- Timestamp:
- 09/19/2022 06:38:55 AM (2 years ago)
- Branches:
- xry111/clfs-ng
- Children:
- 1f6dfd4
- Parents:
- 1203312 (diff), 3d65730e (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
- File:
- 1 edited
chapter10/kernel.xml
r1203312 r6c952e3 106 106 not work correctly or boot at all:</para> 107 107 108 <screen role="nodump" revision="sysv">General setup --> 108 <screen role="nodump" revision="sysv">Processor type and features ---> 109 [*] Build a relocatable kernel [CONFIG_RELOCATABLE] 110 [*] Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE] 111 General setup ---> 109 112 [ ] Compile the kernel with warnings as errors [CONFIG_WERROR] 110 113 < > Enable kernel headers through /sys/kernel/kheaders.tar.xz [CONFIG_IKHEADERS] 114 General architecture-dependent options ---> 115 [*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR] 116 [*] Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG] 111 117 Device Drivers ---> 112 118 Graphics support ---> … … 118 124 [*] Automount devtmpfs at /dev, after the kernel mounted the rootfs [CONFIG_DEVTMPFS_MOUNT]</screen> 119 125 120 <screen role="nodump" revision="systemd">General setup --> 126 <screen role="nodump" revision="systemd">Processor type and features ---> 127 [*] Build a relocatable kernel [CONFIG_RELOCATABLE] 128 [*] Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE] 129 General setup ---> 121 130 [ ] Compile the kernel with warnings as errors [CONFIG_WERROR] 122 131 [ ] Auditing Support [CONFIG_AUDIT] … … 131 140 General architecture-dependent options ---> 132 141 [*] Enable seccomp to safely compute untrusted bytecode [CONFIG_SECCOMP] 142 [*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR] 143 [*] Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG] 133 144 Networking support ---> 134 145 Networking options ---> … … 160 171 <screen role="nodump">Processor type and features ---> 161 172 [*] Support x2apic [CONFIG_X86_X2APIC] 162 Memory Management options --->163 [ ] Enable userfaultfd() system call [CONFIG_USERFAULTFD]164 173 Device Drivers ---> 165 174 [*] PCI Support ---> [CONFIG_PCI] … … 192 201 193 202 <varlistentry> 203 <term><parameter>Randomize the 
address of the kernel image (KASLR)</parameter></term> 204 <listitem> 205 <para>Enable ASLR for kernel image, to mitigate some attacks based 206 on fixed addresses of sensitive data or code in the kernel.</para> 207 </listitem> 208 </varlistentry> 209 210 <varlistentry> 194 211 <term> 195 212 <parameter> … … 213 230 <para>This will require <command>cpio</command> building the kernel. 214 231 <command>cpio</command> is not installed by LFS.</para> 232 </listitem> 233 </varlistentry> 234 235 <varlistentry> 236 <term><parameter>Strong Stack Protector</parameter></term> 237 <listitem> 238 <para>Enable SSP for the kernel. We've enabled it for the entire 239 userspace with <parameter>--enable-default-ssp</parameter> 240 configuring GCC, but the kernel does not use GCC default setting 241 for SSP. We enable it explicitly here.</para> 215 242 </listitem> 216 243 </varlistentry> … … 252 279 has no effect, but also does no harm if x2APIC is disabled by the 253 280 firmware.</para> 254 </listitem>255 </varlistentry>256 257 <varlistentry>258 <term><parameter>Enable userfaultfd() system call</parameter></term>259 <listitem>260 <para>If this option is enabled, a security vulnerability not261 resolved in Linux-&linux-version; yet will be exploitable.262 Disable this option to avoid the vulnerability. This system call263 is not used by any part of LFS or BLFS.</para>264 281 </listitem> 265 282 </varlistentry>
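Review bot: in the two screen blocks (revision="sysv" and revision="systemd"), [CONFIG_RELOCATABLE] is added as a required option but has no varlistentry of its own, while the KASLR line nested under it does. A reader following the list has no way to tell why "Build a relocatable kernel" must be set. Either add a short entry for it or extend the KASLR entry with a sentence saying it is selected because CONFIG_RANDOMIZE_BASE sits beneath it in the menu.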
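Review bot: in the new "Strong Stack Protector" varlistentry, the sentence "We've enabled it for the entire userspace with --enable-default-ssp configuring GCC, but the kernel does not use GCC default setting for SSP" is missing words and is hard to parse. Suggest "with --enable-default-ssp when configuring GCC" and "GCC's default setting". The screens also add two options, [CONFIG_STACKPROTECTOR] and [CONFIG_STACKPROTECTOR_STRONG], but the term names only the second, so the entry should say that both are to be selected.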
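Review bot: the last hunks drop both the "[ ] Enable userfaultfd() system call [CONFIG_USERFAULTFD]" line and its varlistentry, whose text tied the advice to "a security vulnerability not resolved in Linux-&linux-version; yet". Nothing in the visible change shows that &linux-version; now refers to a release containing the fix, so please confirm that in the merge description or the changelog. Since the removed paragraph also states that the system call "is not used by any part of LFS or BLFS", consider whether keeping the option disabled is still the better recommendation.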