I saw kees posting on mastodon about this recently and realised we need to update 4567_distro-Gentoo-Kconfig.patch to include new KSPP recommendations from https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings. Specifically, we should enable the UBSAN stuff there for sure, for hardened.

See also:
* https://fosstodon.org/@kees/112278296373441646
* https://fosstodon.org/@kees/112339190937233667
kees: "Note that really only BOUNDS and SHIFT are ready for real-world environments. BOOL and ENUM have low signal-to-noise ratio"
I added UBSAN_BOUNDS and UBSAN_SHIFT and some dependencies. Please let me know if there are other config items you want to add.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=f9505074541db86a09aaf77aeeb425f029565fcf

commit f9505074541db86a09aaf77aeeb425f029565fcf
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2024-04-27 22:01:28 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2024-04-27 22:01:28 +0000

    Add UBSAN_BOUNDS and UBSAN_SHIFT and dependencies

    Bug: https://bugs.gentoo.org/930733
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 4567_distro-Gentoo-Kconfig.patch | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
(In reply to Mike Pagano from comment #2)
> I added UBSAN_BOUNDS and UBSAN_SHIFT and some dependencies. Please let me
> know if there are other config items you want to add.

Mike, could we add the following too please:

amd64 only:
CONFIG_X86_KERNEL_IBT=y
CONFIG_X86_USER_SHADOW_STACK=y

arm64 only:
CONFIG_SHADOW_CALL_STACK=y
CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y
CONFIG_ARM64_PTR_AUTH=y
CONFIG_ARM64_PTR_AUTH_KERNEL=y
CONFIG_ARM64_BTI=y
CONFIG_ARM64_BTI_KERNEL=y
CONFIG_ARM64_MTE=y
CONFIG_KASAN_HW_TAGS=y
CONFIG_ARM64_E0PD=y
CONFIG_ARM64_EPAN=y

all:
CONFIG_RANDOM_KMALLOC_CACHES=y
CONFIG_PAGE_TABLE_CHECK=y
CONFIG_PAGE_TABLE_CHECK_ENFORCED=y

Thank you!
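An added check script, not part of this bug thread or the Gentoo patch, that verifies a kernel .config enables the options requested in this comment (plus CONFIG_UBSAN, which the UBSAN_* options depend on) for a given arch; the sample .config it runs against is constructed here and is not a real Gentoo config.

```shell
#!/bin/sh
# Verify that a kernel .config enables the KSPP options requested in this bug.
# Usage: kspp_check <.config> <amd64|arm64>
# Prints each missing option as "MISSING: <opt>" and returns the missing count.

kspp_check() {
    cfg="$1"; arch="$2"
    # Options requested for every arch, plus CONFIG_UBSAN, the dependency
    # that UBSAN_BOUNDS and UBSAN_SHIFT need to be selectable at all.
    want="CONFIG_UBSAN CONFIG_UBSAN_BOUNDS CONFIG_UBSAN_SHIFT
          CONFIG_RANDOM_KMALLOC_CACHES CONFIG_PAGE_TABLE_CHECK
          CONFIG_PAGE_TABLE_CHECK_ENFORCED"
    case "$arch" in
        amd64) want="$want CONFIG_X86_KERNEL_IBT CONFIG_X86_USER_SHADOW_STACK" ;;
        arm64) want="$want CONFIG_SHADOW_CALL_STACK CONFIG_UNWIND_PATCH_PAC_INTO_SCS
                     CONFIG_ARM64_PTR_AUTH CONFIG_ARM64_PTR_AUTH_KERNEL
                     CONFIG_ARM64_BTI CONFIG_ARM64_BTI_KERNEL CONFIG_ARM64_MTE
                     CONFIG_KASAN_HW_TAGS CONFIG_ARM64_E0PD CONFIG_ARM64_EPAN" ;;
        *) echo "unsupported arch: $arch" >&2; return 99 ;;
    esac
    missing=0
    for opt in $want; do
        # Only an exact "CONFIG_FOO=y" line counts as enabled; both
        # "# CONFIG_FOO is not set" and "CONFIG_FOO=m" count as missing.
        grep -qx "${opt}=y" "$cfg" || { echo "MISSING: $opt"; missing=$((missing + 1)); }
    done
    return "$missing"
}

# Constructed sample .config (not a real Gentoo config): two options unset.
SAMPLE_CONFIG=$(mktemp "${TMPDIR:-/tmp}/kspp-sample.XXXXXX")
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_UBSAN=y
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_SHIFT=y
CONFIG_RANDOM_KMALLOC_CACHES=y
CONFIG_PAGE_TABLE_CHECK=y
# CONFIG_PAGE_TABLE_CHECK_ENFORCED is not set
CONFIG_X86_KERNEL_IBT=y
# CONFIG_X86_USER_SHADOW_STACK is not set
EOF

# On a live system: zcat /proc/config.gz > /tmp/cfg && kspp_check /tmp/cfg amd64
kspp_check "$SAMPLE_CONFIG" amd64 || echo "$? option(s) missing for amd64"
```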
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=12593a65130d8f0ca1b837d5a3cd05388194568b

commit 12593a65130d8f0ca1b837d5a3cd05388194568b
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2024-05-02 16:20:27 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2024-05-02 16:20:27 +0000

    sys-kernel/gentoo-sources: add 6.8.9, and KSPP updates and BMQ v6.8-r6

    BMQ Patch v6.8-r6
    Add UBSAN_BOUNDS and UBSAN_SHIFT and dependencies

    Bug: https://bugs.gentoo.org/930733
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest              |  3 +++
 .../gentoo-sources/gentoo-sources-6.8.9.ebuild  | 27 ++++++++++++++++++++++
 2 files changed, 30 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=55e3a97e981ac6415c11cae37ff93f833faa6955

commit 55e3a97e981ac6415c11cae37ff93f833faa6955
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2024-05-02 16:19:36 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2024-05-02 16:19:36 +0000

    sys-kernel/gentoo-sources: add 6.6.30 and KSPP updates

    Add UBSAN_BOUNDS and UBSAN_SHIFT and dependencies

    Bug: https://bugs.gentoo.org/930733
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest              |  3 +++
 .../gentoo-sources/gentoo-sources-6.6.30.ebuild | 27 ++++++++++++++++++++++
 2 files changed, 30 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f0cde63fe6a6311797f332a9cf873a478654e8ee

commit f0cde63fe6a6311797f332a9cf873a478654e8ee
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2024-05-02 16:17:57 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2024-05-02 16:17:57 +0000

    sys-kernel/gentoo-sources: add 5.15.158 and KSPP updates

    Add UBSAN_BOUNDS and UBSAN_SHIFT and dependencies

    Bug: https://bugs.gentoo.org/930733
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                |  2 ++
 .../gentoo-sources/gentoo-sources-5.15.158.ebuild | 27 ++++++++++++++++++++++
 2 files changed, 29 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db756a95113a1477fafbdcbcdd4d580cc3c12b2a

commit db756a95113a1477fafbdcbcdd4d580cc3c12b2a
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2024-05-02 16:16:37 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2024-05-02 16:16:37 +0000

    sys-kernel/gentoo-sources: add 5.10.216 and KSPP updates

    Add UBSAN_BOUNDS and UBSAN_SHIFT and dependencies

    Bug: https://bugs.gentoo.org/930733
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                |  3 +++
 .../gentoo-sources/gentoo-sources-5.10.216.ebuild | 27 ++++++++++++++++++++++
 2 files changed, 30 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=abbbd285be43f4a758e4cbaac9cf33c6bc74e32a

commit abbbd285be43f4a758e4cbaac9cf33c6bc74e32a
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2024-05-05 17:54:13 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2024-05-05 17:54:13 +0000

    Update to KSPP patch

    Bug: https://bugs.gentoo.org/930733
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 4567_distro-Gentoo-Kconfig.patch | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cc5171bf27ae9a8d1ac8c1cf83fb5732e2bc65b8

commit cc5171bf27ae9a8d1ac8c1cf83fb5732e2bc65b8
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2024-05-17 13:01:29 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2024-05-17 13:03:18 +0000

    sys-kernel/gentoo-sources: add 6.8.10, update to KSPP Patch

    Closes: https://bugs.gentoo.org/930733
    Do not select BMQ on default

    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest              |  3 +++
 .../gentoo-sources/gentoo-sources-6.8.10.ebuild | 27 ++++++++++++++++++++++
 2 files changed, 30 insertions(+)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a2adea6ef97874fb30db50f1c554fdb4b2da0a76

commit a2adea6ef97874fb30db50f1c554fdb4b2da0a76
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2024-05-17 13:00:44 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2024-05-17 13:03:17 +0000

    sys-kernel/gentoo-sources: add 6.6.31, update to KSPP Patch

    Bug: https://bugs.gentoo.org/930733
    Removed redundant patch:
    2930_gcc14-btrfs-fix-kvcalloc-args-order.patch

    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest              |  3 +++
 .../gentoo-sources/gentoo-sources-6.6.31.ebuild | 27 ++++++++++++++++++++++
 2 files changed, 30 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5593f3ebe61daafe198689c1aa11627f7577abf9

commit 5593f3ebe61daafe198689c1aa11627f7577abf9
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2024-05-17 12:59:56 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2024-05-17 13:03:17 +0000

    sys-kernel/gentoo-sources: add 6.1.91, update to KSPP Patch

    Bug: https://bugs.gentoo.org/930733
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest              |  3 +++
 .../gentoo-sources/gentoo-sources-6.1.91.ebuild | 27 ++++++++++++++++++++++
 2 files changed, 30 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3e8830d5f459f9025aa5368b4c6f31a752a1396

commit e3e8830d5f459f9025aa5368b4c6f31a752a1396
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2024-05-17 12:59:09 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2024-05-17 13:03:17 +0000

    sys-kernel/gentoo-sources: add 5.15.159, update to KSPP Patch

    Bug: https://bugs.gentoo.org/930733
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                |  2 ++
 .../gentoo-sources/gentoo-sources-5.15.159.ebuild | 27 ++++++++++++++++++++++
 2 files changed, 29 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=edc9e0c9c4bed12da70c14d10b7eb38b7cef1022

commit edc9e0c9c4bed12da70c14d10b7eb38b7cef1022
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2024-05-17 12:58:09 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2024-05-17 13:03:17 +0000

    sys-kernel/gentoo-sources: add 5.10.217

    Update to KSPP patch

    Bug: https://bugs.gentoo.org/930733
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                |  3 +++
 .../gentoo-sources/gentoo-sources-5.10.217.ebuild | 27 ++++++++++++++++++++++
 2 files changed, 30 insertions(+)