[RFC PATCH 9/9] powerpc/configs/skiroot: Enable some more hardening options

Joel Stanley joel at jms.id.au
Thu Jan 16 12:51:26 AEDT 2020


On Thu, 16 Jan 2020 at 01:48, Michael Ellerman <mpe at ellerman.id.au> wrote:
>
> Enable more hardening options.
>
> Note BUG_ON_DATA_CORRUPTION selects DEBUG_LIST and is essentially just
> a synonym for it.
>
> DEBUG_SG, DEBUG_NOTIFIERS, DEBUG_LIST, DEBUG_CREDENTIALS and
> SCHED_STACK_END_CHECK should all be low overhead and just add a few
> extra checks.
>
> Unselecting SLAB_MERGE_DEFAULT causes the SLAB to use more memory, but
> the skiroot kernel shouldn't be memory constrained on any of our
> systems, all it does is run a small bootloader.

Why do we unselect it?

> SLAB_FREELIST_RANDOM, and SLUB_DEBUG_ON will add some overhead to the
> SLAB allocator, but nothing that should be meaningful for skiroot.
>
> Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>

Acked-by: Joel Stanley <joel at jms.id.au>


> ---
>  arch/powerpc/configs/skiroot_defconfig | 8 ++++++++
>  1 file changed, 8 insertions(+)
>
> diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig
> index 12c96c8b0c1d..59c2de904fda 100644
> --- a/arch/powerpc/configs/skiroot_defconfig
> +++ b/arch/powerpc/configs/skiroot_defconfig
> @@ -23,6 +23,8 @@ CONFIG_EXPERT=y
>  # CONFIG_AIO is not set
>  CONFIG_PERF_EVENTS=y
>  # CONFIG_COMPAT_BRK is not set
> +# CONFIG_SLAB_MERGE_DEFAULT is not set
> +CONFIG_SLAB_FREELIST_RANDOM=y
>  CONFIG_SLAB_FREELIST_HARDENED=y
>  CONFIG_PPC64=y
>  CONFIG_ALTIVEC=y
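
Review bot: The "# CONFIG_SLAB_MERGE_DEFAULT is not set" line is justified in the commit message only by its cost (more memory), not by what it gains, which is the question raised in the reply above. Add a sentence to the changelog stating the hardening benefit of turning merging off, so the reason for carrying the extra memory use is recorded next to the change.
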
> @@ -293,6 +295,8 @@ CONFIG_LIBCRC32C=y
>  # CONFIG_XZ_DEC_SPARC is not set
>  CONFIG_PRINTK_TIME=y
>  CONFIG_MAGIC_SYSRQ=y
> +CONFIG_SLUB_DEBUG_ON=y
> +CONFIG_SCHED_STACK_END_CHECK=y
>  CONFIG_DEBUG_STACKOVERFLOW=y
>  CONFIG_PANIC_ON_OOPS=y
>  CONFIG_SOFTLOCKUP_DETECTOR=y
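
Review bot: For "CONFIG_SLUB_DEBUG_ON=y" the changelog says the overhead is "nothing that should be meaningful for skiroot" but gives no figure. Since this is an RFC, a boot-time or memory comparison from a skiroot boot with and without this line would let reviewers confirm that, and would separate its cost from that of CONFIG_SLAB_FREELIST_RANDOM, which the message lumps together with it.
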
> @@ -301,6 +305,10 @@ CONFIG_HARDLOCKUP_DETECTOR=y
>  CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
>  CONFIG_WQ_WATCHDOG=y
>  # CONFIG_SCHED_DEBUG is not set
> +CONFIG_DEBUG_SG=y
> +CONFIG_DEBUG_NOTIFIERS=y
> +CONFIG_BUG_ON_DATA_CORRUPTION=y
> +CONFIG_DEBUG_CREDENTIALS=y
>  # CONFIG_FTRACE is not set
>  CONFIG_XMON=y
>  # CONFIG_RUNTIME_TESTING_MENU is not set
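
Review bot: The changelog lists DEBUG_LIST among the options being enabled, but this hunk adds no "CONFIG_DEBUG_LIST=y" line; only "CONFIG_BUG_ON_DATA_CORRUPTION=y" appears. That matches the note that BUG_ON_DATA_CORRUPTION selects DEBUG_LIST, but the message would be clearer if it said DEBUG_LIST is enabled through that select rather than naming it alongside DEBUG_SG, DEBUG_NOTIFIERS and DEBUG_CREDENTIALS, which do get their own lines here.
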
> --
> 2.21.1
>

