Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 930732

Summary: sys-kernel/gentoo-kernel: update USE=hardened configs to include UBSAN
Product: Gentoo Linux Reporter: Sam James <sam>
Component: Current packagesAssignee: Distribution Kernel Project <dist-kernel>
Status: IN_PROGRESS ---    
Severity: normal CC: hardened
Priority: Normal Keywords: InVCS
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=2275162
https://salsa.debian.org/kernel-team/linux/-/merge_requests/1065
https://bugs.gentoo.org/show_bug.cgi?id=930733
https://github.com/projg2/gentoo-kernel-config/pull/13
Whiteboard:
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-04-26 19:46:46 UTC 
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings has received a bunch of updates including UBSAN.

I saw the recent post by kees about this which led me to look at it:
* https://fosstodon.org/@kees/112278296373441646
* https://fosstodon.org/@kees/112339190937233667
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-04-26 19:56:01 UTC 
kees: "Note that really only BOUNDS and SHIFT are ready for real-world environments. BOOL and ENUM have low signal-to-noise ratio"
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-04-29 18:49:24 UTC 
commit 3cf6026a1998010e2136946b3b01cf79aa0f1f90 (HEAD -> master, tag: g13, origin/master, origin/HEAD)
Author: Sam James <sam@gentoo.org>
Date:   Fri Apr 26 22:14:04 2024 +0100

    hardened-base.config: enable UBSAN

    Enables the following:
    * CONFIG_UBSAN
    * CONFIG_UBSAN_BOUNDS
    * CONFIG_UBSAN_SANITIZE_ALL
    * CONFIG_UBSAN_LOCAL_BOUNDS

    Prompted by discussion with Kees Cook at https://fosstodon.org/@kees/112339190937233667.

    Notes on decision-making:
    * Not doing CONFIG_UBSAN_TRAP for now, we can re-assess it later on. Others
    haven't set it.

    * UBSAN in the kernel is *not* the same as UBSAN in userland; the kernel
    hardening team are recommending its use in production, unlike userland
    where care is required to e.g. use the minimal runtime.

    Bug: https://bugs.gentoo.org/930732
    Signed-off-by: Sam James <sam@gentoo.org>
    Closes: https://github.com/projg2/gentoo-kernel-config/pull/13
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

commit fce9717516054d808ce4516d36f9dfbe5ae8a9f5
Author: Sam James <sam@gentoo.org>
Date:   Fri Apr 26 22:10:42 2024 +0100

    hardened-arm64.config, hardened-amd64.config, hardened-base.config: refresh

    Enable CONFIG_RANDOM_KMALLOC_CACHES, CONFIG_X86_USER_SHADOW_STACK,
    CONFIG_PAGE_TABLE_CHECK, and CONFIG_PAGE_TABLE_CHECK_ENFORCED.

    Prompted by conversation with Kees Cook at https://fosstodon.org/@kees/112339190937233667.

    Bug: https://bugs.gentoo.org/930732
    Signed-off-by: Sam James <sam@gentoo.org>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>