Date: Sun, 9 Sep 2018 14:27:41 -0600
From: Jonathan Corbet
To: Salvatore Mesoraca
Cc: kernel-hardening@lists.openwall.com, linux-doc@vger.kernel.org, linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org, Jann Horn, Kees Cook, Laura Abbott, Masahiro Yamada, Michal Marek, "Eric W. Biederman"
Subject: Re: [PATCH v2] kconfig: add hardened defconfig helpers
Message-ID: <20180909142741.3b87df76@lwn.net>
In-Reply-To: <1536516257-30871-1-git-send-email-s.mesoraca16@gmail.com>
Organization: LWN.net

On Sun, 9 Sep 2018 20:04:17 +0200 Salvatore Mesoraca wrote:

> +===============================
> +Hardening Configuration Options
> +===============================
> +
> +This is a list of configuration options that are useful for hardening purposes.
> +These options are divided in 4 levels based on the magnitude of their negative
> +side effects, not on their importance or usefulness:
> +
> + - **Low**: Negligible performance impact. No user-space breakage.
> + - **Medium**: Some performance impact and/or user-space breakage for
> + few users.
> + - **High**: Notable performance impact and/or user-space breakage for
> + many users.
> + - **Extreme**: Big performance impact and/or user-space breakage for
> + most users.
> +
> +In other words: **Low** level contains protections that *everybody* can and
> +should use; **Medium** level should be usable by *most people* without issues;
> +**High** level may cause *some trouble*, especially from a *performance*
> +perspective; **Extreme** level contains protections that *few people* may want
> +to enable, some people will probably *cherry-pick* some options from here based
> +on their needs.
> +
> +For further details about which option is included in each level, please read
> +the description below, for more information on any particular option refer to
> +their help page.
> +
> +The content of this list is automatically translated into *config fragments*
> +that can be used to apply the suggested hardening options to your current
> +configuration.
> +To use them you just need to run ``make hardened$LEVELconfig`` (e.g.
> +``make hardenedhighconfig``).

Some overall thoughts:

- As Sam asked: who are the users of this feature? Presumably you have some real people out there in mind for each of these levels, or you would not have created them?

- Who will maintain it? The list of hardening-relevant configuration options is always in high flux, as our understanding of the security implications of each. This feature will require some significant ongoing attention or it will quickly become stale. I think it needs a MAINTAINERS entry.

- It's a little strange to see an RST document used as the input for the kernel configuration process. Assuming this is really the best way to do this (and I worry about things like duplicated descriptions of kernel configuration options), you should, at a minimum, carefully document the format of this file at the beginning. Otherwise people will surely break it. In fact, they'll break it anyway, so more checking in the processing script seems indicated. Without having thought it through in great depth, I suspect that a better approach might be to find a way to mark the hardening level in the Kconfig entries.

- You have ordered the options alphabetically, but that is, I would argue, not the best way. My guess is that people would read this file to answer the question of "just how many bullets will hardening level H put into my foot?" So I would sort them by hardening level as the primary key.

Thanks,

jon
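Review bot: the quoted documentation hunk never says whether the levels nest, i.e. whether ``make hardenedhighconfig`` also applies the Low and Medium options or only the ones listed under High, and it says nothing about what happens to a fragment option whose dependencies the current configuration does not satisfy; both questions land right at the ``make hardened$LEVELconfig`` instruction, and one sentence each there would settle them. Two smaller points in the same text: "divided in 4 levels" should be "divided into 4 levels", and "please read the description below, for more information on any particular option refer to their help page" is two sentences joined by a comma.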
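The ``make hardened$LEVELconfig`` step in the quoted patch applies a config fragment to the current configuration. What follows is an added example, not code from the patch or from the kernel tree: it merges a hardening fragment into a .config the way scripts/kconfig/merge_config.sh does, then checks which of the requested symbols actually survived dependency resolution, which is the check a practitioner wants because Kconfig silently turns an option off when its dependencies are unmet. The .config and fragment contents are constructed samples; ``fake_olddefconfig`` is a hypothetical stand-in for ``make olddefconfig`` that models one real dependency (MODULE_SIG_FORCE depends on MODULE_SIG).

```shell
#!/bin/sh
# Added example, not code from the patch or the kernel tree: merge a hardening
# config fragment into an existing .config and verify that every symbol the
# fragment asked for is still set that way after dependency resolution.
# In a real tree the merge is scripts/kconfig/merge_config.sh and the
# resolution is `make olddefconfig`; both are stood in for here so the check
# runs offline. .config lines use the real Kconfig formats:
#   CONFIG_FOO=y      CONFIG_BAR=17      # CONFIG_BAZ is not set

# Shared awk helper: symbol name of a .config line, "" for anything else.
AWK_SYM='
function sym(line) {
    if (line ~ /^# CONFIG_[A-Za-z0-9_]+ is not set$/) {
        sub(/^# /, "", line); sub(/ is not set$/, "", line); return line
    }
    if (line ~ /^CONFIG_[A-Za-z0-9_]+=/) { sub(/=.*/, "", line); return line }
    return ""
}'

# merge_fragment BASE FRAGMENT: print BASE with each symbol named in FRAGMENT
# replaced by the fragment's line, and fragment-only symbols appended at the end.
merge_fragment() {
    awk "$AWK_SYM"'
    FILENAME == ARGV[1] {            # first file: the fragment
        s = sym($0)
        if (s != "") { override[s] = $0; if (!(s in seen)) { seen[s] = 1; order[++n] = s } }
        next
    }
    {                                # second file: the base .config
        s = sym($0)
        if (s != "" && (s in override)) { print override[s]; done[s] = 1; next }
        print
    }
    END { for (i = 1; i <= n; i++) if (!(order[i] in done)) print override[order[i]] }
    ' "$2" "$1"
}

# check_fragment FRAGMENT CONFIG: report every fragment symbol that is missing
# from CONFIG or ended up with a different value; exit status 1 if any did.
check_fragment() {
    awk "$AWK_SYM"'
    FILENAME == ARGV[1] { s = sym($0); if (s != "") { req[s] = $0; want[s] = 1 }; next }
    {
        s = sym($0)
        if (s != "" && (s in want)) { if (req[s] != $0) bad[s] = $0; delete want[s] }
    }
    END {
        rc = 0
        for (s in want) { print "MISSING " s " (requested: " req[s] ")"; rc = 1 }
        for (s in bad)  { print "CHANGED " s " (requested: " req[s] ", final: " bad[s] ")"; rc = 1 }
        exit rc
    }
    ' "$1" "$2"
}

# Hypothetical stand-in for `make olddefconfig`: models the single real
# dependency "MODULE_SIG_FORCE depends on MODULE_SIG" and nothing else.
fake_olddefconfig() {
    if grep -qx 'CONFIG_MODULE_SIG=y' "$1"; then cat "$1"
    else sed 's/^CONFIG_MODULE_SIG_FORCE=y$/# CONFIG_MODULE_SIG_FORCE is not set/' "$1"
    fi
}

# Constructed sample inputs (not taken from any real tree or level list).
demo_dir=${TMPDIR:-/tmp}/hardened-fragment-demo.$$
mkdir -p "$demo_dir"
cat >"$demo_dir/base.config" <<'EOF'
CONFIG_SLAB_FREELIST_RANDOM=y
# CONFIG_FORTIFY_SOURCE is not set
CONFIG_MODULES=y
CONFIG_LOG_BUF_SHIFT=17
EOF
cat >"$demo_dir/hardened.fragment" <<'EOF'
CONFIG_FORTIFY_SOURCE=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_MODULES=y
CONFIG_MODULE_SIG_FORCE=y
EOF

# run_demo: merge, resolve, check. Returns 0 only if every requested option
# survived; the report of dropped or changed options goes to stdout.
run_demo() {
    merge_fragment "$demo_dir/base.config" "$demo_dir/hardened.fragment" >"$demo_dir/merged.config"
    fake_olddefconfig "$demo_dir/merged.config" >"$demo_dir/final.config"
    check_fragment "$demo_dir/hardened.fragment" "$demo_dir/final.config"
}

if run_demo; then echo "all requested hardening options are in the final .config"
else echo "some requested hardening options did not take effect (see above)"
fi
```

In a real tree the same sequence is ``scripts/kconfig/merge_config.sh -m .config <fragment>`` followed by ``make olddefconfig``, and then a check like ``check_fragment`` against the resulting .config; merge_config.sh itself warns about requested values that are absent from the final .config when it is allowed to run the olddefconfig step, and a non-zero exit status from the check is what lets a build script refuse to proceed with a silently weakened configuration.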