Bug 830460 - GENTOO_KERNEL_SELF_PROTECTION_COMMON on riscv and amd64
Summary: GENTOO_KERNEL_SELF_PROTECTION_COMMON on riscv and amd64
Status: IN_PROGRESS
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Kernel Bug Wranglers and Kernel Maintainers
Reported: 2022-01-02 18:33 UTC by pa4wdh
Modified: 2022-01-07 16:49 UTC (History)
Attachments
4567_distro-Gentoo-Kconfig.patch (4567_distro-Gentoo-Kconfig.patch,12.78 KB, patch)
2022-01-04 03:37 UTC, Georgy Yakovlev
5.10 version of 4567_distro-Gentoo-Kconfig.patch (5.10,12.78 KB, patch)
2022-01-04 11:43 UTC, Georgy Yakovlev
Description pa4wdh 2022-01-02 18:33:10 UTC
I recently experimented with GENTOO_KERNEL_SELF_PROTECTION_COMMON in sys-kernel/gentoo-sources on amd64 and riscv and noticed some things that may be worth fixing.

1. GENTOO_KERNEL_SELF_PROTECTION_COMMON depends on !X86_X32. This is architecture dependent, so it might be better at GENTOO_KERNEL_SELF_PROTECTION_X86_64.

2. GENTOO_KERNEL_SELF_PROTECTION_COMMON selects GCC_PLUGIN_STACKLEAK, which is only available for x86 and arm64, so it might be better at those architecture-specific settings.

3. GENTOO_KERNEL_SELF_PROTECTION_COMMON selects SECURITY_YAMA. SECURITY_YAMA depends on SECURITY but this is not selected automatically, leading to dependency errors from Kconfig. This is also listed on https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings


Reproducible: Always

Steps to Reproduce:
For point 1, GENTOO_KERNEL_SELF_PROTECTION_COMMON depends on !X86_X32: read distro/Kconfig and see.

For point 2, GCC_PLUGIN_STACKLEAK:
1. Enable GENTOO_KERNEL_SELF_PROTECTION_COMMON for an arch which does not support this and notice a dependency error from Kconfig for missing HAVE_ARCH_STACKLEAK. Forcing it will result in a compile time error.
2. To verify support in the kernel, cd to the arch directory of the sources and grep -R HAVE_ARCH_STACKLEAK *; this results in arm64 and x86 on current kernels.

For point 3, the missing dependency on SECURITY:
1. Start with a kernel config where GENTOO_KERNEL_SELF_PROTECTION_COMMON, SECURITY_YAMA and SECURITY options are disabled
2. Enable GENTOO_KERNEL_SELF_PROTECTION_COMMON and Kconfig will give you a warning about the missing dependency CONFIG_SECURITY

Actual Results:
The result is not being able to enable GENTOO_KERNEL_SELF_PROTECTION_COMMON on RISC-V (due to issue 2), and dependency errors on RISC-V and amd64 due to issues 1 and 3.


Expected Results:  
I expect dependencies to be resolved cleanly and the "COMMON" configuration option not to select architecture specific options.

I also posted in this forum topic:
https://forums.gentoo.org/viewtopic-t-1141903-highlight-.html
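A minimal illustration of the three Kconfig dependency problems listed in the report, followed by one way to restructure them. This is an added example, not the distro/Kconfig shipped in genpatches and not the patch attached later in this bug; the ARM64 block and the `if GCC_PLUGINS` guard are assumptions about a reasonable layout.

```kconfig
# Added example (not the genpatches distro/Kconfig): before/after layout.

# --- Before: every KSPP setting hangs off the arch-neutral COMMON option ---
config GENTOO_KERNEL_SELF_PROTECTION_COMMON
	bool "Common KSPP settings (problematic layout)"
	# (1) X86_X32 is an x86-only symbol, so this dependency does not belong
	#     in an option that is meant to be architecture neutral.
	depends on !X86_X32
	# (2) GCC_PLUGIN_STACKLEAK depends on HAVE_ARCH_STACKLEAK, which only
	#     arm64 and x86 define; on riscv Kconfig warns about the unmet
	#     dependency and the build fails if the option is forced on.
	select GCC_PLUGIN_STACKLEAK
	# (3) SECURITY_YAMA depends on SECURITY, but 'select' never pulls in the
	#     dependencies of the selected symbol, so Kconfig warns about
	#     unmet direct dependencies whenever SECURITY is off.
	select SECURITY_YAMA

# --- After: arch-neutral symbols in COMMON, arch-specific ones per arch ---
config GENTOO_KERNEL_SELF_PROTECTION_COMMON
	bool "Common KSPP settings"
	# Select the dependency explicitly so SECURITY_YAMA is satisfiable.
	select SECURITY
	select SECURITY_YAMA

config GENTOO_KERNEL_SELF_PROTECTION_X86_64
	bool "x86_64 KSPP settings"
	# (1) The X86_X32 constraint now lives where X86_X32 is defined.
	depends on X86_64 && !X86_X32
	# (2) x86 provides HAVE_ARCH_STACKLEAK; the guard avoids a dangling
	#     select when the GCC plugin infrastructure itself is disabled.
	select GCC_PLUGIN_STACKLEAK if GCC_PLUGINS

config GENTOO_KERNEL_SELF_PROTECTION_ARM64
	bool "arm64 KSPP settings"
	depends on ARM64
	select GCC_PLUGIN_STACKLEAK if GCC_PLUGINS
```

With the second layout, enabling COMMON on riscv no longer drags in a symbol whose HAVE_ARCH_STACKLEAK dependency the architecture cannot meet, and `make oldconfig` no longer reports CONFIG_SECURITY as unmet.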
Comment 1 Georgy Yakovlev archtester gentoo-dev 2022-01-03 13:36:03 UTC
I have a rework in process

https://gist.github.com/gyakovlev/315da106a0b855d5559bdbe365b0cdc0

it's here
I believe it covers most of the pain points you mention.

I will finish it sometime soon and we'll add it.
Comment 2 pa4wdh 2022-01-03 17:59:18 UTC
Thanks for your reply Georgy.

That patch indeed seems to solve my points.
Comment 3 Georgy Yakovlev archtester gentoo-dev 2022-01-04 03:37:16 UTC
Created attachment 761238
4567_distro-Gentoo-Kconfig.patch

new patch version

will be great if you could give it a try.
basically replace existing 4567_distro-Gentoo-Kconfig.patch with this one before applying patches.

I tried multiple arches and there are no warnings or unselectable stuff, or stuff that should not be selected. but I did not build test everything.
Comment 4 Georgy Yakovlev archtester gentoo-dev 2022-01-04 03:37:53 UTC
^ this is for 5.15/5.16

no earlier versions yet
Comment 5 pa4wdh 2022-01-04 08:59:48 UTC
Thanks for the update. I'll have to sync/update first, I don't have 5.15/5.16 kernels in my repo yet. It's running now, and it might take a while :-)
Comment 6 Georgy Yakovlev archtester gentoo-dev 2022-01-04 09:35:03 UTC
I will do the same for 5.10 soon too, will attach here as well. The 5.10 one will probably work on 5.4 with no modifications.
Comment 7 Georgy Yakovlev archtester gentoo-dev 2022-01-04 11:43:53 UTC
Created attachment 761276
5.10 version of 4567_distro-Gentoo-Kconfig.patch

here's one for 5.10 kernel
Comment 8 pa4wdh 2022-01-04 15:33:24 UTC
My update is almost finished so I was able to test your new patch.

I took gentoo-sources 5.15.12, modified genpatches-5.14-4.extras.tar.xz to include your patch instead of the original one, updated the manifest and installed. This was done without an issue and I can see the modifications to distro/Kconfig.

Then I loaded my pre-KSPP config into the 5.15.12 sources, ran make oldconfig, and after that went through the process of switching on the KSPP options. Everything worked well without any errors. I didn't try to compile (yet), but I think the result of that might be beyond the scope of this bug.

I do have one point of feedback about the new structure:
In the old structure the CONFIG_GENTOO_KERNEL_SELF_PROTECTION option contained the help text on what to do to make the other options show up. This help text is unreachable now (at least in menuconfig) when the setting itself has unmet dependencies, so you can't read what you're supposed to do until it's not needed anymore :-).

For the rest it looks good.

Sidenote for the patch and kernel versions:
I was actually using a 5.14 kernel :-). If you'd like me to do more tests, it'd be way easier if you could provide it in a form that allows me to place it as a user patch. That would save the hassle of fiddling with the genpatches and manifest files. Or is there an easier way to do this?
Comment 9 Georgy Yakovlev archtester gentoo-dev 2022-01-04 19:47:51 UTC
press Z in menuconfig, you'd be surprised =) It will show all untogglable/unsatisfied items and you'll be able to see help for those.

but I agree, not everyone knows it and it's not obvious how to make an item show up.

I'll think on a better structure.

Previous had nicer UI, but had some other issues.
Comment 10 pa4wdh 2022-01-07 16:02:22 UTC
Sorry for my late response.

Thanks for the tip on the Z, didn't know that. Maybe you could add an option named "readme" with the help text and ignore the value. Another option might be to add documentation under the Documentation directory of the sources, which might actually be closer to the "official" way of doing things.
Comment 11 Georgy Yakovlev archtester gentoo-dev 2022-01-07 16:49:57 UTC
yeah I thought about a separate item that's always visible and contains help, kinda like before.

not sure if we want a separate documentation file. it's harder to find, and it has to be maintained separately if changes are made.

help strings in config and dependency options are rendered straight from Kconfig, so the help always matches a single source of truth.

anyway, did not have time to work on it again yet.
as soon as I do something I'll leave a comment and maybe make a droppable patch for ease of testing.