Age | Commit message (Collapse) | Author |
|
According to the kernel self protection page[1], add recommended options to
features/security for aarch64/arm64.
Ref:
[1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings#arm64
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
|
CONFIG_DEBUG_CREDENTIALS
kernel upstream already removed the CONFIG_DEBUG_CREDENTIALS[1],
this causes do_kernel_configcheck report warnings:
[INFO]: the following symbols were not found in the active configuration:
- CONFIG_DEBUG_CREDENTIALS
[1] https://git.kernel.org/linus/ae191417
Kernel's 6.7+ need this change.
Signed-off-by: Yogesh Tyagi <yogesh.tyagi@intel.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
|
Add some configs to harden protection:
CONFIG_HW_RANDOM_TPM=y Exposing the TPM's Random Number Generator as a hwrng device.
CONFIG_DEBUG_WX=y Warn on W+X mappings at boot.
CONFIG_SECURITY_DMESG_RESTRICT=y Restrict unprivileged access to the kernel syslog.
CONFIG_LDISC_AUTOLOAD=n Disable automatically load TTY Line Disciplines.
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
|
CONFIG_DEVMEM was mistakenly not enabled, which defeats
CONFIG_STRICT_DEVMEM and friends, as it completely removes all
/dev/mem support.
Signed-off-by: C. Andy Martin <cam@myfastmail.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
|
[INFO]: the following symbols were not found in the active configuration:
- CONFIG_HARDENED_USERCOPY_FALLBACK
- CONFIG_LEGACY_VSYSCALL_EMULATE
Ref:
https://github.com/torvalds/linux/commit/bf00745e7791fe2ba7941aeead8528075a158bbe
https://github.com/torvalds/linux/commit/53944f171a89dff4e2a3d76f42e6eedb551bb861
Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
|
Upstream is dropping support for is not set, so we adjust our
configs accordingly.
Commit:
https://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild.git/commit/?h=for-next&id=55de8686df7ed2b5237867b130e30c728bbd9db4
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
|
This patch removes the warning message, that pops up if kernel config
'security.scc' is enabled for other architectures than x86_64, e.g. arm64:
WARNING: linux-yocto-${PV}-r0 do_kernel_configcheck: \
[kernel config]: This BSP contains fragments with warnings:
[INFO]: the following symbols were not found in the active configuration:
- CONFIG_LEGACY_VSYSCALL_EMULATE
- CONFIG_LEGACY_VSYSCALL_NONE
Configs 'LEGACY_VSYSCALL_*' are valid only for x86_64 architecture.
Signed-off-by: Kamil Dziezyk <kamil.dziezyk@arm.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
|
Upstream is dropping support for is not set, so we adjust our
configs accordingly.
Commit:
https://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild.git/commit/?h=for-next&id=55de8686df7ed2b5237867b130e30c728bbd9db4
kconfig: change .config format to use =n instead of "is not set"
The .config file uses "# CONFIG_FOO is not set" form to represent
disabled options. In the old days, it was useful because the .config
was directly included from Makefiles. For example, you can use
"ifdef CONFIG_FOO" in Makefiles to check if the option is enabled.
Commit c955ccafc38e ("kconfig: fix .config dependencies") introduced
include/config/auto.conf, which mirrors the .config, but trims down
all disabled options.
Since then, include/config/auto.conf defines CONFIG options during the
build. The .config is used just for storing the user's configuration.
I do not see a strong reason to use a particular pattern of comment
for disabled options.
With this commit, Kconfig will output disable options in a more natural
form, "CONFIG_FOO=n".
Kconfig accepts both "# CONFIG_FOO is not set" and "CONFIG_FOO=n" as a
valid input. You do not need to update arch/*/configs/*_defconfig files
for now. "git bisect" should be able to cross the commit in both ways
without any issue.
A problem may occur if you parse the .config for the "# ... is not set"
patterns.
I adjusted streamline_config.pl, merge_config.sh,
scripts/kconfig/tests/.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Boris Kolpackov <boris@codesynthesis.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
|
This is no longer available since v5.5:
https://github.com/torvalds/linux/commit/fb041bb7c0a918b95c6889fc965cdc4a75b4c0ca
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
|
Signed-off-by: Yann CARDAILLAC <ycnakajsph@gmail.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
|
Disable fallback to gain full whitelist enforcement.
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
|
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
|
|
Rename and let kernel config determine the right option to enable as per:
https://github.com/torvalds/linux/commit/2a61f4747eeaa85ce26ca9fbd81421b15facd018
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
|
|
Add a feature that enables/disables configurations that impact kernel
security with an aim of decreasing the attack surface.
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
|