kconfig-hardened-check

Create a tool that changes kconfig options according to the recommendations

Open a13xp0p0v opened this issue 2 years ago • 1 comments

It should use the JSON output of kconfig-hardened-check.

a13xp0p0v avatar Jul 04 '22 00:07 a13xp0p0v

See https://pypi.org/project/kconfiglib/

a13xp0p0v avatar Jul 17 '22 13:07 a13xp0p0v

That tool would also help to filter out the kconfig options that can't be enabled for the given kernel version.

a13xp0p0v avatar Feb 17 '23 16:02 a13xp0p0v

This feature is implemented as a part of the kconfig-hardened-check tool.

With the -g argument, the tool generates a Kconfig fragment with the security hardening options for the selected microarchitecture.

This Kconfig fragment can be merged with the existing Linux kernel config:

```
$ ./bin/kconfig-hardened-check -g X86_64 > /tmp/fragment
$ cd ~/linux-src/
$ ./scripts/kconfig/merge_config.sh .config /tmp/fragment
Using .config as base
Merging /tmp/fragment
Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment /tmp/fragment:
Previous value: # CONFIG_BUG_ON_DATA_CORRUPTION is not set
New value: CONFIG_BUG_ON_DATA_CORRUPTION=y
 ...
```

a13xp0p0v avatar Jun 12 '23 15:06 a13xp0p0v
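An added example, not part of the issue thread or the project's code: Kconfig drops requested options whose dependencies are unmet or that do not exist in the given kernel version, so after merging the fragment it is worth checking which hardening options did not reach the final `.config`. The `CONFIG_EXAMPLE_*` names and both sample texts are constructed for illustration.

```python
import re

# Kconfig line forms: "CONFIG_FOO=value" and "# CONFIG_FOO is not set".
SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_kconfig(text):
    """Map option name -> value; 'n' stands for 'is not set'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = UNSET_RE.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def unapplied(fragment_text, final_config_text):
    """Return {option: (wanted, actual)} for fragment options the final config lacks."""
    wanted = parse_kconfig(fragment_text)
    final = parse_kconfig(final_config_text)
    diff = {}
    for name, value in wanted.items():
        actual = final.get(name, "n")  # absent from .config reads as not set
        if actual != value:
            diff[name] = (value, actual)
    return diff


# Constructed sample data (hypothetical option names), not output of the real tool.
FRAGMENT = """\
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_EXAMPLE_NEWER_KERNEL_ONLY=y
# CONFIG_EXAMPLE_LEGACY_FEATURE is not set
"""
FINAL_CONFIG = """\
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_EXAMPLE_LEGACY_FEATURE=y
"""

if __name__ == "__main__":
    for name, (want, got) in sorted(unapplied(FRAGMENT, FINAL_CONFIG).items()):
        print(f"{name}: requested {want}, final config has {got}")
```

Any option it reports is a hardening recommendation that the resulting kernel build will not actually carry.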