From c735790099ab364d7cfd46419f89339cb4d73b38 Mon Sep 17 00:00:00 2001 From: Ciro Santilli Date: Sat, 5 May 2018 11:50:22 +0100 Subject: [PATCH] build: -c to enable a single linux kernel config Disable CONFIG_FORTIFY_SOURCE=y by default as it might incur overhead, enable CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y as it should not. --- README.adoc | 28 ++++++++++++++++++++++------ build | 18 ++++++++++++------ build-usage.adoc | 7 ++++--- kernel_config_fragment/default | 5 +---- 4 files changed, 39 insertions(+), 19 deletions(-) diff --git a/README.adoc b/README.adoc index ff1fffa..6d72d27 100644 --- a/README.adoc +++ b/README.adoc @@ -2134,6 +2134,14 @@ If you want to just use your own exact `.config` instead, do: Beware that Buildroot can `sed` override some of the configurations we make no matter what, e.g. it forces `CONFIG_BLK_DEV_INITRD=y` when `BR2_TARGET_ROOTFS_CPIO` is on, so you might want to double check as explained at <>. TODO check if there is a way to prevent that patching and maybe patch Buildroot for it, it is too fuzzy. People should be able to just build with whatever `.config` they want. +==== Modify a config option + +Only effective for the current build: + +.... +./build -c 'CONFIG_FORTIFY_SOURCE=y' -l +.... + ==== Find the kernel config Ge the build config in guest: @@ -2887,15 +2895,15 @@ Stop the cursor from blinking: echo 0 > /sys/class/graphics/fbcon/cursor_blink .... -Rotate the console 90 degrees! +Rotate the console 90 degrees! https://askubuntu.com/questions/237963/how-do-i-rotate-my-display-when-not-using-an-x-server .... echo 1 > /sys/class/graphics/fbcon/rotate .... -Requires `CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y`. +Relies on: `CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y`. -Documented under: `fb/`. +Documented under: `Documentation/fb/`. TODO: font and keymap. Mentioned at: https://cmcenroe.me/2017/05/05/linux-console.html and I think can be done with Busybox `loadkmap` and `loadfont`, we just have to understand their formats, related: 
@@ -2995,17 +3003,25 @@ Looks like a recompile is needed to modify the image... * https://superuser.com/questions/736423/changing-kernel-bootsplash-image * https://unix.stackexchange.com/questions/153975/how-to-change-boot-logo-in-linux-mint -=== Hardening +=== LInux kernel hardening Make it harder to get hacked and easier to notice that you were, at the cost of some (small?) runtime overhead. ==== CONFIG_FORTIFY_SOURCE +Enable: + .... -insmod /strlen_overflow.ko +./build -c 'CONFIG_FORTIFY_SOURCE=y' .... -detects the overflow: +Test it out: + +.... +./run -F 'insmod /strlen_overflow.ko' +.... + +Detects the overflow: .... <4>[ 3.136382] strlen_overflow: loading out-of-tree module taints kernel. diff --git a/build b/build index 9d07984..4259753 100755 --- a/build +++ b/build @@ -2,10 +2,13 @@ set -eu . common set -- ${cli_build:-} "$@" -br2_cli_file="${out_dir}/br2_cli" mkdir -p "${out_dir}" +br2_cli_file="${out_dir}/br2_cli" rm -f "$br2_cli_file" touch "$br2_cli_file" +kernel_config_fragment_cli_file="${out_dir}/kernel_config_fragment_cli" +rm -f "$kernel_config_fragment_cli_file" +touch "$kernel_config_fragment_cli_file" configure=true config_fragments="${root_dir}/br2" extra_make_args= @@ -16,20 +19,23 @@ post_script_args= qemu_sdl='--enable-sdl --with-sdlabi=2.0' suffix= v=0 -while getopts 'a:B:b:CGgj:hIiK:klp:qSs:v' OPT; do +while getopts 'a:B:b:Cc:Ggj:hIiK:klp:qSs:v' OPT; do case "$OPT" in a) arch="$OPTARG" ;; - b) - config_fragments="${config_fragments} $(common_abspath "${OPTARG}")" - ;; B) echo "$OPTARG" >> "$br2_cli_file" ;; + b) + config_fragments="${config_fragments} $(common_abspath "${OPTARG}")" + ;; C) configure=false ;; + c) + echo "$OPTARG" >> "$kernel_config_fragment_cli_file" + ;; g) extra_make_args="${extra_make_args} gem5-reconfigure \\ " 
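Review bot: The new `c)` arm in the `getopts` hunk of `build` appends `$OPTARG` to the kernel fragment with `echo` and no check on its shape, so a value such as `-n` or one containing backslashes may be written differently from what was typed. I would write `printf '%s\n' "$OPTARG" >> "$kernel_config_fragment_cli_file"` instead. A check that the value starts with `CONFIG_` (or is a `# CONFIG_... is not set` line) would also catch a typo like `FORTIFY_SOURCE=y`, which otherwise lands in the fragment unnoticed. The `B)` arm just above uses the same `echo` pattern and would benefit from the same change. The `case` statement continues past the end of this hunk.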
@@ -142,7 +148,7 @@ BR2_ROOTFS_POST_SCRIPT_ARGS=\"${post_script_args}\" else d=../kernel_config_fragment f="${d}/min" - printf "BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES=\"${f} ${d}/default\"\n" >> "$config_file" + printf "BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES=\"${f} ${d}/default ${kernel_config_fragment_cli_file}\"\n" >> "$config_file" if "${linux_reconfigure}"; then # https://stackoverflow.com/questions/49260466/why-when-i-change-br2-linux-kernel-custom-config-file-and-run-make-linux-reconfi touch "$f" diff --git a/build-usage.adoc b/build-usage.adoc index 007240c..b4e9cc7 100644 --- a/build-usage.adoc +++ b/build-usage.adoc @@ -10,14 +10,15 @@ |=== |Name |Argument name |Description |`-a` |`ARCH` |Build for architecture `ARCH`. -|`-b` |`BR2_FILE` |Also use the given Buildroot configuration fragment file. - Pass multiple times to use multiple fragment files. |`-B` |`BR2_CONFIG` |Add a single Buildroot option to the current build. Example: `-B 'BR2_TARGET_ROOTFS_EXT2_SIZE="512M"'` -|`-c` |`BR2_FILE` |Also use the given Buildroot configuration fragment file. +|`-b` |`BR2_FILE` |Also use the given Buildroot configuration fragment file. Pass multiple times to use multiple fragment files. |`-C` | |Skip the Buildroot configuration. Saves a few seconds, but requires you to know what you are doing :-) +|`-c` |`CONFIG_SOMETHING` |Also use the given Linux kernel configuration, example: + `./build -c 'CONFIG_FORTIFY_SOURCE=y'` + Can be used multiple times for multiple configs. |`-g` | |Enable gem5 build or force its rebuild. |`-h` | |Show this help message. |`-I` | |Enable initramfs for the current build. diff --git a/kernel_config_fragment/default b/kernel_config_fragment/default index 8d8db07..f68dfcd 100644 --- a/kernel_config_fragment/default +++ b/kernel_config_fragment/default @@ -77,7 +77,7 @@ CONFIG_VIRTIO_BLK=y CONFIG_VIRTIO_NET=y # Misc -#CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y +CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y ## Networking 
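Review bot: The changed `printf` in `build` expands `${kernel_config_fragment_cli_file}` (a path under `${out_dir}`) inside the format string, so a `%` or backslash in that path is interpreted by `printf`, and a space in it would split the space-separated `BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES` list into bogus entries. Passing the values as arguments avoids the first problem: `printf 'BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="%s %s/default %s"\n' "$f" "$d" "$kernel_config_fragment_cli_file" >> "$config_file"`. Separately, the only reconfigure trigger visible here sits under `if "${linux_reconfigure}"`, so a `-c` option given without it possibly never reaches an already-configured kernel. Since this commit makes `CONFIG_FORTIFY_SOURCE` opt-in, a comment here telling users to confirm the option in the built kernel's `.config` would be worth adding. The enclosing `else` branch starts and ends outside the hunk.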
@@ -197,6 +197,3 @@ CONFIG_ARM64_PTDUMP=y # For record and replay. CONFIG_8139CP=y - -# Hardening -CONFIG_FORTIFY_SOURCE=y