From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <nickel@basealt.ru>
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
 sa.local.altlinux.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.3 required=5.0 tests=ALL_TRUSTED,BAYES_00,
 RP_MATCHES_RCVD autolearn=unavailable autolearn_force=no version=3.4.1
Message-ID: <f2b6380a-1dd9-790f-118d-3a3ff01e574d@basealt.ru>
Date: Wed, 11 May 2022 12:20:54 +0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.7.0
Content-Language: en-US
To: devel-kernel@lists.altlinux.org
References: <20220507184016.2539003-1-vt@altlinux.org>
From: Nikolai Kostrigin <nickel@basealt.ru>
In-Reply-To: <20220507184016.2539003-1-vt@altlinux.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [d-kernel] [PATCH std-def] config: Update some config options
X-BeenThere: devel-kernel@lists.altlinux.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ALT Linux kernel packages development
 <devel-kernel@lists.altlinux.org>
List-Id: ALT Linux kernel packages development
 <devel-kernel.lists.altlinux.org>
List-Unsubscribe: <https://lists.altlinux.org/mailman/options/devel-kernel>,
 <mailto:devel-kernel-request@lists.altlinux.org?subject=unsubscribe>
List-Archive: <http://lists.altlinux.org/pipermail/devel-kernel>
List-Post: <mailto:devel-kernel@lists.altlinux.org>
List-Help: <mailto:devel-kernel-request@lists.altlinux.org?subject=help>
List-Subscribe: <https://lists.altlinux.org/mailman/listinfo/devel-kernel>,
 <mailto:devel-kernel-request@lists.altlinux.org?subject=subscribe>
X-List-Received-Date: Wed, 11 May 2022 09:21:00 -0000
Archived-At: <http://lore.altlinux.org/devel-kernel/f2b6380a-1dd9-790f-118d-3a3ff01e574d@basealt.ru/>
List-Archive: <http://lore.altlinux.org/devel-kernel/>
List-Post: <mailto:devel-kernel@altlinux.org>

Здравствуйте!

07.05.2022 21:40, Vitaly Chikunov пишет:
> Based on suggestions from Alexey V. Vissarionov <gremlin@altlinux.org>,
> but not completely following them. All mistakes are mine.
> 
> - Mostly - add new hardware support.
> - Disable some legacy stuff.
> - Turn off SHA1 by default.
> - Set panic=60 by default.
> 
> Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
> ---
>   config | 115 ++++++++++++++++++++++++++++-----------------------------
>   1 file changed, 57 insertions(+), 58 deletions(-)
> 
[...]
> -CONFIG_PANIC_TIMEOUT=0
> +CONFIG_PANIC_TIMEOUT=60
>   CONFIG_LOCKUP_DETECTOR=y
>   CONFIG_SOFTLOCKUP_DETECTOR=y
>   # CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set


Хотелось бы еще внести предложение изменить во всех ядрах (un-def, std-def)

diff --git a/config b/config
index a41e871016a8..be80ba93c04d 100644
--- a/config
+++ b/config
@@ -2323,7 +2323,7 @@ CONFIG_UEFI_CPER=y
  CONFIG_UEFI_CPER_X86=y
  CONFIG_EFI_DEV_PATH_PARSER=y
  CONFIG_EFI_EARLYCON=y
-CONFIG_EFI_CUSTOM_SSDT_OVERLAYS=y
+# CONFIG_EFI_CUSTOM_SSDT_OVERLAYS is not set

  #
  # Tegra firmware driver


ввиду того, что включение этой опции считается потенциальной уязвимостью 
для режима UEFI SB [1].

"Is kernel upstream commit 75b0cea7bf307f362057cc778efe89af4c615354 
present in your kernel, if you boot chain includes a Linux kernel ?
[...]

And the configuration setting CONFIG_EFI_CUSTOM_SSDT_OVERLAYS is disabled."


[1] https://github.com/rhboot/shim-review/issues/233

-- 
Best regards,
Nikolai Kostrigin