0001-update-distro-Kconfig-with-fresh-security-love.patch
From 46bd81e435ef37e8e2d977082b73357e257375b9 Mon Sep 17 00:00:00 2001 | |
From: Georgy Yakovlev <gyakovlev@gentoo.org> | |
Date: Wed, 22 Dec 2021 21:40:22 -0800 | |
Subject: [PATCH] update distro Kconfig with fresh security love | |
make top level option simply a menu, without a choice. | |
rename GENTOO_KERNEL_SELF_PROTECTION_COMMON to just be | |
GENTOO_KERNEL_SELF_PROTECTION | |
as this is the guard used to disable or enforce some options. | |
enable couple of slub and stack options. | |
make arch-specific sections to default to enabled if | |
GENTOO_KERNEL_SELF_PROTECTION is enabled. | |
add PPC config section. | |
make some options be dropped silently if the ARCH/toolchain does not | |
support them. | |
support LLVM and do not enforce GCC_PLUGINS. | |
with LLVM/clang we'll prefer INIT_STACK_ALL_ZERO , INIT_STACK_ALL_PATTERN | |
in that order if toolchain supports it, instead of relying on GCC | |
plugins. | |
Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org> | |
--- | |
4567_distro-Gentoo-Kconfig.patch | 136 ++++++++++++++++++++++--------- | |
1 file changed, 97 insertions(+), 39 deletions(-) | |
diff --git a/4567_distro-Gentoo-Kconfig.patch b/4567_distro-Gentoo-Kconfig.patch | |
index 24b7509..a68040d 100644 | |
--- a/4567_distro-Gentoo-Kconfig.patch | |
+++ b/4567_distro-Gentoo-Kconfig.patch | |
@@ -6,9 +6,9 @@ | |
source "Documentation/Kconfig" | |
+ | |
+source "distro/Kconfig" | |
---- /dev/null 2021-12-21 08:57:43.779324794 -0500 | |
-+++ b/distro/Kconfig 2021-12-21 14:12:07.964572417 -0500 | |
-@@ -0,0 +1,283 @@ | |
+--- /dev/null 2021-12-17 13:26:41.616000000 -0800 | |
++++ b/distro/Kconfig 2021-12-22 21:17:15.495003651 -0800 | |
+@@ -0,0 +1,294 @@ | |
+menu "Gentoo Linux" | |
+ | |
+config GENTOO_LINUX | |
@@ -77,7 +77,7 @@ | |
+ NET_NS (required for FEATURES=network-sandbox) | |
+ PID_NS (required for FEATURES=pid-sandbox) | |
+ SYSVIPC (required by IPC_NS) | |
-+ | |
++ | |
+ | |
+ It is highly recommended that you leave this enabled as these FEATURES | |
+ are, or will soon be, enabled by default. | |
@@ -124,7 +124,7 @@ | |
+ select BPF_SYSCALL | |
+ select CGROUP_BPF | |
+ select CGROUPS | |
-+ select CRYPTO_HMAC | |
++ select CRYPTO_HMAC | |
+ select CRYPTO_SHA256 | |
+ select CRYPTO_USER_API_HASH | |
+ select DEVPTS_MULTIPLE_INSTANCES | |
@@ -166,24 +166,13 @@ | |
+ | |
+endmenu | |
+ | |
-+menuconfig GENTOO_KERNEL_SELF_PROTECTION | |
-+ bool "Kernel Self Protection Project" | |
-+ depends on GENTOO_LINUX | |
-+ help | |
-+ Recommended Kernel settings based on the suggestions from the Kernel Self Protection Project | |
-+ See: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings | |
-+ Note, there may be additional settings for which the CONFIG_ setting is invisible in menuconfig due | |
-+ to unmet dependencies. Search for GENTOO_KERNEL_SELF_PROTECTION_COMMON and search for | |
-+ GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for dependency information on your | |
-+ specific architecture. | |
-+ Note 2: Please see the URL above for numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 | |
-+ for X86_64 | |
++menu "Kernel Self Protection Project" | |
++ visible if GENTOO_LINUX | |
+ | |
-+if GENTOO_KERNEL_SELF_PROTECTION | |
-+config GENTOO_KERNEL_SELF_PROTECTION_COMMON | |
++config GENTOO_KERNEL_SELF_PROTECTION | |
+ bool "Enable Kernel Self Protection Project Recommendations" | |
+ | |
-+ depends on GENTOO_LINUX && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && !DEVKMEM && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !X86_X32 && !MODIFY_LDT_SYSCALL && GCC_PLUGINS | |
++ depends on GENTOO_LINUX && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && !DEVKMEM && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !MODIFY_LDT_SYSCALL | |
+ | |
+ select BUG | |
+ select STRICT_KERNEL_RWX | |
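Review bot: The rewritten `depends on` line drops `!X86_X32` together with `GCC_PLUGINS`, but the commit message only explains the GCC_PLUGINS removal, so the x32 ABI that the old line treated as incompatible with the hardening set is now silently allowed under the umbrella option. If the intent is to move x86-only terms out of the common symbol, carry it into the X86_64 block as `depends on !X86_MSR && !X86_X32 && X86_64 && GENTOO_KERNEL_SELF_PROTECTION`; otherwise restore it here. `!MODIFY_LDT_SYSCALL` is likewise x86-only yet stays in the common line, so a one-line comment above the `depends on` stating which exclusions are deliberately common would stop the next edit from guessing. The GENTOO_KERNEL_SELF_PROTECTION config block continues past the end of this hunk.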
@@ -201,11 +190,14 @@ | |
+ select SCHED_STACK_END_CHECK | |
+ select SECCOMP if HAVE_ARCH_SECCOMP | |
+ select SECCOMP_FILTER if HAVE_ARCH_SECCOMP_FILTER | |
++ select SECURITY | |
+ select SECURITY_YAMA | |
++ select HARDENED_USERCOPY if HAVE_HARDENED_USERCOPY_ALLOCATOR | |
+ select SLAB_FREELIST_RANDOM | |
+ select SLAB_FREELIST_HARDENED | |
+ select SHUFFLE_PAGE_ALLOCATOR | |
+ select SLUB_DEBUG | |
++ select SLUB_DEBUG_ON | |
+ select PAGE_POISONING | |
+ select PAGE_POISONING_NO_SANITY | |
+ select PAGE_POISONING_ZERO | |
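Review bot: `select SLUB_DEBUG_ON` forces the full slab debug set (sanity checks, redzoning, poisoning, user tracking, the equivalent of booting with `slub_debug`) on every cache, which is a different and far more expensive thing than the `SLUB_DEBUG` already selected above, and the commit message only says "enable couple of slub and stack options". Since this is a hard `select` with no prompt, a user cannot opt out without disabling the whole KSPP set, so I'd either document the cost inline, `# SLUB_DEBUG_ON: always-on slab checks/poisoning; noticeable runtime overhead`, or give it its own bool under the menu. The new `select SECURITY` is fine and needed for the `SECURITY_YAMA` select that follows it. The config block continues outside the hunk on both sides.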
@@ -215,50 +207,60 @@ | |
+ select FORTIFY_SOURCE | |
+ select SECURITY_DMESG_RESTRICT | |
+ select PANIC_ON_OOPS | |
-+ select GCC_PLUGIN_LATENT_ENTROPY | |
-+ select GCC_PLUGIN_STRUCTLEAK | |
-+ select GCC_PLUGIN_STRUCTLEAK_BYREF_ALL | |
-+ select GCC_PLUGIN_RANDSTRUCT | |
-+ select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE | |
++ select DEBUG_STACKOVERFLOW if DEBUG_KERNEL && HAVE_DEBUG_STACKOVERFLOW | |
++ select VMAP_STACK if HAVE_ARCH_VMAP_STACK | |
++ select STRICT_MODULE_RWX if ARCH_HAS_STRICT_MODULE_RWX && ARCH_OPTIONAL_KERNEL_RWX && MODULES | |
++ select ZERO_CALL_USED_REGS if CC_HAS_ZERO_CALL_USED_REGS | |
++ select INIT_STACK_ALL_PATTERN if CC_HAS_AUTO_VAR_INIT_PATTERN && !CC_HAS_AUTO_VAR_INIT_ZERO | |
++ select INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_ZERO | |
++ select GCC_PLUGINS if HAVE_GCC_PLUGINS && CC_IS_GCC | |
++ select GCC_PLUGIN_LATENT_ENTROPY if GCC_PLUGINS | |
++ select GCC_PLUGIN_STRUCTLEAK if GCC_PLUGINS | |
++ select GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if GCC_PLUGINS | |
++ select GCC_PLUGIN_STRUCTLEAK_VERBOSE if GCC_PLUGINS && GCC_PLUGIN_STRUCTLEAK | |
++ select GCC_PLUGIN_RANDSTRUCT if GCC_PLUGINS | |
++ select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE if GCC_PLUGINS && GCC_PLUGIN_RANDSTRUCT | |
++ select GCC_PLUGIN_STACKLEAK if GCC_PLUGINS && HAVE_ARCH_STACKLEAK | |
+ | |
+ help | |
-+ Search for GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for dependency | |
-+ information on your specific architecture. Note 2: Please see the URL above for | |
-+ numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 for X86_64 | |
++ Recommended Kernel settings based on the suggestions from the Kernel Self Protection Project | |
++ See: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings | |
++ Note, there may be additional settings for which the CONFIG_ setting is invisible in menuconfig due | |
++ to unmet dependencies. Search for GENTOO_KERNEL_SELF_PROTECTION and search for | |
++ GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for dependency information on your | |
++ specific architecture. | |
++ Note 2: Please see the URL above for numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 | |
++ for X86_64 | |
+ | |
+config GENTOO_KERNEL_SELF_PROTECTION_X86_64 | |
-+ bool "X86_64 KSPP Settings" if GENTOO_KERNEL_SELF_PROTECTION_COMMON | |
++ bool "X86_64 KSPP Settings" if GENTOO_KERNEL_SELF_PROTECTION | |
+ | |
+ depends on !X86_MSR && X86_64 && GENTOO_KERNEL_SELF_PROTECTION | |
-+ default n | |
-+ | |
++ default y if X86_64 && GENTOO_KERNEL_SELF_PROTECTION | |
++ | |
+ select RANDOMIZE_BASE | |
+ select RANDOMIZE_MEMORY | |
+ select RELOCATABLE | |
+ select LEGACY_VSYSCALL_NONE | |
+ select PAGE_TABLE_ISOLATION | |
-+ select GCC_PLUGIN_STACKLEAK | |
-+ select VMAP_STACK | |
+ | |
+ | |
+config GENTOO_KERNEL_SELF_PROTECTION_ARM64 | |
+ bool "ARM64 KSPP Settings" | |
+ | |
+ depends on ARM64 | |
-+ default n | |
++ default y if ARM64 && GENTOO_KERNEL_SELF_PROTECTION | |
+ | |
+ select RANDOMIZE_BASE | |
+ select RELOCATABLE | |
+ select ARM64_SW_TTBR0_PAN | |
+ select CONFIG_UNMAP_KERNEL_AT_EL0 | |
-+ select GCC_PLUGIN_STACKLEAK | |
-+ select VMAP_STACK | |
+ | |
+config GENTOO_KERNEL_SELF_PROTECTION_X86_32 | |
+ bool "X86_32 KSPP Settings" | |
+ | |
+ depends on !X86_MSR && !MODIFY_LDT_SYSCALL && !M486 && X86_32 | |
-+ default n | |
++ default y if X86_32 && GENTOO_KERNEL_SELF_PROTECTION | |
+ | |
+ select HIGHMEM64G | |
+ select X86_PAE | |
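Review bot: `select INIT_STACK_ALL_PATTERN` and `select INIT_STACK_ALL_ZERO` target members of the stack-initialization `choice` in security/Kconfig.hardening, and as far as I can tell from kconfig's symbol evaluation a reverse dependency on a visible choice value is not honoured (the choice's own selection wins), so these two lines may silently do nothing while the help text claims the protection is on; the second patch embedded later in this file steers the same choice with `default` lines, which is the mechanism that does take effect, so I'd drop the two selects in favour of `default INIT_STACK_ALL_ZERO if GENTOO_KERNEL_SELF_PROTECTION && CC_HAS_AUTO_VAR_INIT_ZERO` (and the PATTERN equivalent) inside the choice, and confirm in menuconfig which member ends up set. Separately, the unchanged ARM64 line `select CONFIG_UNMAP_KERNEL_AT_EL0` carries the `CONFIG_` prefix that Kconfig symbol references never use, so it selects an undefined symbol and the arm64 kernel-unmap setting is never actually forced; it should read `select UNMAP_KERNEL_AT_EL0`. The X86_64 block's `default y if X86_64 && GENTOO_KERNEL_SELF_PROTECTION` repeats terms its `depends on` already requires and can be plain `default y`. The X86_32 config block continues past the end of this hunk.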
@@ -270,13 +272,22 @@ | |
+ bool "ARM KSPP Settings" | |
+ | |
+ depends on !OABI_COMPAT && ARM | |
-+ default n | |
++ default y if ARM && GENTOO_KERNEL_SELF_PROTECTION | |
+ | |
+ select VMSPLIT_3G | |
+ select STRICT_MEMORY_RWX | |
+ select CPU_SW_DOMAIN_PAN | |
+ | |
-+endif | |
++config GENTOO_KERNEL_SELF_PROTECTION_PPC | |
++ bool "PPC KSPP Settings" | |
++ | |
++ depends on PPC | |
++ default y if PPC && GENTOO_KERNEL_SELF_PROTECTION | |
++ | |
++ select PPC_KUEP if PPC_HAVE_KUEP | |
++ select PPC_KUAP if PPC_HAVE_KUAP | |
++ | |
++endmenu | |
+ | |
+config GENTOO_PRINT_FIRMWARE_INFO | |
+ bool "Print firmware information that the kernel attempts to load" | |
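Review bot: The new GENTOO_KERNEL_SELF_PROTECTION_PPC block only has `depends on PPC`, and because the old `if GENTOO_KERNEL_SELF_PROTECTION` / `endif` guard is replaced here by `endmenu`, the arch sections are no longer gated by the umbrella option at all: `default y if ...` pre-selects them, but a user can turn them on with the common hardening off, which the commit message describes the umbrella as guarding against. Unless that is intended, make it `depends on PPC && GENTOO_KERNEL_SELF_PROTECTION` and `default y`, and apply the same to the ARM64, X86_32 and ARM blocks in the preceding hunk, where only X86_64 has the explicit depends. The help text moved earlier in this commit still lists only `GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM}`, so PPC should be added there. The ARM config block this hunk starts in begins before the hunk.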
@@ -342,3 +353,50 @@ index 24c045b24..e13fc740c 100644 | |
-- | |
2.31.1 | |
``` | |
+From 36d3e0fe61525a9e43573a2c74723e0ed747965f Mon Sep 17 00:00:00 2001 | |
+From: Georgy Yakovlev <gyakovlev@gentoo.org> | |
+Date: Wed, 22 Dec 2021 21:16:27 -0800 | |
+Subject: [PATCH] Kconfigs: limit more things for gentoo KSPP | |
+ | |
+--- | |
+ init/Kconfig | 2 ++ | |
+ security/Kconfig.hardening | 2 ++ | |
+ 2 files changed, 4 insertions(+) | |
+ | |
+diff --git a/init/Kconfig b/init/Kconfig | |
+index 11f8a84..459706b 100644 | |
+--- a/init/Kconfig | |
++++ b/init/Kconfig | |
+@@ -1925,7 +1925,9 @@ endchoice | |
+ | |
+ config SLAB_MERGE_DEFAULT | |
+ bool "Allow slab caches to be merged" | |
++ default n if GENTOO_KERNEL_SELF_PROTECTION | |
+ default y | |
++ depends on !GENTOO_KERNEL_SELF_PROTECTION | |
+ help | |
+ For reduced kernel memory fragmentation, slab caches can be | |
+ merged when they share the same size and other characteristics. | |
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening | |
+index 90cbaff..f2298e5 100644 | |
+--- a/security/Kconfig.hardening | |
++++ b/security/Kconfig.hardening | |
+@@ -30,6 +30,7 @@ choice | |
+ default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS | |
+ default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN | |
+ default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_PATTERN | |
++ default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if GENTOO_KERNEL_SELF_PROTECTION && GCC_PLUGINS | |
+ default INIT_STACK_NONE | |
+ help | |
+ This option enables initialization of stack variables at | |
+@@ -45,6 +46,7 @@ choice | |
+ | |
+ config INIT_STACK_NONE | |
+ bool "no automatic stack variable initialization (weakest)" | |
++ depends on !GENTOO_KERNEL_SELF_PROTECTION | |
+ help | |
+ Disable automatic stack variable initialization. | |
+ This leaves the kernel vulnerable to the standard | |
+-- | |
+2.34.1 | |
+ | |
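Review bot: Adding `depends on !GENTOO_KERNEL_SELF_PROTECTION` to INIT_STACK_NONE can leave the stack-initialization choice with no visible member on a toolchain that has neither GCC plugin support nor auto-var-init (as I read the upstream file, every other member depends on GCC_PLUGINS or CC_HAS_AUTO_VAR_INIT_*), so on such a compiler the choice degrades to nothing selectable instead of failing loudly; I'd either keep INIT_STACK_NONE reachable when no hardened member is available or make GENTOO_KERNEL_SELF_PROTECTION itself depend on one of them being available. In the init/Kconfig hunk, `default n if GENTOO_KERNEL_SELF_PROTECTION` is redundant once `depends on !GENTOO_KERNEL_SELF_PROTECTION` is present, since the depends alone forces the symbol off, so one of the two lines can go. Both embedded hunks sit inside the outer `+` block of the 4567 patch, so they are new content for this commit.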
-- | |
2.34.1 |