From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Wed, 11 May 2022 20:02:48 +0300
From: Vitaly Chikunov
To: ALT Linux kernel packages development
Message-ID: <20220511170248.utoxca4z2zdqxfmz@altlinux.org>
References: <20220507184016.2539003-1-vt@altlinux.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Subject: Re: [d-kernel] [PATCH std-def] config: Update some config options
X-BeenThere: devel-kernel@lists.altlinux.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ALT Linux kernel packages development
List-Id: ALT Linux kernel packages development
X-List-Received-Date: Wed, 11 May 2022 17:02:49 -0000

On Wed, May 11, 2022 at 12:20:54PM +0300, Nikolai Kostrigin wrote:
> Hello!
>
> 07.05.2022 21:40, Vitaly Chikunov wrote:
> > Based on suggestions from Alexey V. Vissarionov,
> > but not completely following them. All mistakes are mine.
> >
> > - Mostly - add new hardware support.
> > - Disable some legacy stuff.
> > - Turn off SHA1 by default.
> > - Set panic=60 by default.
> >
> > Signed-off-by: Vitaly Chikunov
> > ---
> > config | 115 ++++++++++++++++++++++++++++----------------------------
> > 1 file changed, 57 insertions(+), 58 deletions(-)
> >
> [...]
> > -CONFIG_PANIC_TIMEOUT=0
> > +CONFIG_PANIC_TIMEOUT=60
> > CONFIG_LOCKUP_DETECTOR=y
> > CONFIG_SOFTLOCKUP_DETECTOR=y
> > # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
> >
> I would also like to propose a change in all kernels (un-def, std-def)
>
> diff --git a/config b/config
> index a41e871016a8..be80ba93c04d 100644
> --- a/config
> +++ b/config
> @@ -2323,7 +2323,7 @@ CONFIG_UEFI_CPER=y
> CONFIG_UEFI_CPER_X86=y
> CONFIG_EFI_DEV_PATH_PARSER=y
> CONFIG_EFI_EARLYCON=y
> -CONFIG_EFI_CUSTOM_SSDT_OVERLAYS=y
> +# CONFIG_EFI_CUSTOM_SSDT_OVERLAYS is not set
>
> #
> # Tegra firmware driver
>
>
> because enabling this option is considered a potential vulnerability for
> UEFI SB mode [1].
>
> "Is kernel upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 present
> in your kernel, if you boot chain includes a Linux kernel ?

But we do have this commit, so there should be no threat from
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS?

> [...]
>
> And the configuration setting CONFIG_EFI_CUSTOM_SSDT_OVERLAYS is disabled."
>
>
> [1] https://github.com/rhboot/shim-review/issues/233
>
> --
> Best regards,
> Nikolai Kostrigin
> _______________________________________________
> devel-kernel mailing list
> devel-kernel@lists.altlinux.org
> https://lists.altlinux.org/mailman/listinfo/devel-kernel
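
Review bot: in the CONFIG_PANIC_TIMEOUT hunk, the switch from 0 to 60 changes what a panicked machine does (it now reboots after 60 seconds instead of staying halted), and the commit message only says "Set panic=60 by default" without giving a reason. Please add a sentence on why 60 was chosen, and mention that the default can still be overridden at boot with panic= or at run time through the kernel.panic sysctl, so that admins who rely on the panic output staying on the console know how to restore the old behaviour.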
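
Review bot: the CONFIG_EFI_CUSTOM_SSDT_OVERLAYS hunk arrives without a commit message or Signed-off-by, and it edits a single config file although the proposal is for all kernels (un-def, std-def). Please send it as a separate patch per branch, with a description that cites [1] and states whether the option is being turned off to match the quoted shim-review wording or because it is still considered a risk with commit 75b0cea7bf307f362057cc778efe89af4c615354 present, since that point is questioned in this thread.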