[Ksummit-discuss] [TECH TOPIC] is Kconfig a bit hard sometimes?

Kees Cook keescook at chromium.org
Tue Jun 27 20:53:00 UTC 2017


On Tue, Jun 27, 2017 at 12:27 PM, Linus Torvalds
<torvalds at linux-foundation.org> wrote:
> No. The defconfigs are useless. They are fundamentally broken, exactly
> because there is never one config that can work.
>
> They do need to be of the "kvmconfig" type, but for sane subconfigurations.
>
> So I'd look for something like
>
>     make modernpcconfig # enable minimal modern PC workstation stuff
>     make f25config  # enable minimal stuff required for F25
>     make amdconfig # enable the core modern AMD stuff
>
> or something like that.
>
> But it's not going to happen, because everybody thinks *their* code is
> so supremely important, so the "minimal config" is literally a doomed
> concept ;(

I'd be curious to see someone try this anyway, just to see how it
turns out. It's been suggested to me before for hardening features,
(e.g. "make hardenedconfig") and I think it would turn out better than
trying to encode it directly in Kconfig itself. Each kernel release
can have its "make *config" targets updated as the individual CONFIGs
change... though I suspect it might bitrot... But it would be nice to
add "make paranoidconfig" to the above set of make *config runs.

I know I won't have time to do this in the near future, though, so the
best I've done is spew paranoid default suggestions into the KSPP wiki
instead[1]. My plan for spending time on Kconfig currently is to try
to get the compiler feature detection[2] working sanely.

-Kees

[1] http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
[2] http://www.spinics.net/lists/linux-kbuild/msg15070.html

-- 
Kees Cook
Pixel Security
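
An added example, not part of the original message and not code from the kernel tree or the KSPP wiki: one way to audit a built .config against a "hardenedconfig"-style fragment, including the bitrot case where a symbol has vanished between releases. The fragment contents, the sample .config and the function names are constructed for illustration; the option names are real Kconfig symbols, but the selection is not a recommendation taken from this thread.

```python
import re

# Constructed fragment, in the "CONFIG_X=y" / "# CONFIG_X is not set" syntax
# that .config files and config fragments use. Illustrative selection only.
HARDENED_FRAGMENT = """\
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_HARDENED_USERCOPY=y
# CONFIG_DEVMEM is not set
"""

# Constructed sample of the .config a build actually ended up with.
SAMPLE_DOTCONFIG = """\
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_RANDOMIZE_BASE is not set
CONFIG_DEVMEM=y
CONFIG_MODULES=y
"""

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text):
    """Map each CONFIG symbol to its value; 'n' for '# ... is not set'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts

def audit(fragment_text, dotconfig_text):
    """Return {symbol: (wanted, actual)} for fragment options not honoured."""
    wanted = parse_config(fragment_text)
    actual = parse_config(dotconfig_text)
    problems = {}
    for sym, want in wanted.items():
        # "missing": symbol not in .config at all (dependency unmet, or the
        # symbol was renamed or removed in this release: the bitrot case).
        got = actual.get(sym, "missing")
        if got == want or (want == "n" and got == "missing"):
            continue  # an absent symbol satisfies "is not set"
        problems[sym] = (want, got)
    return problems

if __name__ == "__main__":
    for sym, (want, got) in sorted(audit(HARDENED_FRAGMENT, SAMPLE_DOTCONFIG).items()):
        print(f"{sym}: want {want}, got {got}")
```
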

