Re: [d-kernel] [PATCH std-def] config: Update some config options

[Vitaly Chikunov <vt@altlinux.org>]

On Wed, May 11, 2022 at 12:20:54PM +0300, Nikolai Kostrigin wrote:
> Здравствуйте!
> 
> 07.05.2022 21:40, Vitaly Chikunov пишет:
> > Based on suggestions from Alexey V. Vissarionov <gremlin@altlinux.org>,
> > but not completely following them. All mistakes are mine.
> > 
> > - Mostly - add new hardware support.
> > - Disable some legacy stuff.
> > - Turn off SHA1 by default.
> > - Set panic=60 by default.
> > 
> > Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
> > ---
> >   config | 115 ++++++++++++++++++++++++++++-----------------------------
> >   1 file changed, 57 insertions(+), 58 deletions(-)
> > 
> [...]
> > -CONFIG_PANIC_TIMEOUT=0
> > +CONFIG_PANIC_TIMEOUT=60
> >   CONFIG_LOCKUP_DETECTOR=y
> >   CONFIG_SOFTLOCKUP_DETECTOR=y
> >   # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
> 
> 
> Хотелось бы еще внести предложение изменить во всех ядрах (un-def, std-def)
> 
> diff --git a/config b/config
> index a41e871016a8..be80ba93c04d 100644
> --- a/config
> +++ b/config
> @@ -2323,7 +2323,7 @@ CONFIG_UEFI_CPER=y
>  CONFIG_UEFI_CPER_X86=y
>  CONFIG_EFI_DEV_PATH_PARSER=y
>  CONFIG_EFI_EARLYCON=y
> -CONFIG_EFI_CUSTOM_SSDT_OVERLAYS=y
> +# CONFIG_EFI_CUSTOM_SSDT_OVERLAYS is not set
> 
>  #
>  # Tegra firmware driver
> 
> 
> ввиду того, что включение этой опции считается потенциальной уязвимостью для
> режима UEFI SB [1].
> 
> "Is kernel upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 present
> in your kernel, if you boot chain includes a Linux kernel ?

Так у нас этот коммит есть, следовательно угрозы от
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS не должно быть?

> [...]
> 
> And the configuration setting CONFIG_EFI_CUSTOM_SSDT_OVERLAYS is disabled."
> 
> 
> [1] https://github.com/rhboot/shim-review/issues/233
> 
> -- 
> Best regards,
> Nikolai Kostrigin
> _______________________________________________
> devel-kernel mailing list
> devel-kernel@lists.altlinux.org
> https://lists.altlinux.org/mailman/listinfo/devel-kernel