Bug 841488 - sys-kernel/gentoo-sources: Update of our 4567_distro-Gentoo-Kconfig.patch
Summary: sys-kernel/gentoo-sources: Update of our 4567_distro-Gentoo-Kconfig.patch
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Kernel Bug Wranglers and Kernel Maintainers
URL: https://kernsec.org/wiki/index.php/Ke...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-04-28 14:17 UTC by Peter
Modified: 2022-05-12 12:27 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Peter 2022-04-28 14:17:05 UTC
I would like to improve our KSPP settings in .../distro/Kconfig:


1. We have forgotten an old option:

CONFIG_HARDENED_USERCOPY=y


2. Since 2022-03-30 KSPP recommends 6 new options, which we should also set:

# Randomize kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y

# Enable sampling-based overflow detection. This is similar to KASAN coverage, but with almost zero runtime overhead.
CONFIG_KFENCE=y

# Do not ignore compile-time warnings (since v5.15)
CONFIG_WERROR=y

# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y

# Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y

# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)
CONFIG_ZERO_CALL_USED_REGS=y


3. Since 5.15 DEVKMEM doesn't exist anymore, so we don't need to check if it is unset and can cut !DEVKMEM =>

Depends on: GENTOO_LINUX [=y] && [...] && !DEVKMEM [=n] && [...]



Reproducible: Always

Steps to Reproduce:
It is not updated in 5.15.36
Actual Results:  
Old settings

Expected Results:  
New settings
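A way to verify whether a built kernel actually carries the settings requested in this report, as an added example that is not part of the bug report or of Gentoo's patch: it parses the kernel's `.config` format and reports every recommended option that is missing, disabled, or set to another value. The option list is the one from the report above; the `.config` fragment embedded below is constructed for the demonstration and is not a real Gentoo configuration.

```python
"""Check a kernel .config against the KSPP options from this bug report.

Added example (not Gentoo's code): a small parser for the kernel's .config
format plus a checker that reports which recommended options are absent,
disabled ("# CONFIG_X is not set") or set to a different value.
"""
import re

# Options requested in the report, each with the value KSPP recommends.
RECOMMENDED = {
    "CONFIG_HARDENED_USERCOPY": "y",
    "CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT": "y",
    "CONFIG_KFENCE": "y",
    "CONFIG_WERROR": "y",
    "CONFIG_IOMMU_DEFAULT_DMA_STRICT": "y",
    "CONFIG_SCHED_CORE": "y",
    "CONFIG_ZERO_CALL_USED_REGS": "y",
}

# "CONFIG_FOO=y" / "CONFIG_FOO=m" / 'CONFIG_FOO="str"' lines.
_SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
# Disabled options are written as a comment by kconfig.
_UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_config(text):
    """Parse .config text into {option: value}.

    A disabled option is recorded as "n"; an option that never appears
    (e.g. one the kernel version no longer has, like DEVKMEM after 5.15
    per the report) is simply absent from the result.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
            continue
        m = _UNSET_RE.match(line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg


def check_config(text, recommended=RECOMMENDED):
    """Return {option: (expected, actual)} for every option that does not match.

    `actual` is None when the option is not present in the file at all,
    which distinguishes "unknown to this kernel" from "explicitly disabled".
    """
    cfg = parse_config(text)
    findings = {}
    for opt, want in recommended.items():
        have = cfg.get(opt)
        if have != want:
            findings[opt] = (want, have)
    return findings


# Constructed sample .config fragment for the demonstration (not a real config):
# KFENCE is explicitly disabled and WERROR is absent entirely.
SAMPLE_CONFIG = """\
#
# Automatically generated file; DO NOT EDIT.
#
CONFIG_HARDENED_USERCOPY=y
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
# CONFIG_KFENCE is not set
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
CONFIG_SCHED_CORE=y
CONFIG_ZERO_CALL_USED_REGS=y
CONFIG_LOCALVERSION="-gentoo"
"""

if __name__ == "__main__":
    import sys

    # Pass a path to a real .config to check it; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for opt, (want, have) in sorted(check_config(text).items()):
        shown = "missing" if have is None else have
        print(f"{opt}: want {want}, have {shown}")
```

Run it against `/usr/src/linux/.config` (or `/proc/config.gz` after decompressing) to see which of the six options a given build is still missing; an option reported as "missing" rather than "n" is one the running kernel version does not offer at all, which is the situation the report describes for DEVKMEM.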
Comment 1 Mike Pagano gentoo-dev 2022-05-11 16:49:17 UTC
Everything is in except for CONFIG_WERROR=y which gyakovlev in #gentoo-hardened suggested could cause issues with some architectures.
Comment 2 Larry the Git Cow gentoo-dev 2022-05-11 17:40:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=e6616502ad6e34b980112d4828cf526fdfbf0635

commit e6616502ad6e34b980112d4828cf526fdfbf0635
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2022-05-11 17:25:52 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2022-05-11 17:25:52 +0000

    Update Gentoo Hardened patchset based on KSPP thanks to Peter Bo
    Bug: https://bugs.gentoo.org/841488
    
    Added:
    CONFIG_HARDENED_USERCOPY=y
    CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
    CONFIG_KFENCE=y
    CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
    CONFIG_SCHED_CORE=y
    CONFIG_ZERO_CALL_USED_REGS=y
    
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 4567_distro-Gentoo-Kconfig.patch | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
Comment 3 Larry the Git Cow gentoo-dev 2022-05-12 12:27:09 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b7bb70af4842e3e091c70631e4956023a91c946c

commit b7bb70af4842e3e091c70631e4956023a91c946c
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2022-05-12 12:26:09 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2022-05-12 12:26:09 +0000

    sys-kernel/gentoo-sources: add 5.17.7 and update to kspp patch
    
    Update Gentoo Hardened patchset based on KSPP thanks to Peter Bo
    
    Closes: https://bugs.gentoo.org/841488
    
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                 |  3 +++
 .../gentoo-sources/gentoo-sources-5.17.7.ebuild    | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb485852c43843d7272940266f52468c6e0c5a93

commit bb485852c43843d7272940266f52468c6e0c5a93
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2022-05-12 12:25:11 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2022-05-12 12:25:11 +0000

    sys-kernel/gentoo-sources: add 5.15.39 and ksp update
    
    Update Gentoo Hardened patchset based on KSPP thanks
    to Peter Bo (Mike Pagano)
    
    Bug: https://bugs.gentoo.org/841488
    
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                 |  3 +++
 .../gentoo-sources/gentoo-sources-5.15.39.ebuild   | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)