Description
Working on enabling several kernel hardening flags in our custom Yocto-based kernel recipe.
After consulting with upstream maintainers, we were advised to use:
KERNEL_FEATURES:append = " features/security/security.scc", which pulls .scc files from yocto-kernel-cache.
However, we want to ensure our approach aligns with Yocto mainline practices, where yocto-kernel-cache holds feature-based configuration files.
These are typically enabled using the "KERNEL_FEATURES:append" variable, which pulls in .scc files that reference relevant config fragments.
Examples of the security flags that we are looking at:
- CONFIG_SLAB_FREELIST_RANDOM=y
- CONFIG_SLAB_FREELIST_HARDENED=y
- CONFIG_HARDENED_USERCOPY=y
- CONFIG_FORTIFY_SOURCE=y
....
I don't see .scc files being used in linux-qcom-next — or am I missing something?
What would be the recommended approach to enable these configs: should we go with security.cfg under configs/, or is there a better way suggested?
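
Added example, not part of the original issue or of the linux-qcom-next or yocto-kernel-cache code: whichever route carries the fragment (an .scc feature or a plain .cfg file), Kconfig can silently drop an option whose dependencies are unmet, so the final .config is worth auditing against the fragment. The fragment and .config text are constructed samples, and `parse_kconfig` and `audit_fragment` are hypothetical helper names.

```python
import re

# Constructed fragment: the four options named in the issue (hypothetical security.cfg).
FRAGMENT = """\
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
"""

# Constructed excerpt of a final kernel .config, for illustration only.
SAMPLE_DOTCONFIG = """\
CONFIG_SLAB_FREELIST_RANDOM=y
# CONFIG_SLAB_FREELIST_HARDENED is not set
CONFIG_HARDENED_USERCOPY=y
"""

_SET = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")

def parse_kconfig(text):
    """Map option name -> value; 'n' for '# CONFIG_X is not set' lines."""
    opts = {}
    for line in text.splitlines():
        m = _SET.match(line.strip())
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line.strip())
        if m:
            opts[m.group(1)] = "n"
    return opts

def audit_fragment(fragment_text, dotconfig_text):
    """Return {option: (requested, actual)}; actual is None if absent from .config."""
    wanted = parse_kconfig(fragment_text)
    actual = parse_kconfig(dotconfig_text)
    problems = {}
    for name, value in wanted.items():
        got = actual.get(name)
        # A request for 'n' is also satisfied when the option is absent.
        if got != value and not (value == "n" and got is None):
            problems[name] = (value, got)
    return problems

if __name__ == "__main__":
    for name, (want, got) in audit_fragment(FRAGMENT, SAMPLE_DOTCONFIG).items():
        print(f"{name}: requested {want}, final .config has {got or 'nothing'}")
```

In a real build, the two inputs would be the fragment file and the .config from the kernel build directory, read from disk instead of the inline samples.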