Linux 6.7 Introduces "make hardening.config" To Help Build A Hardened Kernel


  • #1

    Phoronix: Linux 6.7 Introduces "make hardening.config" To Help Build A Hardened Kernel

    The hardening updates for the Linux 6.7 kernel bring a new hardening configuration profile to help in building a security hardened kernel with some sane defaults...


  • #2
    Oooh, I would really like this back ported to 6.1, pretty please! It does look useful for sure.



    • #3
      I guess it's a step in the right direction. However:
      * not only without backports (6.1 might be a long shot unless someone spends time also backporting the fixes it may depend on, but backporting to 6.6 should be doable), it won't be part of kernels used in the real world by a majority for years;
      * but also, it fails to disable known sources of streams of security vulnerabilities: the likes of eBPF JIT, io_uring, unprivileged user namespaces.



      • #4
        So is $ make hardening.config used instead of e.g. $ make defconfig, or after $ make oldconfig, or what? Basically I guess I'm asking: "I have my own .config, developed over time, and it works great for me.

        How can I use hardening.config to 'suggest' tweaks to it that I can answer Y, N, or ? and get more hardening without sacrificing most previous choices?"



        • #5
          Originally posted by gavron View Post
          How can I use hardening.config to "suggest" tweaks to it that I can answer Y, N, or ? and get more hardening without sacrificing most previous choices?
          scripts/kconfig/merge_config.sh

          Configs are here:
          [GitHub link into the torvalds/linux source tree]

          (note also architecture-specific arch/*/configs/hardening.config files)
          Last edited by Jakobson; 05 November 2023, 07:14 PM.



          • #6
            Originally posted by Jakobson View Post

            scripts/kconfig/merge_config.sh

            Configs are here:
            [GitHub link into the torvalds/linux source tree]

            (note also architecture-specific arch/*/configs/hardening.config files)
            @jakobson: Thank you!!
            Interestingly, $ make hardening.config requires an existing .config, which it merely modifies. This means that, to answer my own previous question another way, one can either have an old .config or use $ make defconfig && make hardening.config.

            Edit: Just finished booting linux-6.6.0-next-20231103 with the hardening script. It booted a bit faster than 6.6.0 and I'm too tired to figure out why. The metric is what the last timestamp is from a verbose boot before getting the LUKS prompt. Sample size of one is not yet science ... but also not a performance regression.
            Last edited by gavron; 05 November 2023, 08:28 PM.



            • #7
              Uuuuh..... Hard.... Hhhuh huh hhhuh huh

              http://www.dirtcellar.net



              • #8
                Originally posted by gavron View Post
                Interestingly, $ make hardening.config requires an existing .config, which it merely modifies.
                Yes, it is a kernel config fragment file. Their purpose is to enable only a particular intended feature and nothing more.
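The workflow gavron arrives at in #6 (`make defconfig && make hardening.config`, i.e. a fragment merged on top of an existing .config) and the fragment mechanism Jakobson and #8 point at have one practical gap worth checking: after the merge, `make olddefconfig` silently drops any requested option whose Kconfig dependencies are unmet on your arch or toolchain, so a fragment that "applied" may not have landed in full. The script below is an added example, not code from the page, from Phoronix or from the kernel tree. It re-implements the merge semantics of scripts/kconfig/merge_config.sh (later value wins) in plain POSIX sh and adds an audit that compares the fragment against the final .config. The config contents inside it are constructed samples; the `demo`, `merge_fragment`, `check_fragment` and `config_entries` names are mine. One assumption is stated in the header comment: that the Makefile's `%.config` target runs merge_config.sh with -m, which merges and exits without the "value requested ... not in final .config" warnings the script prints when run on its own.

```shell
#!/bin/sh
# Added example: not code from the page, from Phoronix or from the kernel tree.
# It mimics what `make hardening.config` does to an existing .config (merge a
# Kconfig fragment, later value wins, then `make olddefconfig`) and adds the
# audit the Makefile target does not do: list every option the fragment asked
# for that did not survive Kconfig's dependency resolution.  Assumption: the
# target calls scripts/kconfig/merge_config.sh with -m, which merges and exits
# without the "value requested ... not in final .config" warnings the script
# prints when run on its own.  All file contents below are constructed samples.

# Print "NAME VALUE" for each option line of a .config or fragment;
# "# CONFIG_FOO is not set" is reported as "CONFIG_FOO n".
config_entries() {
    sed -n \
        -e 's/^\(CONFIG_[A-Za-z0-9_]*\)=\(.*\)$/\1 \2/p' \
        -e 's/^# \(CONFIG_[A-Za-z0-9_]*\) is not set$/\1 n/p' "$1"
}

# merge_fragment BASE FRAGMENT: emit BASE with FRAGMENT's values overriding,
# which is merge_config.sh's merge step (what you have before olddefconfig).
merge_fragment() {
    tmp=$(mktemp)
    cp "$1" "$tmp"
    for name in $(config_entries "$2" | cut -d' ' -f1); do
        grep -v -E "^(${name}=|# ${name} is not set)" "$tmp" > "$tmp.new" || true
        mv "$tmp.new" "$tmp"
    done
    cat "$tmp"
    grep -E '^(CONFIG_|# CONFIG_)' "$2"
    rm -f "$tmp"
}

# check_fragment FRAGMENT FINAL: print one line per option whose value in the
# final .config differs from what the fragment requested; return 1 if any do.
check_fragment() {
    report=$(config_entries "$1" | while read -r name want; do
        got=$(config_entries "$2" | awk -v n="$name" '$1 == n { sub(/^[^ ]* /, ""); print }')
        [ -n "$got" ] || got=n      # absent from .config means "not set"
        [ "$got" = "$want" ] || echo "$name: fragment wants $want, final .config has $got"
    done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Worked run on constructed files: a small base .config, a fragment of the
# kind hardening.config carries, and the .config olddefconfig would leave
# behind on a GCC build, where CONFIG_CFI_CLANG cannot be enabled.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/base.config" <<'EOF'
CONFIG_LOCALVERSION="-sample"
CONFIG_CC_IS_GCC=y
# CONFIG_INIT_STACK_ALL_ZERO is not set
CONFIG_SLAB_MERGE_DEFAULT=y
CONFIG_RANDSTRUCT_NONE=y
EOF
    cat > "$dir/fragment.config" <<'EOF'
CONFIG_INIT_STACK_ALL_ZERO=y
# CONFIG_SLAB_MERGE_DEFAULT is not set
CONFIG_RANDSTRUCT_FULL=y
CONFIG_CFI_CLANG=y
EOF
    # What olddefconfig produced from the merge (constructed, not computed).
    cat > "$dir/final.config" <<'EOF'
CONFIG_LOCALVERSION="-sample"
CONFIG_CC_IS_GCC=y
CONFIG_INIT_STACK_ALL_ZERO=y
# CONFIG_SLAB_MERGE_DEFAULT is not set
# CONFIG_RANDSTRUCT_NONE is not set
CONFIG_RANDSTRUCT_FULL=y
# CONFIG_CFI_CLANG is not set
EOF
    merge_fragment "$dir/base.config" "$dir/fragment.config" > "$dir/merged.config"
    if check_fragment "$dir/fragment.config" "$dir/final.config"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

# In a real tree the equivalent is:
#   make defconfig && make hardening.config     # or start from your own .config
#   scripts/diffconfig .config.old .config       # what the merge actually changed
#   check_fragment kernel/configs/hardening.config .config
demo || echo "at least one requested option did not survive Kconfig"
```

The interesting output line is the one for CONFIG_CFI_CLANG: the fragment asked for it, the merge wrote it into .config, and dependency resolution took it back out. Running the audit after every `make *.config` is the cheap way to notice that, and `scripts/diffconfig .config.old .config` (both real tools in the tree; Kconfig keeps the previous config as .config.old) shows everything else the merge changed so you can review it against your own long-lived choices.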

