GitList

Browse code

linux-secure: added extra hardening from KSPP

- cmdline: added pti=on
- config: PANIC_TIMEOUT=-1, DEBUG_RODATA_TEST=y
- NCC Group recommendation: added audit=1 cmdline to have it
enabled from the very beginning

Change-Id: I449baf30e62ca5decc28c5889c388066c1eaec7d
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6487
Tested-by: michellew <michellew@vmware.com>
Reviewed-by: Srivatsa S. Bhat <srivatsab@vmware.com>

Alexey Makhalov authored on 2019/01/11 06:58:10
Showing 2 changed files

SPECS/linux/config-secure index 04c8edb..4d77dbd 100644
SPECS/linux/linux-secure.spec index 3b94ca3..9727c75 100644

SPECS/linux/config-secure

History View file @ bfa7f23

@@ -4823,7 +4823,7 @@ CONFIG_PAGE_POISONING=y
                      CONFIG_PAGE_POISONING_NO_SANITY=y
                      CONFIG_PAGE_POISONING_ZERO=y
                      # CONFIG_DEBUG_PAGE_REF is not set
                     -# CONFIG_DEBUG_RODATA_TEST is not set
                     +CONFIG_DEBUG_RODATA_TEST=y
                      # CONFIG_DEBUG_OBJECTS is not set
                      # CONFIG_SLUB_DEBUG_ON is not set
                      # CONFIG_SLUB_STATS is not set
@@ -4863,7 +4863,7 @@ CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
                      # CONFIG_WQ_WATCHDOG is not set
                      CONFIG_PANIC_ON_OOPS=y
                      CONFIG_PANIC_ON_OOPS_VALUE=1
                     -CONFIG_PANIC_TIMEOUT=0
                     +CONFIG_PANIC_TIMEOUT=-1
                      CONFIG_SCHED_DEBUG=y
                      CONFIG_SCHED_INFO=y
                      CONFIG_SCHEDSTATS=y

SPECS/linux/linux-secure.spec

History View file @ bfa7f23

@@ -2,7 +2,7 @@
                      Summary:        Kernel
                      Name:           linux-secure
                      Version:        4.19.6
                     -Release:        3%{?kat_build:.%kat_build}%{?dist}
                     +Release:        4%{?kat_build:.%kat_build}%{?dist}
                      License:        GPLv2
                      URL:            http://www.kernel.org/
                      Group:          System Environment/Kernel
@@ -172,7 +172,7 @@ cp -v vmlinux %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}/vmlinux-%{uname_
                      # because .ko files will be loaded from the memory (LoadPin: obj=<unknown>)
                      cat > %{buildroot}/boot/linux-%{uname_r}.cfg << "EOF"
                      # GRUB Environment Block
                     -photon_cmdline=init=/lib/systemd/systemd ro loglevel=3 quiet no-vmw-sta loadpin.enabled=0 slub_debug=P page_poison=1 slab_nomerge
                     +photon_cmdline=init=/lib/systemd/systemd ro loglevel=3 quiet no-vmw-sta loadpin.enabled=0 audit=1 slub_debug=P page_poison=1 slab_nomerge pti=on
                      photon_linux=vmlinuz-%{uname_r}
                      photon_initrd=initrd.img-%{uname_r}
                      EOF
@@ -234,6 +234,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
                      /usr/src/linux-headers-%{uname_r}
                      %changelog
                     +*   Thu Jan 10 2019 Alexey Makhalov <amakhalov@vmware.com> 4.19.6-4
                     +-   cmdline: added audit=1 pti=on
                     +-   config: PANIC_TIMEOUT=-1, DEBUG_RODATA_TEST=y
                      *   Wed Jan 09 2019 Alexey Makhalov <amakhalov@vmware.com> 4.19.6-3
                      -   Additional security hardening options in the config.
                      *   Fri Jan 04 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.6-2