Enabled hardening configs default to build. #1223
base: master
ci/base.yml (outdated diff):
| IMAGE_FSTYPES += "qcomflash" | ||
| extra: | | ||
| DISTRO_FEATURES:append = " efi pni-names" | ||
| DISTRO_FEATURES:append = " efi pni-names hardened" |
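Review bot: the `hardened` token appended to DISTRO_FEATURES in this hunk lives only in the kas CI config, so whatever the recipe gates on it is a CI-only opt-in rather than the build default the PR title claims; any build that does not go through ci/base.yml would silently skip hardening.config, and since the layer publishes no binary images that is most downstream builds. If the intent is "default to build", the recipe should merge the fragment unconditionally and this line should stay as `DISTRO_FEATURES:append = " efi pni-names"`, with any opt-out expressed in the recipe rather than through a distro feature that no other layer defines.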
If we are enabling this by default, why is a distro feature needed? Can't CONFIG_LIST be populated unconditionally?
Opt-Out Support: The hardened feature remains configurable, allowing users to explicitly remove it from DISTRO_FEATURES if they choose to disable hardening.
So, any user not using Kas will not get hardened features? Why do we have them here then? We are not publishing binary images.
Acknowledged. Updated and removed the dependency on the hardened feature.
(force-pushed 5ab5518 to 0c8eae9)
quaresmajose
left a comment
Good to drop the hardening distro feature, which doesn't seem to exist anywhere in all other layers.
(force-pushed f998ff5 to e61e7c0)
lumag
left a comment
Please write a proper commit subject and message. For the subject: you are changing a particular recipe rather than the full meta-qcom layer. Then please rewrite the commit message as normal English text, describing the issue that you are trying to solve and what is to be done (use imperative language).
Kernel builds currently lack default security hardening options. Add support to merge `hardening.config` during configuration using merge_config.sh. Introduce `KBUILD_CONFIG_EXTRA` (following KBUILD naming conventions) for internal kernel configs like hardening.config, keeping them separate from external fragments managed via SRC_URI. This ensures consistent hardening across builds.

Signed-off-by: Abhilasha Manna <[email protected]>
(force-pushed e61e7c0 to b63e07e)
Updated commit message per suggestion.
quaresmajose
left a comment
LGTM. thanks
This seems to break building of the kgsl-dlkm module. Could you please take a look at why?

Interesting, I wonder which new option is causing that for this module in particular.

This would apply only to the debug package.

No. This would mean that the builds are not binary-reproducible. So, NAK.

Yes, we need to understand what is causing TMPDIR to be exposed and see if we can fix the kernel or if we should fix the recipes; adding to INSANE_SKIP is not acceptable.
This PR introduces support for merging hardening.config into the kernel configuration for linux-qcom-next.
The goal is to ensure that security hardening options are applied consistently across all builds.

What's Changed
- Added logic to include hardening.config during kernel configuration using merge_config.sh.
- Introduced a new variable KBUILD_CONFIG_EXTRA (aligned with KBUILD naming conventions) to manage internal kernel configuration files like hardening.config.
- Maintained separation between internal configs and external fragments (*.cfg) managed via SRC_URI.

Why This Change
Kernel builds previously lacked default hardening options, which could lead to reduced security.
This update ensures that compiler-based mitigations and other hardening features are applied by default.

Verification
Verified build on QCS9100-ride-sx. Kernel configuration includes hardening options as expected.

Ref: 1201#issuecomment-3543906617
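The merge-and-verify flow the PR describes, as an added shell example that is not code from meta-qcom, the linux-qcom-next recipe, or the kernel tree. It emulates the one rule of scripts/kconfig/merge_config.sh that matters here (the last definition of a symbol wins, whether `CONFIG_X=y` or `# CONFIG_X is not set`) so the merge can be run offline, then checks the result the way a CI job would, and lists every symbol the fragment changed, which is the first thing to look at when an out-of-tree module such as the one discussed above stops building after the merge. The base `.config` and the hardening fragment are constructed samples (an illustrative subset of option names, not the real kernel/configs/hardening.config), and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not from meta-qcom or the kernel tree: emulate the
# last-definition-wins semantics of merge_config.sh on a base .config plus
# fragments, then verify the merged result. Inputs in demo() are constructed.

# normalize CFG : print one "CONFIG_SYM=VALUE" line per defined symbol,
# rewriting "# CONFIG_SYM is not set" as "CONFIG_SYM=n" for easy comparison.
normalize() {
    sed -n \
        -e '/^CONFIG_[A-Za-z0-9_]*=/p' \
        -e 's/^# \(CONFIG_[A-Za-z0-9_]*\) is not set$/\1=n/p' "$1"
}

# merge_fragments OUT BASE FRAG... : copy BASE to OUT, then apply fragments in
# order; a symbol set by a later fragment replaces any earlier definition.
merge_fragments() {
    out=$1; base=$2; shift 2
    cp "$base" "$out"
    for frag in "$@"; do
        normalize "$frag" | while IFS= read -r entry; do
            sym=${entry%%=*}
            # drop the existing definition (set or "is not set") of this symbol
            grep -v -e "^$sym=" -e "^# $sym is not set$" "$out" > "$out.tmp" || true
            mv "$out.tmp" "$out"
        done
        # append the fragment's own definitions; plain comments are skipped
        grep -e '^CONFIG_[A-Za-z0-9_]*=' -e '^# CONFIG_[A-Za-z0-9_]* is not set$' \
            "$frag" >> "$out" || true
    done
}

# config_value CFG SYM : effective value of SYM in CFG ("n" when absent/unset)
config_value() {
    v=$(normalize "$1" | sed -n "s/^$2=//p" | tail -n 1)
    printf '%s\n' "${v:-n}"
}

# require_enabled CFG SYM... : 0 only if every SYM is =y; reports the rest
require_enabled() {
    cfg=$1; shift
    rc=0
    for sym in "$@"; do
        if [ "$(config_value "$cfg" "$sym")" != "y" ]; then
            echo "not enabled: $sym" >&2
            rc=1
        fi
    done
    return $rc
}

# changed_symbols MERGED BASE : print "SYM old->new" for each symbol whose
# effective value differs between BASE and MERGED.
changed_symbols() {
    normalize "$1" | while IFS= read -r entry; do
        sym=${entry%%=*}; new=${entry#*=}
        old=$(config_value "$2" "$sym")
        [ "$old" = "$new" ] || printf '%s %s->%s\n' "$sym" "$old" "$new"
    done
}

# demo : merge a constructed hardening fragment into a constructed base config,
# verify the expected options, and print what changed. Returns 0 on success.
demo() {
    d=$(mktemp -d) || return 1
    # constructed base .config (a handful of symbols, not a real defconfig)
    cat > "$d/base.config" <<'EOF'
CONFIG_ARM64=y
CONFIG_DEVMEM=y
# CONFIG_STACKPROTECTOR_STRONG is not set
CONFIG_LOCALVERSION=""
EOF
    # constructed fragment: an illustrative subset of hardening.config
    cat > "$d/hardening.config" <<'EOF'
# compiler mitigations and memory-protection options
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_DEVMEM is not set
EOF
    merge_fragments "$d/.config" "$d/base.config" "$d/hardening.config"
    rc=0
    require_enabled "$d/.config" CONFIG_STACKPROTECTOR_STRONG \
        CONFIG_INIT_ON_ALLOC_DEFAULT_ON CONFIG_STRICT_KERNEL_RWX || rc=1
    # the fragment must also be able to turn a base option off
    [ "$(config_value "$d/.config" CONFIG_DEVMEM)" = "n" ] || rc=1
    changed_symbols "$d/.config" "$d/base.config"
    rm -rf "$d"
    return $rc
}

# `sh thisfile.sh demo` runs the demo; sourcing the file only defines functions
if [ "${1:-}" = "demo" ]; then demo; fi
```

Against a real build, point `changed_symbols` at the recipe's merged `.config` and the pre-merge defconfig: the list it prints is the candidate set when a module breaks after hardening is enabled, and `require_enabled` with the option names from the actual hardening.config is the check a CI job should run instead of trusting that the merge happened.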