Changeset c49c1fb for chapter10/kernel.xml
- Timestamp:
- 09/11/2022 10:30:10 PM (2 years ago)
- Branches:
- multilib, xry111/multilib
- Children:
- c1a6423d
- Parents:
- 530771a (diff), e5e442c (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the(diff)links above to see all the changes relative to each parent. - File:
-
- 1 edited
-
chapter10/kernel.xml (modified) (7 diffs)
Legend:
- Unmodified
- Added
- Removed
-
chapter10/kernel.xml
r530771a rc49c1fb 106 106 not work correctly or boot at all:</para> 107 107 108 <screen role="nodump" revision="sysv">General setup --> 108 <screen role="nodump" revision="sysv">Processor type and features ---> 109 [*] Build a relocatable kernel [CONFIG_RELOCATABLE] 110 [*] Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE] 111 General setup ---> 109 112 [ ] Compile the kernel with warnings as errors [CONFIG_WERROR] 110 113 < > Enable kernel headers through /sys/kernel/kheaders.tar.xz [CONFIG_IKHEADERS] 114 General architecture-dependent options ---> 115 [*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR] 116 [*] Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG] 111 117 Device Drivers ---> 112 118 Graphics support ---> … … 118 124 [*] Automount devtmpfs at /dev, after the kernel mounted the rootfs [CONFIG_DEVTMPFS_MOUNT]</screen> 119 125 120 <screen role="nodump" revision="systemd">General setup --> 126 <screen role="nodump" revision="systemd">Processor type and features ---> 127 [*] Build a relocatable kernel [CONFIG_RELOCATABLE] 128 [*] Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE] 129 General setup ---> 121 130 [ ] Compile the kernel with warnings as errors [CONFIG_WERROR] 122 131 [ ] Auditing Support [CONFIG_AUDIT] … … 131 140 General architecture-dependent options ---> 132 141 [*] Enable seccomp to safely compute untrusted bytecode [CONFIG_SECCOMP] 142 [*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR] 143 [*] Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG] 133 144 Networking support ---> 134 145 Networking options ---> … … 160 171 <screen role="nodump">Processor type and features ---> 161 172 [*] Support x2apic [CONFIG_X86_X2APIC] 162 Memory Management options --->163 [ ] Enable userfaultfd() system call [CONFIG_USERFAULTFD]164 173 Device Drivers ---> 165 174 [*] PCI Support ---> [CONFIG_PCI] … … 224 233 225 234 <varlistentry> 235 <term><parameter>Randomize the address of the kernel image (KASLR)</parameter></term> 236 <listitem> 237 <para>Enable ASLR for kernel image, to mitigate some attacks based 238 on fixed addresses of sensitive data or code in the kernel.</para> 239 </listitem> 240 </varlistentry> 241 242 <varlistentry> 226 243 <term> 227 244 <parameter> … … 245 262 <para>This will require <command>cpio</command> building the kernel. 246 263 <command>cpio</command> is not installed by LFS.</para> 264 </listitem> 265 </varlistentry> 266 267 <varlistentry> 268 <term><parameter>Strong Stack Protector</parameter></term> 269 <listitem> 270 <para>Enable SSP for the kernel. We've enabled it for the entire 271 userspace with <parameter>--enable-default-ssp</parameter> 272 configuring GCC, but the kernel does not use GCC default setting 273 for SSP. We enable it explicitly here.</para> 247 274 </listitem> 248 275 </varlistentry> … … 284 311 has no effect, but also does no harm if x2APIC is disabled by the 285 312 firmware.</para> 286 </listitem>287 </varlistentry>288 289 <varlistentry>290 <term><parameter>Enable userfaultfd() system call</parameter></term>291 <listitem>292 <para>If this option is enabled, a security vulnerability not293 resolved in Linux-&linux-version; yet will be exploitable.294 Disable this option to avoid the vulnerability. This system call295 is not used by any part of LFS or BLFS.</para>296 313 </listitem> 297 314 </varlistentry>
Note:
See TracChangeset
for help on using the changeset viewer.
