Public
Authored by Yves-Alexis Perez

kconfig-hardened-check

Result of the kconfig-hardened-check script (https://github.com/a13xp0p0v/kconfig-hardened-check)

Edited
8.33 KB
    • CONFIG_SIG_* are WIP and tied to secure boot
    • CONFIG_GCC_PLUGIN* need work because plugins need to be shipped in a binary package (maybe linux-kbuild or a new package) and out-of-tree modules need to be built with the same version the plugins were built with, which can be hard to track in stable and unstable
    • CONFIG_DEBUG_* could maybe be enabled, not sure yet of the impact
    • CONFIG_SLUB_DEBUG_ON is not a good idea, rather use slub_debug=P on command line (see https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings#kernel_command_line_options)
    • CONFIG_PROC_KCORE: not sure it's really more useful than dangerous these days
    • Some features marked as =m might be dangerous in some cases but we can't really disable them in a generic distribution like Debian; preventing autoloading is already nice
    • Other features marked as =y: same thing, not sure we can disable them on Debian
  • Actually CONFIG_SIG is set in debian/rules.gen following the signed-code setting in [build] section of the arch defines. signed-code is enabled in 4.17 (we use SHA256, not SHA512 but it's not really relevant I think).

    Edited by Yves-Alexis Perez
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment