Bug 930732 - sys-kernel/gentoo-kernel: update USE=hardened configs to include UBSAN
Summary: sys-kernel/gentoo-kernel: update USE=hardened configs to include UBSAN
Status: IN_PROGRESS
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Distribution Kernel Project
URL:
Whiteboard:
Keywords: InVCS
Depends on:
Blocks:
 
Reported: 2024-04-26 19:46 UTC by Sam James
Modified: 2024-04-29 18:49 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments

Description: Sam James (gentoo-dev), 2024-04-26 19:46:46 UTC
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings has received a bunch of updates including UBSAN.

I saw the recent post by kees about this which led me to look at it:
* https://fosstodon.org/@kees/112278296373441646
* https://fosstodon.org/@kees/112339190937233667
Comment 1: Sam James (gentoo-dev), 2024-04-26 19:56:01 UTC
kees: "Note that really only BOUNDS and SHIFT are ready for real-world environments. BOOL and ENUM have low signal-to-noise ratio"
Comment 2: Sam James (gentoo-dev), 2024-04-29 18:49:24 UTC
commit 3cf6026a1998010e2136946b3b01cf79aa0f1f90 (HEAD -> master, tag: g13, origin/master, origin/HEAD)
Author: Sam James <sam@gentoo.org>
Date:   Fri Apr 26 22:14:04 2024 +0100

    hardened-base.config: enable UBSAN

    Enables the following:
    * CONFIG_UBSAN
    * CONFIG_UBSAN_BOUNDS
    * CONFIG_UBSAN_SANITIZE_ALL
    * CONFIG_UBSAN_LOCAL_BOUNDS

    Prompted by discussion with Kees Cook at https://fosstodon.org/@kees/112339190937233667.

    Notes on decision-making:
    * Not doing CONFIG_UBSAN_TRAP for now; we can re-assess it later on. Others
    haven't set it.

    * UBSAN in the kernel is *not* the same as UBSAN in userland; the kernel
    hardening team are recommending its use in production, unlike userland
    where care is required to e.g. use the minimal runtime.

    Bug: https://bugs.gentoo.org/930732
    Signed-off-by: Sam James <sam@gentoo.org>
    Closes: https://github.com/projg2/gentoo-kernel-config/pull/13
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

commit fce9717516054d808ce4516d36f9dfbe5ae8a9f5
Author: Sam James <sam@gentoo.org>
Date:   Fri Apr 26 22:10:42 2024 +0100

    hardened-arm64.config, hardened-amd64.config, hardened-base.config: refresh

    Enable CONFIG_RANDOM_KMALLOC_CACHES, CONFIG_X86_USER_SHADOW_STACK,
    CONFIG_PAGE_TABLE_CHECK, and CONFIG_PAGE_TABLE_CHECK_ENFORCED.

    Prompted by conversation with Kees Cook at https://fosstodon.org/@kees/112339190937233667.

    Bug: https://bugs.gentoo.org/930732
    Signed-off-by: Sam James <sam@gentoo.org>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>
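As an added example (not part of this bug or of the gentoo-kernel-config repository), a POSIX shell check that a kernel `.config` or `/proc/config.gz` actually carries the options the two commits above enable; `CONFIG_X86_USER_SHADOW_STACK` is left out because it only exists on amd64, and the sample config embedded at the bottom is constructed, not taken from any real kernel.

```shell
#!/bin/sh
# Verify that a kernel config carries the hardening options enabled by the
# gentoo-kernel-config commits g13 (UBSAN) and the preceding refresh commit.
# This is an added check, not code from the Gentoo project.

# Options the two commits set (arch-neutral subset).
HARDENING_OPTS="CONFIG_UBSAN CONFIG_UBSAN_BOUNDS CONFIG_UBSAN_SANITIZE_ALL \
CONFIG_UBSAN_LOCAL_BOUNDS CONFIG_RANDOM_KMALLOC_CACHES \
CONFIG_PAGE_TABLE_CHECK CONFIG_PAGE_TABLE_CHECK_ENFORCED"

# read_config FILE: print the config as plain text, handling /proc/config.gz.
read_config() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# missing_opts FILE: print every expected option that is not "=y" in FILE.
# Returns 0 when all are set, 1 when any is missing, 2 if FILE is unreadable.
missing_opts() {
    cfg=$(read_config "$1") || return 2
    rc=0
    for opt in $HARDENING_OPTS; do
        # -x: whole-line match, so CONFIG_UBSAN=y does not match CONFIG_UBSAN_BOUNDS=y
        if ! printf '%s\n' "$cfg" | grep -qx "$opt=y"; then
            printf '%s\n' "$opt"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config: UBSAN options present, page-table check missing.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_UBSAN=y
# CONFIG_UBSAN_TRAP is not set
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_SANITIZE_ALL=y
CONFIG_UBSAN_LOCAL_BOUNDS=y
CONFIG_RANDOM_KMALLOC_CACHES=y
# CONFIG_PAGE_TABLE_CHECK is not set
EOF

# Check the file given on the command line, or the sample when none is given.
TARGET=${1:-$SAMPLE_CFG}
if missing_opts "$TARGET"; then
    echo "all expected hardening options are set in $TARGET"
else
    echo "the options listed above are missing from $TARGET"
fi
```

Run it as `sh check-hardened.sh /proc/config.gz` (or `/boot/config-$(uname -r)`) on a booted gentoo-kernel to confirm the USE=hardened config actually took effect.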