At #45 (comment) @thedeadliestcatch wrote:

> I would strongly suggest considering building monolithic kernels with a minimal config. If you transition away from HVM to pvgrub, and even if you don't, it will be a good idea. Removing LKM support has several benefits in terms of reducing attack surface in the kernel for ROP and code injection scenarios (after all, LKM support comes with the implicit need for a dynamic linker in kernel space).

I replied:

> This is a good point and something I started wondering about mid-last week, whether there was any benefit to building individual modules. I'll look into doing a monolithic build.

From what I can tell we just need to change all the `m` settings to `y` and then turn off `CONFIG_MODULES`. We should make sure that the blacklisted modules (see freedomofpress/securedrop#1886) are disabled at build-time as well.
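The rewrite described in the issue body (every `=m` becomes `=y`, `CONFIG_MODULES` is turned off, and the blacklisted modules are forced off at build time), as an added example that is not code from the SecureDrop project or from this issue. It assumes a constructed `.config` fragment and placeholder blacklist symbols (`CONFIG_PLACEHOLDER_MOD_A`, `CONFIG_PLACEHOLDER_MOD_B`), since the real list from freedomofpress/securedrop#1886 is not on this page, and it uses `sed`/`grep` so it runs outside a kernel tree:

```shell
#!/bin/sh
# Added example (not from the securedrop issue or project): convert a kernel
# .config into a monolithic one and verify the result.
# Assumptions: the blacklist symbols below are placeholders (the real list in
# freedomofpress/securedrop#1886 is not on this page) and the sample .config
# fragment is constructed here, not a real SecureDrop config.

# Config symbols that must stay disabled at build time (placeholder names).
BLACKLIST="CONFIG_PLACEHOLDER_MOD_A CONFIG_PLACEHOLDER_MOD_B"

# Write a constructed .config fragment to $1.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
CONFIG_EXT4_FS=y
CONFIG_XEN_BLKDEV_FRONTEND=m
CONFIG_PLACEHOLDER_MOD_A=m
# CONFIG_PLACEHOLDER_MOD_B is not set
CONFIG_GRKERNSEC=y
EOF
}

# Rewrite $1 into $2: every =m becomes =y (built in), CONFIG_MODULES is turned
# off, and every blacklisted symbol ends up as "# SYM is not set" regardless of
# what the input said about it.
make_monolithic() {
    in="$1"; out="$2"
    sed -e 's/^\(CONFIG_[A-Z0-9_]*\)=m$/\1=y/' \
        -e 's/^CONFIG_MODULES=.*$/# CONFIG_MODULES is not set/' "$in" > "$out"
    for sym in $BLACKLIST; do
        # drop any existing line for the symbol, then append the disabled form
        grep -v -e "^$sym=" -e "^# $sym is not set" "$out" > "$out.tmp" \
            && mv "$out.tmp" "$out"
        echo "# $sym is not set" >> "$out"
    done
}

# Check $1: return 0 if no =m entries remain, CONFIG_MODULES is off, and no
# blacklisted symbol is enabled; otherwise print each violation and return 1.
check_monolithic() {
    cfg="$1"; rc=0
    if grep -q '^CONFIG_[A-Z0-9_]*=m$' "$cfg"; then
        echo "still built as modules:"
        grep '^CONFIG_[A-Z0-9_]*=m$' "$cfg"
        rc=1
    fi
    if grep -q '^CONFIG_MODULES=y$' "$cfg"; then
        echo "CONFIG_MODULES is still enabled"
        rc=1
    fi
    for sym in $BLACKLIST; do
        if grep -q "^$sym=[ym]$" "$cfg"; then
            echo "blacklisted $sym is enabled"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh monolithic.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_sample_config "$tmp/before.config"
    check_monolithic "$tmp/before.config" || echo "before.config needs work"
    make_monolithic "$tmp/before.config" "$tmp/after.config"
    check_monolithic "$tmp/after.config" && echo "after.config is monolithic"
    cat "$tmp/after.config"
fi
```

Inside a real kernel tree the same per-symbol changes can be made with the tree's own `scripts/config` helper (for example `scripts/config --disable MODULES`), and either way the edited file should be passed through `make olddefconfig` afterwards so Kconfig drops symbols whose dependencies no longer hold (such as `CONFIG_MODULE_UNLOAD` once `CONFIG_MODULES` is off) and the check above is re-run on the result.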
Oh heh, we already have an open issue about needing at least 1G memory: freedomofpress/securedrop-workstation#838. I never got around to digging into it further, are you saying it's just a requirement of the grsec patches?