SoylentNews is people

The Status of Linux Kernel Hardening

Accepted submission by Phoenix666 at 2016-11-10 20:48:11
OS

At the 2015 Kernel Summit [soylentnews.org], Kees Cook said,
he talked mostly about the things that the community could be doing
to improve the security of the kernel. In 2016, instead, he was there to
talk about what had actually been done. Kernel hardening [lwn.net], he reminded the
group, is not about access control or fixing bugs. Instead, it is about
the kernel protecting itself, eliminating classes of exploits, and reducing
its attack surface. There is still a lot to be done in this area, but the
picture is better than it was one year ago.

One area of progress is in the integration of [soylentnews.org]
GCC plugins into the build system. The plugins in the kernel now are
mostly examples, but there will be more interesting ones coming in the
future. Plugins are currently supported for the x86, arm, and arm64
architectures; he would like to see that list grow, but he needs help from
the architecture maintainers to validate the changes. Plugins are also not
yet used for routine kernel compile testing, since it is hard to get the
relevant sites to install the needed dependencies.

Linus asked how much plugins would slow the kernel build process;
linux-next maintainer Stephen Rothwell also expressed interest in that
question, noting that "some of us do compiles all day." Kees responded
that there hadn't been a lot of benchmarking done, but that the cost was
"not negligible." It is, though, an important part of protecting the
kernel.
