[PATCH 7/9] powerpc/configs/skiroot: Enable security features
Joel Stanley
joel at jms.id.au
Thu Jan 16 18:14:31 AEDT 2020
On Thu, 16 Jan 2020 at 07:10, Oliver O'Halloran <oohall at gmail.com> wrote:
>
> On Thu, Jan 16, 2020 at 4:00 PM Daniel Axtens <dja at axtens.net> wrote:
> >
> > Michael Ellerman <mpe at ellerman.id.au> writes:
> >
> > > From: Joel Stanley <joel at jms.id.au>
> > >
> > > This turns on HARDENED_USERCOPY with HARDENED_USERCOPY_PAGESPAN, and
> > > FORTIFY_SOURCE.
> > >
> > > It also enables SECURITY_LOCKDOWN_LSM with _EARLY and
> > > LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY options enabled.
> > >
> >
> > As I said before, this will disable xmon entirely. If we want to set
> > this, we should compile out xmon. But if we want xmon in read-only mode
> > to be an option, we should pick integrity mode.
> >
> > I don't really mind, because I don't work with skiroot very
> > much. Oliver, Joel, Nayna, you all do stuff around this sort of level -
> > is this a problem for any of you?
>
> Keep it enabled and force INTEGRITY mode. There are some cases where
> xmon is the only method for debugging a crashing skiroot (hello SMC
> BMCs) so I'd rather it remained available. If there's some actual
> security benefit to disabling it entirely then someone should
> articulate that.
Ack.
More information about the Linuxppc-dev
mailing list