Hardening options with Menuconfig

What are all the possible hardening settings under Menuconfig? I found a few listed in Config-build.in but I'm only seeing four in menuconfig (ASLR, user SSP, kernel SSP, buffer overflow detection, RELRO).

Any guides or info on where to find the rest? I found a couple listed here but again they're for the Config-build.in file, not menuconfig.

This is what I have, but with 128MB NAND flash.

iirc, those and what resides under Kernel build options

Thanks. I think I found all the ones mentioned in the article I linked, except this one:

CONFIG_PKG_FORTIFY_SOURCE_2=y

Where do I find that one in menuconfig?

Edit: Also, in Kernel Build Options, I'm not seeing much regarding hardening except for some logging features. Which ones are you talking about specifically? The undefined behavior sanity checker?

I was simply saying those were all I was aware of within the facility for which you were inquiring. If using the search function "/" does not yield what you are seeking, then I guess you will have to step out to kernel_menuconfig.

I found this:

Some settings break things and others degrade throughput by quite a bit.
The slab/slub, fortify source, etc seem to be ok...

I'm aware of the potential for breakage, but I'm only going to run 1 program on it.

And thanks for the script, but assuming it showed that sources were not fortified, then what? I still don't know where to find anything in menuconfig.

It would be nice if someone just had a list of corresponding kernel-config.in values for each menuconfig option. Or even a guide on menuconfig. There's got to be at least a thousand options in there.

Seems the help function on "Enable buffer-overflows detection..." provides the answer you seek. It changes the CLI compile options for generated code from 1 to 2. I would suggest that an eye to the environs in which the kernel is running on a router is important in regard to kernel hardening.

Oh okay, so the hardening settings listed here:

| Option | Default | Effect |
|---|---|---|
| CONFIG_PKG_CHECK_FORMAT_SECURITY=y | Yes | -Wformat -Werror=format-security |
| CONFIG_PKG_CC_STACKPROTECTOR_REGULAR=y | Yes | -fstack-protector |
| CONFIG_PKG_CC_STACKPROTECTOR_STRONG=y | | -fstack-protector-strong |
| CONFIG_KERNEL_CC_STACKPROTECTOR_REGULAR=y | Yes | Kernel config CONFIG_STACKPROTECTOR |
| CONFIG_KERNEL_CC_STACKPROTECTOR_STRONG=y | | Kernel config CONFIG_STACKPROTECTOR_STRONG |
| CONFIG_PKG_FORTIFY_SOURCE_1=y | Yes | -D_FORTIFY_SOURCE=1 (using fortify-headers for musl libc) |
| CONFIG_PKG_FORTIFY_SOURCE_2=y | | -D_FORTIFY_SOURCE=2 (using fortify-headers for musl libc) |
| CONFIG_PKG_RELRO_FULL=y | Yes | -Wl,-z,now -Wl,-z,relro |
| CONFIG_PKG_ASLR_PIE=y | | -PIE (some own spec file) |

are all found in "Hardening Build Options"? Thanks guys.

@anomeome What options were you thinking of earlier in kernel build options?

Also, is there any way to find out what each option in Menuconfig means? If this were possible then I could figure out the answers I need myself.
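As an added example (not posted by anyone in this thread), here is a way to answer the "then what?" question above: given a binary produced by the build, report which of the flags in the table actually took effect in it. It assumes a binutils `readelf` on PATH; for cross-built OpenWrt binaries substitute the toolchain's target-prefixed `readelf`.

```sh
#!/bin/sh
# Added example: check a built ELF binary for the effects of the
# "Hardening Build Options" flags (PIE, full RELRO, stack canary, fortify).
# Assumes binutils readelf; use the OpenWrt toolchain's <target>-readelf
# for cross-compiled binaries. Prints one "name=yes|no" line per property.

check_hardening() {
    bin="$1"
    [ -r "$bin" ] || { echo "cannot read $bin" >&2; return 2; }
    hdr=$(readelf -h "$bin" 2>/dev/null) || return 2
    prog=$(readelf -lW "$bin" 2>/dev/null)
    dyn=$(readelf -dW "$bin" 2>/dev/null)
    syms=$(readelf -W --dyn-syms "$bin" 2>/dev/null)

    # CONFIG_PKG_ASLR_PIE: a PIE executable has ELF type DYN, not EXEC.
    pie=no
    echo "$hdr" | grep -q 'Type:.*DYN' && pie=yes

    # CONFIG_PKG_RELRO_FULL: -z relro adds a GNU_RELRO segment, -z now adds
    # BIND_NOW (or the NOW bit in DT_FLAGS). Both together is "full" RELRO.
    relro=no; bindnow=no; full_relro=no
    echo "$prog" | grep -q 'GNU_RELRO' && relro=yes
    echo "$dyn" | grep -Eq 'BIND_NOW|FLAGS.*[[:space:]]NOW' && bindnow=yes
    [ "$relro" = yes ] && [ "$bindnow" = yes ] && full_relro=yes

    # CONFIG_PKG_CC_STACKPROTECTOR_*: canary checks call __stack_chk_fail.
    canary=no
    echo "$syms" | grep -q '__stack_chk_fail' && canary=yes

    # CONFIG_PKG_FORTIFY_SOURCE_*: on glibc, fortified calls become
    # __*_chk imports (e.g. __strcpy_chk); only present if some call in the
    # program was checkable. musl's fortify-headers inline the checks, so
    # this symbol test does not apply to OpenWrt's musl-built binaries.
    fortify=no
    echo "$syms" | grep -Eq '__[a-z_]+_chk([^a-z_]|$)' && fortify=yes

    printf 'pie=%s\nrelro=%s\nbind_now=%s\nfull_relro=%s\nstack_canary=%s\nfortify=%s\n' \
        "$pie" "$relro" "$bindnow" "$full_relro" "$canary" "$fortify"
}

# Usage: check_hardening /path/to/binary
[ -n "$1" ] && check_hardening "$1"
```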

https://github.com/openwrt/openwrt/tree/master/config

Nothing in those directories matches the options in menuconfig. The names are all different. How am I supposed to match an entry to its menuconfig name?

Omit the prefix and use the search:
https://github.com/openwrt/openwrt/search?q=PKG_RELRO_FULL

OK, thanks, that search feature helps.

As mentioned earlier, you can issue the / key inside menuconfig, and do a case-insensitive string search.

That will also display the available package description. Essentially it is searching through the packages, but doing it from inside menuconfig and kernel_menuconfig.
