Timestamp:
09/23/2022 04:06:19 PM (22 months ago)
Author:
Xi Ruoyao <xry111@…>
Branches:
xry111/arm64, xry111/arm64-12.0
Children:
44784c1
Parents:
c6df98a1 (diff), 10d7c7a8 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
Message:

Merge remote-tracking branch 'origin/trunk' into xry111/arm64

File:
1 edited

  • chapter10/kernel.xml

    rc6df98a1 rf4facc4  
    106106      not work correctly or boot at all:</para>
    107107
    108       <screen role="nodump" revision="sysv">General setup -->
     108      <screen role="nodump" revision="sysv">Processor type and features ---&gt;
     109   [*] Build a relocatable kernel [CONFIG_RELOCATABLE]
     110   [*]   Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE]
     111General setup ---&gt;
    109112   [ ] Compile the kernel with warnings as errors [CONFIG_WERROR]
    110113   &lt; &gt; Enable kernel headers through /sys/kernel/kheaders.tar.xz [CONFIG_IKHEADERS]
     114General architecture-dependent options  ---&gt;
     115   [*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR]
     116   [*]   Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG]
    111117Device Drivers  ---&gt;
    112118  Graphics support ---&gt;
    113119   Frame buffer Devices ---&gt;
    114       [*] Support for frame buffer devices ----
     120      &lt;*&gt; Support for frame buffer devices ---&gt;
     121   Console display driver support ---&gt;
     122      [*] Framebuffer Console support [CONFIG_FRAMEBUFFER_CONSOLE]
    115123  Generic Driver Options  ---&gt;
    116124   [ ] Support for uevent helper [CONFIG_UEVENT_HELPER]
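Review bot: the new "Processor type and features --->" menu and the "(KASLR)" suffix on the prompt are the x86 menu layout, yet this merge lands on the xry111/arm64 branch, where CONFIG_RELOCATABLE and CONFIG_RANDOMIZE_BASE sit under a different top-level menu with slightly different prompts. Either make the screen arch-conditional or add a sentence telling the reader to search for the bracketed CONFIG_ symbols (they are the stable names), and note that "[*]   Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE]" only appears once the relocatable-kernel option above it is enabled. The change of "[*] Support for frame buffer devices ----" to "<*> Support for frame buffer devices --->" is a correct fix (the option is tristate and has a submenu), but it is unrelated to KASLR/SSP and deserves a word in the commit message.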
     
    118126   [*]   Automount devtmpfs at /dev, after the kernel mounted the rootfs [CONFIG_DEVTMPFS_MOUNT]</screen>
    119127
    120       <screen role="nodump" revision="systemd">General setup -->
     128      <screen role="nodump" revision="systemd">Processor type and features ---&gt;
     129   [*] Build a relocatable kernel [CONFIG_RELOCATABLE]
     130   [*]   Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE]
     131General setup ---&gt;
    121132   [ ] Compile the kernel with warnings as errors [CONFIG_WERROR]
    122133   [ ] Auditing Support [CONFIG_AUDIT]
     
    131142General architecture-dependent options  ---&gt;
    132143   [*] Enable seccomp to safely compute untrusted bytecode [CONFIG_SECCOMP]
     144   [*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR]
     145   [*]   Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG]
    133146Networking support  ---&gt;
    134147  Networking options  ---&gt;
     
    146159   Frame buffer Devices ---&gt;
    147160      &lt;*&gt; Support for frame buffer devices ---&gt;
     161   Console display driver support ---&gt;
     162      [*] Framebuffer Console support [CONFIG_FRAMEBUFFER_CONSOLE]
    148163File systems  ---&gt;
    149164   [*] Inotify support for userspace [CONFIG_INOTIFY_USER]
    150165       Pseudo filesystems  ---&gt;
    151166        [*] Tmpfs POSIX Access Control Lists [CONFIG_TMPFS_POSIX_ACL]</screen>
    152 
    153       <para>Disable a feature which is security compromised in this kernel
    154       release:</para>
    155 
    156       <screen role="nodump">Memory Management options  ---&gt;
    157   [ ] Enable userfaultfd() system call [CONFIG_USERFAULTFD]</screen>
    158167    </note>
    159168
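Review bot: the paragraph "Disable a feature which is security compromised in this kernel release" and its "[ ] Enable userfaultfd() system call [CONFIG_USERFAULTFD]" screen are dropped here with no replacement and no rationale in the merge message. If the kernel version bump that resolves the issue arrives via one of the parent commits, say so in the message; otherwise readers of this changeset lose the mitigation without knowing whether it is still needed, so keep the option documented as off until the fix is confirmed.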
     
    181190
    182191      <varlistentry>
     192        <term><parameter>Randomize the address of the kernel image (KASLR)</parameter></term>
     193        <listitem>
     194          <para>Enable ASLR for kernel image, to mitigate some attacks based
     195          on fixed addresses of sensitive data or code in the kernel.</para>
     196        </listitem>
     197      </varlistentry>
     198
     199      <varlistentry>
    183200        <term>
    184201          <parameter>
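Review bot: the new KASLR entry explains CONFIG_RANDOMIZE_BASE but nothing documents the "Build a relocatable kernel [CONFIG_RELOCATABLE]" line it depends on, which the screens above add at the same time; one sentence in this <para> stating that KASLR requires a relocatable kernel (hence the nested indentation in the screen) would close that gap. Minor wording: "Enable ASLR for kernel image, to mitigate some attacks" reads better as "Enable ASLR for the kernel image to mitigate attacks".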
     
    206223
    207224      <varlistentry>
     225        <term><parameter>Strong Stack Protector</parameter></term>
     226        <listitem>
     227          <para>Enable SSP for the kernel.  We've enabled it for the entire
     228          userspace with <parameter>--enable-default-ssp</parameter>
     229          configuring GCC, but the kernel does not use GCC default setting
     230          for SSP.  We enable it explicitly here.</para>
     231        </listitem>
     232      </varlistentry>
     233
     234      <varlistentry>
    208235        <term><parameter>Support for uevent helper</parameter></term>
    209236        <listitem>
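Review bot: the Strong Stack Protector entry covers CONFIG_STACKPROTECTOR_STRONG only, while the screens also add its parent "[*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR]", which must be enabled first; mention that dependency here so the indentation in the screen is explained. Grammar in the <para>: "with --enable-default-ssp configuring GCC, but the kernel does not use GCC default setting for SSP" should read "with --enable-default-ssp when configuring GCC, but the kernel does not use GCC's default SSP setting".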
     
    233260
    234261      <varlistentry>
    235         <term><parameter>Enable userfaultfd() system call</parameter></term>
    236         <listitem>
    237           <para>If this option is enabled, a security vulnerability not
    238           resolved in Linux-&linux-version; yet will be exploitable.
    239           Disable this option to avoid the vulnerability.  This system call
    240           is not used by any part of LFS or BLFS.</para>
     262        <term><parameter>Framebuffer Console support</parameter></term>
     263        <listitem>
     264          <para>This is needed to display the Linux console on a frame
     265          buffer device.  To allow the kernel to print debug messages at an
     266          early boot stage, it shouldn't be built as a kernel module
     267          unless an initramfs will be used. And, if
     268          <option>CONFIG_DRM</option> (Direct Rendering Manager) is enabled,
     269          it's likely <option>CONFIG_DRM_FBDEV_EMULATION</option> (Enable
     270          legacy fbdev support for your modesetting driver) should be
     271          enabled as well.</para>
    241272        </listitem>
    242273      </varlistentry>
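Review bot: in the Framebuffer Console paragraph the "it" in "it shouldn't be built as a kernel module" is ambiguous: the screens render this option as "[*] Framebuffer Console support", a yes/no choice that cannot be a module, while the frame buffer device above it is "<*>", so the module caveat must be about the frame buffer or graphics driver; name that option explicitly. Also avoid starting the last sentence with "And, if" and add a space after "early boot stage, it shouldn't" is fine; the double space after "device." matches the file's convention and can stay.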