Public
- Public
- Network
- Groups
- Featured
- Popular
- People

Conversation

Notices

Embed this notice
Kees Cook :tux: (kees@fosstodon.org)'s status on Saturday, 26-Aug-2023 23:08:22 JST Kees Cook :tux:

The #Linux #kernel has been overdue for having a Kconfig fragment for #hardening options. I'm hoping this can land:
https://lore.kernel.org/lkml/20230825050618.never.197-kees@kernel.org
In conversation Saturday, 26-Aug-2023 23:08:22 JST from fosstodon.org permalink
Attachments
1. No result found on File_thumbnail lookup.
  
  [PATCH] hardening: Provide Kconfig fragments for basic options - Kees Cook
- Embed this notice
  Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Saturday, 26-Aug-2023 23:08:21 JST Haelwenn /элвэн/ :triskell:
  in reply to
  
  @kees I wonder what's the practical difference with a config option depending on KSPP hardening options like Gentoo has been doing for a while.
  
  In conversation Saturday, 26-Aug-2023 23:08:21 JST permalink
- Embed this notice
  Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Monday, 28-Aug-2023 00:48:17 JST Haelwenn /элвэн/ :triskell:
  in reply to
  
  @kees https://gitweb.gentoo.org/proj/linux-patches.git/tree/4567_distro-Gentoo-Kconfig.patch
  In conversation Monday, 28-Aug-2023 00:48:17 JST permalink
  Attachments
  1. Domain not in remote thumbnail source whitelist: assets.gentoo.org
    
    4567_distro-Gentoo-Kconfig.patch - proj/linux-patches.git - Linux patches
    
    Browse the Gentoo Git repositories
- Embed this notice
  Kees Cook :tux: (kees@fosstodon.org)'s status on Monday, 28-Aug-2023 00:48:18 JST Kees Cook :tux:
  in reply to
  - Haelwenn /элвэн/ :triskell:
  @lanodan in not sure what you're asking. What's Gentoo been doing?
  
  In conversation Monday, 28-Aug-2023 00:48:18 JST permalink
- Embed this notice
  Kees Cook :tux: (kees@fosstodon.org)'s status on Monday, 28-Aug-2023 08:09:22 JST Kees Cook :tux:
  in reply to
  - Haelwenn /элвэн/ :triskell:
  @lanodan Ah, I see. Thanks for the link! Yeah, many things are repeated, but there are some options there that I think are a bit "heavy". It's based on the KSPP recommendations which tries to include everything but some stuff may be very disruptive (dropping 32-bit compatibility, removing module loading, etc).
  
  In conversation Monday, 28-Aug-2023 08:09:22 JST permalink
- Embed this notice
  Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Monday, 28-Aug-2023 08:09:22 JST Haelwenn /элвэн/ :triskell:
  in reply to
  
  @kees Yeah some went a bit heavy but I think the current ones are fine, worst case it just becomes a list that you can easily check while configuring the kernel.
  
  Also it reminds me that https://github.com/a13xp0p0v/kconfig-hardened-check grabs a bunch of recommendations (KSPP but not only), some of them being quite hardcore to seriously questionable (say recommending against coredumps from clipos).
  In conversation Monday, 28-Aug-2023 08:09:22 JST permalink
  Attachments
  1. Domain not in remote thumbnail source whitelist: opengraph.githubassets.com
    
    GitHub - a13xp0p0v/kconfig-hardened-check: A tool for checking the security hardening options of the Linux kernel
    
    A tool for checking the security hardening options of the Linux kernel - GitHub - a13xp0p0v/kconfig-hardened-check: A tool for checking the security hardening options of the Linux kernel

Public

Conversation

Notices

Feeds