Changeset f4facc4 for chapter10/kernel.xml
- Timestamp: 09/23/2022 04:06:19 PM
- Branches: xry111/arm64, xry111/arm64-12.0
- Children: 44784c1
- Parents: c6df98a1 (diff), 10d7c7a8 (diff)
Note: this is a merge changeset; the changes displayed below correspond to the merge itself. Use the (diff) links above to see all the changes relative to each parent.
- File: 1 edited
chapter10/kernel.xml
rc6df98a1 rf4facc4 106 106 not work correctly or boot at all:</para> 107 107 108 <screen role="nodump" revision="sysv">General setup --> 108 <screen role="nodump" revision="sysv">Processor type and features ---> 109 [*] Build a relocatable kernel [CONFIG_RELOCATABLE] 110 [*] Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE] 111 General setup ---> 109 112 [ ] Compile the kernel with warnings as errors [CONFIG_WERROR] 110 113 < > Enable kernel headers through /sys/kernel/kheaders.tar.xz [CONFIG_IKHEADERS] 114 General architecture-dependent options ---> 115 [*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR] 116 [*] Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG] 111 117 Device Drivers ---> 112 118 Graphics support ---> 113 119 Frame buffer Devices ---> 114 [*] Support for frame buffer devices ---- 120 <*> Support for frame buffer devices ---> 121 Console display driver support ---> 122 [*] Framebuffer Console support [CONFIG_FRAMEBUFFER_CONSOLE] 115 123 Generic Driver Options ---> 116 124 [ ] Support for uevent helper [CONFIG_UEVENT_HELPER] … … 118 126 [*] Automount devtmpfs at /dev, after the kernel mounted the rootfs [CONFIG_DEVTMPFS_MOUNT]</screen> 119 127 120 <screen role="nodump" revision="systemd">General setup --> 128 <screen role="nodump" revision="systemd">Processor type and features ---> 129 [*] Build a relocatable kernel [CONFIG_RELOCATABLE] 130 [*] Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE] 131 General setup ---> 121 132 [ ] Compile the kernel with warnings as errors [CONFIG_WERROR] 122 133 [ ] Auditing Support [CONFIG_AUDIT] … … 131 142 General architecture-dependent options ---> 132 143 [*] Enable seccomp to safely compute untrusted bytecode [CONFIG_SECCOMP] 144 [*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR] 145 [*] Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG] 133 146 Networking support ---> 134 147 Networking options ---> … … 146 159 Frame 
buffer Devices ---> 147 160 <*> Support for frame buffer devices ---> 161 Console display driver support ---> 162 [*] Framebuffer Console support [CONFIG_FRAMEBUFFER_CONSOLE] 148 163 File systems ---> 149 164 [*] Inotify support for userspace [CONFIG_INOTIFY_USER] 150 165 Pseudo filesystems ---> 151 166 [*] Tmpfs POSIX Access Control Lists [CONFIG_TMPFS_POSIX_ACL]</screen> 152 153 <para>Disable a feature which is security compromised in this kernel154 release:</para>155 156 <screen role="nodump">Memory Management options --->157 [ ] Enable userfaultfd() system call [CONFIG_USERFAULTFD]</screen>158 167 </note> 159 168 … … 181 190 182 191 <varlistentry> 192 <term><parameter>Randomize the address of the kernel image (KASLR)</parameter></term> 193 <listitem> 194 <para>Enable ASLR for kernel image, to mitigate some attacks based 195 on fixed addresses of sensitive data or code in the kernel.</para> 196 </listitem> 197 </varlistentry> 198 199 <varlistentry> 183 200 <term> 184 201 <parameter> … … 206 223 207 224 <varlistentry> 225 <term><parameter>Strong Stack Protector</parameter></term> 226 <listitem> 227 <para>Enable SSP for the kernel. We've enabled it for the entire 228 userspace with <parameter>--enable-default-ssp</parameter> 229 configuring GCC, but the kernel does not use GCC default setting 230 for SSP. We enable it explicitly here.</para> 231 </listitem> 232 </varlistentry> 233 234 <varlistentry> 208 235 <term><parameter>Support for uevent helper</parameter></term> 209 236 <listitem> … … 233 260 234 261 <varlistentry> 235 <term><parameter>Enable userfaultfd() system call</parameter></term> 236 <listitem> 237 <para>If this option is enabled, a security vulnerability not 238 resolved in Linux-&linux-version; yet will be exploitable. 239 Disable this option to avoid the vulnerability. 
This system call 240 is not used by any part of LFS or BLFS.</para> 262 <term><parameter>Framebuffer Console support</parameter></term> 263 <listitem> 264 <para>This is needed to display the Linux console on a frame 265 buffer device. To allow the kernel to print debug messages at an 266 early boot stage, it shouldn't be built as a kernel module 267 unless an initramfs will be used. And, if 268 <option>CONFIG_DRM</option> (Direct Rendering Manager) is enabled, 269 it's likely <option>CONFIG_DRM_FBDEV_EMULATION</option> (Enable 270 legacy fbdev support for your modesetting driver) should be 271 enabled as well.</para> 241 272 </listitem> 242 273 </varlistentry>