build: -c to enable a single linux kernel config

Disable CONFIG_FORTIFY_SOURCE=y by default as it might incur overhead,
enable CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y as it should not.

README.adoc

@@ -2134,6 +2134,14 @@ If you want to just use your own exact `.config` instead, do:
 
 Beware that Buildroot can `sed` override some of the configurations we make no matter what, e.g. it forces `CONFIG_BLK_DEV_INITRD=y` when `BR2_TARGET_ROOTFS_CPIO` is on, so you might want to double check as explained at <<find-the-kernel-config>>. TODO check if there is a way to prevent that patching and maybe patch Buildroot for it, it is too fuzzy. People should be able to just build with whatever `.config` they want.
 
+==== Modify a config option
+
+Only effective for the current build:
+
+....
+./build -c 'CONFIG_FORTIFY_SOURCE=y' -l
+....
+
 ==== Find the kernel config
 
 Ge the build config in guest:
@@ -2887,15 +2895,15 @@ Stop the cursor from blinking:
 echo 0 > /sys/class/graphics/fbcon/cursor_blink
 ....
 
-Rotate the console 90 degrees!
+Rotate the console 90 degrees! https://askubuntu.com/questions/237963/how-do-i-rotate-my-display-when-not-using-an-x-server
 
 ....
 echo 1 > /sys/class/graphics/fbcon/rotate
 ....
 
-Requires `CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y`.
+Relies on: `CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y`.
 
-Documented under: `fb/`.
+Documented under: `Documentation/fb/`.
 
 TODO: font and keymap. Mentioned at: https://cmcenroe.me/2017/05/05/linux-console.html and I think can be done with Busybox `loadkmap` and `loadfont`, we just have to understand their formats, related:
 
@@ -2995,17 +3003,25 @@ Looks like a recompile is needed to modify the image...
 * https://superuser.com/questions/736423/changing-kernel-bootsplash-image
 * https://unix.stackexchange.com/questions/153975/how-to-change-boot-logo-in-linux-mint
 
-=== Hardening
+=== LInux kernel hardening
 
 Make it harder to get hacked and easier to notice that you were, at the cost of some (small?) runtime overhead.
 
 ==== CONFIG_FORTIFY_SOURCE
 
+Enable:
+
 ....
-insmod /strlen_overflow.ko
+./build -c 'CONFIG_FORTIFY_SOURCE=y'
 ....
 
-detects the overflow:
+Test it out:
+
+....
+./run -F 'insmod /strlen_overflow.ko'
+....
+
+Detects the overflow:
 
 ....
 <4>[    3.136382] strlen_overflow: loading out-of-tree module taints kernel.

build

@@ -2,10 +2,13 @@
 set -eu
 . common
 set -- ${cli_build:-} "$@"
-br2_cli_file="${out_dir}/br2_cli"
 mkdir -p "${out_dir}"
+br2_cli_file="${out_dir}/br2_cli"
 rm -f "$br2_cli_file"
 touch "$br2_cli_file"
+kernel_config_fragment_cli_file="${out_dir}/kernel_config_fragment_cli"
+rm -f "$kernel_config_fragment_cli_file"
+touch "$kernel_config_fragment_cli_file"
 configure=true
 config_fragments="${root_dir}/br2"
 extra_make_args=
@@ -16,20 +19,23 @@ post_script_args=
 qemu_sdl='--enable-sdl --with-sdlabi=2.0'
 suffix=
 v=0
-while getopts 'a:B:b:CGgj:hIiK:klp:qSs:v' OPT; do
+while getopts 'a:B:b:Cc:Ggj:hIiK:klp:qSs:v' OPT; do
   case "$OPT" in
     a)
       arch="$OPTARG"
       ;;
-    b)
-      config_fragments="${config_fragments} $(common_abspath "${OPTARG}")"
-      ;;
     B)
       echo "$OPTARG" >> "$br2_cli_file"
       ;;
+    b)
+      config_fragments="${config_fragments} $(common_abspath "${OPTARG}")"
+      ;;
     C)
       configure=false
       ;;
+    c)
+      echo "$OPTARG" >> "$kernel_config_fragment_cli_file"
+      ;;
     g)
       extra_make_args="${extra_make_args} gem5-reconfigure \\
 "
@@ -142,7 +148,7 @@ BR2_ROOTFS_POST_SCRIPT_ARGS=\"${post_script_args}\"
   else
     d=../kernel_config_fragment
     f="${d}/min"
-    printf "BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES=\"${f} ${d}/default\"\n" >> "$config_file"
+    printf "BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES=\"${f} ${d}/default ${kernel_config_fragment_cli_file}\"\n" >> "$config_file"
     if "${linux_reconfigure}"; then
       # https://stackoverflow.com/questions/49260466/why-when-i-change-br2-linux-kernel-custom-config-file-and-run-make-linux-reconfi
       touch "$f"

build-usage.adoc

@@ -10,14 +10,15 @@
 |===
 |Name |Argument name        |Description
 |`-a` |`ARCH`               |Build for architecture `ARCH`.
-|`-b` |`BR2_FILE`           |Also use the given Buildroot configuration fragment file.
-                             Pass multiple times to use multiple fragment files.
 |`-B` |`BR2_CONFIG`         |Add a single Buildroot option to the current build.
                              Example: `-B 'BR2_TARGET_ROOTFS_EXT2_SIZE="512M"'`
-|`-c` |`BR2_FILE`           |Also use the given Buildroot configuration fragment file.
+|`-b` |`BR2_FILE`           |Also use the given Buildroot configuration fragment file.
                              Pass multiple times to use multiple fragment files.
 |`-C` |                     |Skip the Buildroot configuration. Saves a few seconds,
                              but requires you to know what you are doing :-)
+|`-c` |`CONFIG_SOMETHING`   |Also use the given Linux kernel configuration, example:
+                             `./build -c 'CONFIG_FORTIFY_SOURCE=y'`
+                             Can be used multiple times for multiple configs.
 |`-g` |                     |Enable gem5 build or force its rebuild.
 |`-h` |                     |Show this help message.
 |`-I` |                     |Enable initramfs for the current build.

kernel_config_fragment/default

@@ -77,7 +77,7 @@ CONFIG_VIRTIO_BLK=y
 CONFIG_VIRTIO_NET=y
 
 # Misc
-#CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y
+CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y
 
 ## Networking
 
@@ -197,6 +197,3 @@ CONFIG_ARM64_PTDUMP=y
 
 # For record and replay.
 CONFIG_8139CP=y
-
-# Hardening
-CONFIG_FORTIFY_SOURCE=y