git.kernel.dk Git - linux-2.6-block.git/commit

author	Kees Cook <keescook@chromium.org>
	Fri, 25 Aug 2023 04:25:55 +0000 (21:25 -0700)
committer	Kees Cook <keescook@chromium.org>
	Fri, 22 Sep 2023 16:50:55 +0000 (09:50 -0700)
commit	215199e3d9f3dc01a6d10b8229891e6f7f1085e7
tree	c9556972bf81693b8ddc2596c703e5cdeed3b032	tree \| snapshot
parent	ce9ecca0238b140b88f43859b211c9fdfd8e5b70	commit \| diff

hardening: Provide Kconfig fragments for basic options

Inspired by Salvatore Mesoraca's earlier[1] efforts to provide some
in-tree guidance for kernel hardening Kconfig options, add a new fragment
named "hardening-basic.config" (along with some arch-specific fragments)
that enable a basic set of kernel hardening options that have the least
(or no) performance impact and remove a reasonable set of legacy APIs.

Using this fragment is as simple as running "make hardening.config".

More extreme fragments can be added[2] in the future to cover all the
recognized hardening options, and more per-architecture files can be
added too.

For now, document the fragments directly via comments. Perhaps .rst
documentation can be generated from them in the future (rather than the
other way around).

[1] https://lore.kernel.org/kernel-hardening/1536516257-30871-1-git-send-email-s.mesoraca16@gmail.com/
[2] https://github.com/KSPP/linux/issues/14

Cc: Salvatore Mesoraca <s.mesoraca16@gmail.com>
Cc: x86@kernel.org
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-doc@vger.kernel.org
Cc: linux-kbuild@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>

MAINTAINERS		diff \| blob \| blame \| history
arch/arm/configs/hardening.config	[new file with mode: 0644]	blob
arch/arm64/configs/hardening.config	[new file with mode: 0644]	blob
arch/powerpc/configs/hardening.config	[new file with mode: 0644]	blob
arch/x86/configs/hardening.config	[new file with mode: 0644]	blob
kernel/configs/hardening.config	[new file with mode: 0644]	blob