[Ksummit-discuss] [CORE TOPIC] Kernel tinification: shrinking the kernel and avoiding size regressions

Steven Rostedt rostedt at goodmis.org
Fri May 2 17:44:27 UTC 2014


On Fri, 02 May 2014 10:20:29 -0700
James Bottomley <James.Bottomley at HansenPartnership.com> wrote:


> If we do this, I think we should have a small number of options related
> to use case ... say something like a secure router kernel
> CONFIG_SECURE_ROUTER which disables anything a secure router wouldn't
> need.

I was thinking the same thing.

> 
> For the distros we could have an ordinary and a reduced attack surface
> kernel CONFIG_REDUCED_ATTACK_SURFACE.

Ug, that's a horrible name. Not selecting it would imply we want to
increase the attack surface.

> 
> The thing I really want to avoid is binaries compiled for one distro not
> running on another because of syscall differences.

Agreed.


Your first config option name looks more the way we want to go. Didn't
Linus once ask for config profiles? That is, we could say
CONFIG_FIREWALL, and everything for a firewall would be set. Or
CONFIG_LAPTOP, which would focus on everything for a laptop, etc.

What ever happened to that? The kbuild environment too scary for
everyone?

I wonder if we should seek out people to rewrite it. Or at least
document how the entire thing works. Every time I have to look at that
code I get the willies.


-- Steve

