This repository has been archived by the owner on Mar 30, 2021. It is now read-only.

updated securedrop-workstation config for 4.14.182 build #58

Closed
wants to merge 2 commits into from

Conversation

zenmonkeykstop
Contributor

Version bump for 4.14.182 grsec kernel (no config changes in this version).

@emkll
Contributor

emkll commented Jun 4, 2020

From a system booted on the kernel, I observe that the config is different from the one provided here (see diff below). Can you confirm this is also the case for you?

I think that we should capture here the config of the running kernel, not the one that was used as input to the build, as the makefile targets may automatically enable config options by default or resolve conflicts. What do you think?

diff --git a/files/config-securedrop-workstation-4.14 b/files/config-securedrop-workstation-4.14
index 87d4b90..7b988da 100644
--- a/files/config-securedrop-workstation-4.14
+++ b/files/config-securedrop-workstation-4.14
@@ -11,6 +11,7 @@ CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
 CONFIG_LOCKDEP_SUPPORT=y
 CONFIG_STACKTRACE_SUPPORT=y
 CONFIG_MMU=y
+CONFIG_ALIGN_INIT_TEXT_BITS=4
 CONFIG_ARCH_MMAP_RND_BITS_MIN=28
 CONFIG_ARCH_MMAP_RND_BITS_MAX=32
 CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
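Review bot: the symbol added in this hunk, CONFIG_ALIGN_INIT_TEXT_BITS=4, has no `# ... is not set` counterpart in the committed file, so it was never offered as a choice in the input config; that supports the point in the comment above that Kconfig selects and resolves options during the build rather than the input file being authoritative. To make the committed file reproducible, please record in the PR description (or alongside files/) how the running config was captured, for example from /proc/config.gz where CONFIG_IKCONFIG_PROC is enabled, or from the .config left in the build tree.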
@@ -310,10 +311,7 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 # CONFIG_GCC_PLUGIN_STRUCTLEAK_VERBOSE is not set
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
 CONFIG_HAVE_CC_STACKPROTECTOR=y
-CONFIG_CC_STACKPROTECTOR=y
-# CONFIG_CC_STACKPROTECTOR_NONE is not set
-# CONFIG_CC_STACKPROTECTOR_REGULAR is not set
-CONFIG_CC_STACKPROTECTOR_STRONG=y
+# CONFIG_CC_STACKPROTECTOR is not set
 CONFIG_THIN_ARCHIVES=y
 CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y
 CONFIG_HAVE_CONTEXT_TRACKING=y
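Review bot: this hunk drops the stack protector from the committed config: `-CONFIG_CC_STACKPROTECTOR_STRONG=y` becomes `+# CONFIG_CC_STACKPROTECTOR is not set`, while `CONFIG_HAVE_CC_STACKPROTECTOR=y` stays, so the toolchain supports it but the running kernel reports it switched off. Before merging the captured config, confirm whether that is an expected consequence of the grsecurity/PaX options the same capture enables (the RAP sub-options in the later hunk) or a build regression, for instance by checking the .config used for the build with `scripts/config --state CC_STACKPROTECTOR_STRONG` and the compiler flags in the build log; a hardening option silently going from strong to unset is exactly the kind of drift this diff is meant to surface.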
@@ -327,6 +325,7 @@ CONFIG_HAVE_MOD_ARCH_SPECIFIC=y
 CONFIG_MODULES_USE_ELF_RELA=y
 CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
 CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
+CONFIG_ARCH_ALIGN_INIT_TEXT_SECTIONS=y
 CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
 CONFIG_HAVE_EXIT_THREAD=y
 CONFIG_ARCH_MMAP_RND_BITS=28
@@ -347,6 +346,7 @@ CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y
 CONFIG_STRICT_KERNEL_RWX=y
 CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y
 CONFIG_ARCH_HAS_REFCOUNT=y
+CONFIG_HAVE_ARCH_COMPILER_H=y
 
 #
 # GCOV-based kernel profiling
@@ -7748,6 +7748,7 @@ CONFIG_UNWINDER_ORC=y
 # Grsecurity
 #
 CONFIG_ARCH_NEEDS_NX=y
+CONFIG_PLUGIN_WANTS_ASMMACRO=y
 CONFIG_PAX_PER_CPU_PGD=y
 CONFIG_GRKERNSEC=y
 CONFIG_GRKERNSEC_CONFIG_AUTO=y
@@ -7833,11 +7834,16 @@ CONFIG_PAX_SIZE_OVERFLOW=y
 CONFIG_HAVE_PAX_INITIFY_INIT_EXIT=y
 CONFIG_PAX_LATENT_ENTROPY=y
 CONFIG_PAX_RAP_PLUGIN=y
+CONFIG_PAX_RAP_HASH=y
 CONFIG_PAX_RAP=y
+CONFIG_PAX_RAP_CALL=y
+CONFIG_PAX_RAP_RET=y
+CONFIG_PAX_RAP_XOR=y
 CONFIG_PAX_RESPECTRE_PLUGIN=y
 # CONFIG_PAX_RESPECTRE_PLUGIN_LOOPINDEX is not set
 # CONFIG_PAX_RESPECTRE_PLUGIN_SSB is not set
 # CONFIG_PAX_RESPECTRE_PLUGIN_VERBOSE is not set
+CONFIG_WANTS_HIDDEN_OBJECT_PATHS=y
 
 #
 # Memory Protections
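Review bot: the RAP sub-options CONFIG_PAX_RAP_HASH, CONFIG_PAX_RAP_CALL, CONFIG_PAX_RAP_RET and CONFIG_PAX_RAP_XOR, together with CONFIG_WANTS_HIDDEN_OBJECT_PATHS, appear as new `=y` lines with no prior `is not set` entry, so, like the first hunk, they were selected during the build rather than chosen in the committed file. Since these decide which RAP checks the kernel is actually built with, the captured config is the one worth keeping in the repo; consider listing the security-relevant symbols that changed between the input and running config in the PR description so reviewers do not have to read the whole config to find them.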

@zenmonkeykstop
Contributor Author

Makes sense to me - it would be good to either have the config updated as part of the build, or include instructions to fire up the kernel and update the config manually. I built in a temporary VM that is now dead but I can update the PR with the config from a VM running 4.14.182-grsec-workstation now.

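The check emkll proposes above (capture the running kernel's config and compare it with the committed file instead of trusting the build input) and the manual "boot the kernel and update the config" step zenmonkeykstop mentions can be scripted. The following is an added example written for this thread; it is not code from securedrop-workstation or from this PR. It assumes the committed file is in standard Kconfig .config format (an unset bool appears as `# CONFIG_FOO is not set`) and that the running kernel's config is readable from /proc/config.gz (which needs CONFIG_IKCONFIG_PROC) or /boot/config-<release>. The sample inputs at the bottom are constructed excerpts modelled on the hunks above, not real captures.

```python
"""Compare a committed kernel .config with the config of the running kernel.

Added example for this thread, not securedrop-workstation code. Assumes the
standard .config format and a readable /proc/config.gz or /boot/config-<release>.
"""
import gzip
import os
import re
import sys

NOT_SET = "n"  # canonical value for '# CONFIG_X is not set'
_SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_config(text):
    """Map CONFIG_* symbols to values; 'is not set' becomes NOT_SET, other
    comments and blank lines are ignored, string values keep their quotes."""
    symbols = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET_RE.match(line)
        if m:
            symbols[m.group(1)] = m.group(2)
            continue
        m = _UNSET_RE.match(line)
        if m:
            symbols[m.group(1)] = NOT_SET
    return symbols


def diff_configs(committed, running):
    """Symbols whose state differs: symbol -> (committed_value, running_value).
    None means the symbol is absent on that side, which is distinct from
    NOT_SET (the symbol was offered by Kconfig but switched off)."""
    delta = {}
    for sym in sorted(set(committed) | set(running)):
        a, b = committed.get(sym), running.get(sym)
        if a != b:
            delta[sym] = (a, b)
    return delta


def _is_on(value):
    return value not in (None, NOT_SET)


def regressions(delta):
    """Symbols on in the committed file but off or absent in the running
    kernel: protections the build silently dropped."""
    return sorted(s for s, (a, b) in delta.items() if _is_on(a) and not _is_on(b))


def newly_enabled(delta):
    """Symbols the build turned on that the committed file never set: the
    options Kconfig selected or defaulted on its own."""
    return sorted(s for s, (a, b) in delta.items() if not _is_on(a) and _is_on(b))


def load_running_config_text(path=None):
    """Read the running kernel's config, preferring /proc/config.gz and falling
    back to /boot/config-<release>; raises FileNotFoundError if neither exists."""
    if path is None:
        proc = "/proc/config.gz"
        path = proc if os.path.exists(proc) else "/boot/config-" + os.uname().release
    if path.endswith(".gz"):
        with gzip.open(path, "rt") as fh:
            return fh.read()
    with open(path) as fh:
        return fh.read()


# Constructed excerpts modelled on the hunks in the thread; not real captures.
COMMITTED_SAMPLE = """\
CONFIG_MMU=y
CONFIG_ARCH_MMAP_RND_BITS_MIN=28
CONFIG_HAVE_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_NONE is not set
# CONFIG_CC_STACKPROTECTOR_REGULAR is not set
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_PAX_RAP=y
"""
RUNNING_SAMPLE = """\
CONFIG_MMU=y
CONFIG_ALIGN_INIT_TEXT_BITS=4
CONFIG_ARCH_MMAP_RND_BITS_MIN=28
CONFIG_HAVE_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR is not set
CONFIG_PAX_RAP=y
CONFIG_PAX_RAP_CALL=y
CONFIG_PAX_RAP_RET=y
"""


def report(committed_text, running_text):
    """Return (delta, dropped_protections, build_selected) for two config texts."""
    delta = diff_configs(parse_config(committed_text), parse_config(running_text))
    return delta, regressions(delta), newly_enabled(delta)


if __name__ == "__main__":
    # Usage: python3 config_drift.py files/config-securedrop-workstation-4.14
    # Without an argument the constructed samples above are compared.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            committed, running = fh.read(), load_running_config_text()
    else:
        committed, running = COMMITTED_SAMPLE, RUNNING_SAMPLE
    delta, lost, gained = report(committed, running)
    for sym, (a, b) in delta.items():
        print(f"{sym}: committed={a!r} running={b!r}")
    print("dropped protections:", lost)
    print("selected by the build:", gained)
    sys.exit(1 if lost else 0)
```

Run on the real tree, the script exits non-zero whenever a symbol that was on in the committed file is off or missing in the running kernel, which is the case the stack-protector hunk above illustrates; the "selected by the build" list is the set of options Kconfig enabled on its own, which is what makes the captured config, rather than the build input, the one worth committing.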
@zenmonkeykstop
Contributor Author

Superseded, closing


2 participants