Re: hardening-check can detect whether kernel is protected or not

To: Mikhail Morfikov <mmorfikov@gmail.com>, debian-kernel@lists.debian.org
Subject: Re: hardening-check can detect whether kernel is protected or not
From: Yves-Alexis Perez <corsac@debian.org>
Date: Wed, 02 Jan 2019 17:48:47 +0100
Message-id: <[🔎] 91813c5698a87cbe783cb73de673808eb7908e36.camel@debian.org>
In-reply-to: <[🔎] a41776d2-f272-d2ac-b49e-91340690889c@gmail.com>
References: <[🔎] 2796fc2e-d5fb-2a7f-288e-9301e07a1269@gmail.com> <[🔎] d2a6242227ca224081efdb486f932484f8cdc465.camel@debian.org> <[🔎] a41776d2-f272-d2ac-b49e-91340690889c@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Wed, 2019-01-02 at 17:37 +0100, Mikhail Morfikov wrote:
> I have one question. Let's say I set the kernel options that are described 
> here[1]. Do I have to use DEB_BUILD_MAINT_OPTIONS or set any additional flags
> in the debian/rules file to get some extra protection? Does the 
> DEB_BUILD_MAINT_OPTIONS variable do something in the case of building the 
> linux kernel?

No, DEB_BUILD_MAINT_OPTIONS is not used for that. If you want to tune the
kernel configuration you need to follow the kernel handbook (
https://kernel-team.pages.debian.net/kernel-handbook/ch-common-tasks.html#s4.2.3
)

Most of the kernel options recommended on the KSPP page are either enabled or
not relevant for a distribution kernel. There are some left which would be
nice to have (like some gcc plugins) and unsupported for now, but that's all.

Regards,
- -- 
Yves-Alexis
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAlws628ACgkQ3rYcyPpX
RFuq7wgAjwEGti43/zBpdxYSodwujnyh5CGN9k2KDpKtd4UtEJRP9+jWOT3eFuo3
8lKN+nojE7DuxYSJmW9NgXV95DNh1mx191ADRs3brbtV30dSoVP46EfypD/w4rVR
u2QJEEZueQiR7y1qE1nqfhuNY+OTSTlgeYsHbOQ4S5hyn7Yvu3gUf3QXaMOVybnu
+7sbfc62mnXuvwywYU2H891SSjjDd4yf0YUkr1uWWdhWHMvzBulEsj6s8b0QBvWq
DPJAGKd/CUp66R8DVyfY68G7rCam+lrX4DeK3gpPR1npFyIptMdXin64vXRhkaJr
1vZ0ct5r2p8GB0Un7371YEJOIvaQGw==
=1cPi
-----END PGP SIGNATURE-----

Reply to:

Follow-Ups:
- Re: hardening-check can detect whether kernel is protected or not
  - From: Mikhail Morfikov <mmorfikov@gmail.com>

References:
- hardening-check can detect whether kernel is protected or not
  - From: Mikhail Morfikov <mmorfikov@gmail.com>
- Re: hardening-check can detect whether kernel is protected or not
  - From: Yves-Alexis Perez <corsac@debian.org>
- Re: hardening-check can detect whether kernel is protected or not
  - From: Mikhail Morfikov <mmorfikov@gmail.com>

Prev by Date: Processed: bug 918036 is forwarded to https://lore.kernel.org/lkml/20181106054212.GA31768@nautica/
Next by Date: Re: hardening-check can detect whether kernel is protected or not
Previous by thread: Re: hardening-check can detect whether kernel is protected or not
Next by thread: Re: hardening-check can detect whether kernel is protected or not
Index(es):
- Date
- Thread