From: Masahiro Yamada
Date: Mon, 23 Jul 2018 10:55:55 +0900
Subject: Re: [RFC] kconfig: add hardened defconfig helpers
To: Kees Cook
Cc: Salvatore Mesoraca, Kernel Hardening, Laura Abbott, LKML, "open list:DOCUMENTATION"
References: <1531935483-30784-1-git-send-email-s.mesoraca16@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

2018-07-20 14:15 GMT+09:00 Kees Cook:
> +lkml, Masahiro, and linux-doc, just for wider review/thoughts.

I do not subscribe to kernel-hardening ML.
I do not see the original patch in lkml or kbuild/kconfig ML.

> On Wed, Jul 18, 2018 at 10:38 AM, Salvatore Mesoraca wrote:
>> Adds 4 new defconfig helpers (hardenedlowconfig,
>> hardenedmediumconfig, hardenedhighconfig,
>> hardenedextremeconfig) to enable various hardening
>> features.
>> The list of config options to enable is based on
>> KSPP's Recommended Settings[1] and on
>> kconfig-hardened-check[2], with some modifications.
>> These options are divided into 4 levels (low, medium,
>> high, extreme) based on their negative side effects, not
>> on their usefulness.
>> 'Low' level collects all those protections that have
>> (almost) no negative side effects.
>
> Likely the "Low" should be on-by-default already, but it's easier to
> bike-shed that separately. :)
>
>> 'Extreme' level collects those protections that may have
>> so many negative side effects that most people
>> wouldn't want to enable them.
>> Every feature in each level is briefly documented in
>> Documentation/security/hardenedconfig.rst, this file
>> also contains a better explanation of what every level
>> means.
>> To prevent this file from drifting from what the various
>> defconfigs actually do, it is used to dynamically
>> generate the config fragments.
>
> I like that the configs are generated from the docs! This makes things
> very sane to update.
>
>>
>> [1] http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
>> [2] https://github.com/a13xp0p0v/kconfig-hardened-check
>>
>> Signed-off-by: Salvatore Mesoraca
>> ---
>>  .gitignore                                 |    6 +
>>  Documentation/security/hardenedconfig.rst  | 1027 ++++++++++++++++++++++++++++
>>  Documentation/security/index.rst           |    1 +
>>  Makefile                                   |    6 +-
>>  scripts/kconfig/Makefile                   |   72 +-
>>  scripts/kconfig/build_hardened_fragment.sh |   54 ++
>>  6 files changed, 1143 insertions(+), 23 deletions(-)
>>  create mode 100644 Documentation/security/hardenedconfig.rst
>>  create mode 100755 scripts/kconfig/build_hardened_fragment.sh
>>

--
Best Regards
Masahiro Yamada
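
The doc-generated fragment idea from the quoted patch description, as an added example that is not part of this thread or of the patch itself. The RST layout (a `:level:` field under each option title), the level given to each sample option, the function names and the cumulative treatment of levels are all assumptions made for illustration.

```shell
# Added example: the RST layout and the level assignments are assumptions.
# Constructed sample: each option is a section title followed by ":level:".
sample_doc() {
cat <<'EOF'
CONFIG_STRICT_KERNEL_RWX=y
--------------------------
:level: low

Kernel text and rodata are not writable.

CONFIG_FORTIFY_SOURCE=y
-----------------------
:level: low

CONFIG_PAGE_POISONING=y
-----------------------
:level: medium

CONFIG_MODULES=n
----------------
:level: extreme
EOF
}

# build_fragment LEVEL < doc
# Prints every option documented at or below LEVEL. Exits non-zero on an
# unknown LEVEL or on an option that lacks a valid ":level:" field.
build_fragment() {
    awk -v want="$1" '
        BEGIN {
            rank["low"] = 1; rank["medium"] = 2; rank["high"] = 3; rank["extreme"] = 4
            if (!(want in rank)) { print "unknown level: " want > "/dev/stderr"; bad = 1; exit 1 }
        }
        function emit() {
            if (opt == "") return
            if (!(lvl in rank)) { print opt ": missing or bad level" > "/dev/stderr"; bad = 1 }
            else if (rank[lvl] <= rank[want]) {
                split(opt, kv, "=")
                # A disabled symbol is written as an "is not set" comment.
                if (kv[2] == "n") print "# " kv[1] " is not set"; else print opt
            }
            opt = ""; lvl = ""
        }
        /^CONFIG_[A-Z0-9_]+=/ { emit(); opt = $0; next }
        /^:level:/ { lvl = $2; next }
        END { emit(); exit (bad ? 1 : 0) }
    '
}
sample_doc | build_fragment medium
```

Because the fragment is derived from the document on every run, an option added to the document without a level fails the build instead of silently dropping out of the generated config.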