> +CONFIG_RETPOLINE=y
> --
> 2.7.4
>


-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
-- 
___
linux-yocto mailing list
linux-yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/linux-yocto


[linux-yocto] [PATCH v2] features/security: Add more kernel hardening fragments

2019-06-26 Thread zhe.he
From: He Zhe 

Signed-off-by: He Zhe 
---
v2: Add a note for people using uvesafb or other similar things.

 features/security/security.cfg | 18 ++
 1 file changed, 18 insertions(+)

diff --git a/features/security/security.cfg b/features/security/security.cfg
index 87408b6..0a4e246 100644
--- a/features/security/security.cfg
+++ b/features/security/security.cfg
@@ -11,6 +11,7 @@ CONFIG_SLAB_FREELIST_HARDENED=y
 
 # Stack Protector is for buffer overflow detection and hardening
 CONFIG_STACKPROTECTOR=y
+CONFIG_STACKPROTECTOR_STRONG=y
 
 # Perform extensive checks on reference counting
 CONFIG_REFCOUNT_FULL=y
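Review bot: `CONFIG_STACKPROTECTOR_STRONG=y` is gated in Kconfig on the toolchain supporting `-fstack-protector-strong`; if the compiler lacks it the line is silently dropped when the fragment is merged and the build falls back to the plain protector, so the comment above `CONFIG_STACKPROTECTOR=y` should mention that dependency. It would also help to say why the strong variant is wanted: it instruments every function that has a local array or takes the address of a local, not only those with character arrays, at a small code-size and performance cost.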
@@ -34,6 +35,8 @@ CONFIG_LEGACY_VSYSCALL_NONE=y
 # CONFIG_INET_DIAG is not set
 
 # Do not allow direct physical memory access (enable only STRICT mode...)
+# Note that drivers like uvesafb/v86d depending on direct physical memory
+# access would be affected.
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
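Review bot: the new uvesafb/v86d note should say what actually breaks and why: with `# CONFIG_DEVMEM is not set` there is no /dev/mem at all, and v86d needs it to execute the video BIOS, so uvesafb stops working rather than merely being "affected". It is also worth stating that `CONFIG_STRICT_DEVMEM=y` and `CONFIG_IO_STRICT_DEVMEM=y` depend on DEVMEM and so have no effect here; they only act as a fallback for a BSP that re-enables /dev/mem, which is presumably what the "(enable only STRICT mode...)" comment is hinting at, but a reader of the fragment cannot tell that today.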
@@ -44,3 +47,18 @@ CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_CREDENTIALS=y
+
+# Information exposure
+CONFIG_PAGE_POISONING=y
+
+# Kernel Address Space Layout Randomization (KASLR)
+CONFIG_RANDOMIZE_BASE=y
+CONFIG_RANDOMIZE_MEMORY=y
+
+# Direct kernel overwrite
+CONFIG_STRICT_KERNEL_RWX=y
+CONFIG_STRICT_MODULE_RWX=y
+
+# Meltdown and Spectre
+CONFIG_PAGE_TABLE_ISOLATION=y
+CONFIG_RETPOLINE=y
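Review bot: the architecture and boot-time dependencies of the new options are not documented. `CONFIG_RANDOMIZE_MEMORY=y` is x86_64-only and `CONFIG_PAGE_TABLE_ISOLATION=y` and `CONFIG_RETPOLINE=y` are x86-only (RETPOLINE additionally needs a compiler with retpoline support), so on an ARM or other BSP kconfig drops them silently and the "Meltdown and Spectre" comment gives a false sense of coverage; a comment saying so, or an arch-specific fragment, would avoid that. `CONFIG_PAGE_POISONING=y` on its own only compiles the feature in; it stays inactive until the kernel is booted with `page_poison=1`, so the "Information exposure" comment should mention the boot parameter or the fragment should be paired with a kernel command-line change.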
-- 
2.7.4
