Open Source and information security mailing list archives
 
Message-ID: <aBnxGuJDCteDU70Y@gmail.com>
Date: Tue, 6 May 2025 13:23:06 +0200
From: Ingo Molnar <mingo@...nel.org>
To: Ivan Shapovalov <intelfx@...elfx.name>
Cc: linux-kernel@...r.kernel.org, "H . Peter Anvin" <hpa@...or.com>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Peter Zijlstra <peterz@...radead.org>,
	Borislav Petkov <bp@...en8.de>,
	Thomas Gleixner <tglx@...utronix.de>,
	Ard Biesheuvel <ardb@...nel.org>, Arnd Bergmann <arnd@...db.de>,
	David Woodhouse <dwmw@...zon.co.uk>,
	Masahiro Yamada <yamada.masahiro@...ionext.com>,
	Michal Marek <michal.lkml@...kovi.net>
Subject: Re: [PATCH 12/15] x86/kconfig/64: Enable popular kernel debugging
 options in the defconfig


* Ivan Shapovalov <intelfx@...elfx.name> wrote:

> On 2025-05-05 at 13:09 +0200, Ingo Molnar wrote:
> > 
> >  - CONFIG_DEBUG_LIST=y:
> > 
> >      Fedora/RHEL have it enabled, while Ubuntu has it disabled.
> 
> (Please forgive my potential ignorance.)
> 
> If I'm guessing right, the point of CONFIG_DEBUG_LIST being enabled
> everywhere is probably more about hardening than debugging, and given
> that since 6.6 we have a CONFIG_LIST_HARDENED[1], wouldn't it make more
> sense to use that instead?

Yeah, I agree, and I've just changed it to CONFIG_LIST_HARDENED=y, 
which I agree is the more sensible default.

> Or is the point here to exactly follow the typical distro config,
> without regard to whether it's actually the optimal thing to do?
> 
> [1]: https://lore.kernel.org/all/20230811151847.1594958-3-elver@google.com/

So Ubuntu doesn't have it:

  /boot/config-6.11.0-25-generic:# CONFIG_LIST_HARDENED is not set

While Fedora has it:

  .config.fedora.generic:CONFIG_LIST_HARDENED=y

in which case it's basically a judgement call whether to do it in the 
defconfig. I agree that DEBUG_LIST=y is pretty heavy-handed, 
LIST_HARDENED=y looks better to me.

But when all major distros have an option enabled then I think in most 
cases the right policy is to enable it in our defconfig as well, 
because the option has become ubiquitous and we'd be denying reality by 
not having it in our regular tests.

Thanks,

	Ingo
