[PATCH 7/9] powerpc/configs/skiroot: Enable security features

Oliver O'Halloran oohall at gmail.com
Thu Jan 16 18:10:40 AEDT 2020


On Thu, Jan 16, 2020 at 4:00 PM Daniel Axtens <dja at axtens.net> wrote:
>
> Michael Ellerman <mpe at ellerman.id.au> writes:
>
> > From: Joel Stanley <joel at jms.id.au>
> >
> > This turns on HARDENED_USERCOPY with HARDENED_USERCOPY_PAGESPAN, and
> > FORTIFY_SOURCE.
> >
> > It also enables SECURITY_LOCKDOWN_LSM with _EARLY and
> > LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY options enabled.
> >
>
> As I said before, this will disable xmon entirely. If we want to set
> this, we should compile out xmon. But if we want xmon in read-only mode
> to be an option, we should pick integrity mode.
>
> I don't really mind, because I don't work with skiroot very
> much. Oliver, Joel, Nayna, you all do stuff around this sort of level -
> is this a problem for any of you?

Keep it enabled and force INTEGRITY mode. There are some cases where
xmon is the only method for debugging a crashing skiroot (hello SMC
BMCs) so I'd rather it remained available. If there's some actual
security benefit to disabling it entirely then someone should
articulate that.

Oliver


More information about the Linuxppc-dev mailing list