<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="/rss.xsl.xml"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
    <title>Changes in Kconfig.hardening</title>
    <description></description>
    <language>en</language>
    <copyright>Copyright 2015</copyright>
    <generator>Java</generator><item>
        <title>f5c68a4e - hardening: Disable GCC randstruct for COMPILE_TEST</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/Kconfig.hardening#f5c68a4e</link>
        <description>hardening: Disable GCC randstruct for COMPILE_TESTThere is a GCC crash bug in the randstruct for latest GCC versions thatis being tickled by landlock[1]. Temporarily disable GCC randstruct forCOMPILE_TEST builds to unbreak CI systems for the coming -rc2. This canbe restored once the bug is fixed.Suggested-by: Mark Brown &lt;broonie@kernel.org&gt;Link: https://lore.kernel.org/all/20250407-kbuild-disable-gcc-plugins-v1-1-5d46ae583f5e@kernel.org/ [1]Acked-by: Mark Brown &lt;broonie@kernel.org&gt;Acked-by: Arnd Bergmann &lt;arnd@arndb.de&gt;Link: https://lore.kernel.org/r/20250409151154.work.872-kees@kernel.orgSigned-off-by: Kees Cook &lt;kees@kernel.org&gt;

            List of files:
            /linux-6.15/security/Kconfig.hardening</description>
        <pubDate>Wed, 09 Apr 2025 15:11:58 +0000</pubDate>
        <dc:creator>Kees Cook &lt;kees@kernel.org&gt;</dc:creator>
    </item>
<item>
        <title>d70da124 - hardening: Enable i386 FORTIFY_SOURCE on Clang 16+</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/Kconfig.hardening#d70da124</link>
        <description>hardening: Enable i386 FORTIFY_SOURCE on Clang 16+The i386 regparm bug exposed with FORTIFY_SOURCE with Clang was fixedin Clang 16[1].Link: https://github.com/llvm/llvm-project/commit/c167c0a4dcdb998affb2756ce76903a12f7d8ca5 [1]Reviewed-by: Nathan Chancellor &lt;nathan@kernel.org&gt;Link: https://lore.kernel.org/r/20250308042929.1753543-2-kees@kernel.orgSigned-off-by: Kees Cook &lt;kees@kernel.org&gt;

            List of files:
            /linux-6.15/security/Kconfig.hardening</description>
        <pubDate>Sat, 08 Mar 2025 04:29:26 +0000</pubDate>
        <dc:creator>Kees Cook &lt;kees@kernel.org&gt;</dc:creator>
    </item>
<item>
        <title>ca758b14 - fortify: Move FORTIFY_SOURCE under &apos;Kernel hardening options&apos;</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/Kconfig.hardening#ca758b14</link>
        <description>fortify: Move FORTIFY_SOURCE under &apos;Kernel hardening options&apos;FORTIFY_SOURCE is a hardening option both at build and runtime. Moveit under &apos;Kernel hardening options&apos;.Signed-off-by: Mel Gorman &lt;mgorman@techsingularity.net&gt;Acked-by: Paul Moore &lt;paul@paul-moore.com&gt;Link: https://lore.kernel.org/r/20250123221115.19722-5-mgorman@techsingularity.netSigned-off-by: Kees Cook &lt;kees@kernel.org&gt;

            List of files:
            /linux-6.15/security/Kconfig.hardening</description>
        <pubDate>Thu, 23 Jan 2025 22:11:15 +0000</pubDate>
        <dc:creator>Mel Gorman &lt;mgorman@techsingularity.net&gt;</dc:creator>
    </item>
<item>
        <title>d2132f45 - mm: security: Allow default HARDENED_USERCOPY to be set at compile time</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/Kconfig.hardening#d2132f45</link>
        <description>mm: security: Allow default HARDENED_USERCOPY to be set at compile timeHARDENED_USERCOPY defaults to on if enabled at compile time. Allowhardened_usercopy= default to be set at compile time similar toinit_on_alloc= and init_on_free=. The intent is that hardeningoptions that can be disabled at runtime can set their default atbuild time.Signed-off-by: Mel Gorman &lt;mgorman@techsingularity.net&gt;Link: https://lore.kernel.org/r/20250123221115.19722-3-mgorman@techsingularity.netSigned-off-by: Kees Cook &lt;kees@kernel.org&gt;

            List of files:
            /linux-6.15/security/Kconfig.hardening</description>
        <pubDate>Thu, 23 Jan 2025 22:11:13 +0000</pubDate>
        <dc:creator>Mel Gorman &lt;mgorman@techsingularity.net&gt;</dc:creator>
    </item>
<item>
        <title>f4d4e8b9 - mm: security: Move hardened usercopy under &apos;Kernel hardening options&apos;</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/Kconfig.hardening#f4d4e8b9</link>
        <description>mm: security: Move hardened usercopy under &apos;Kernel hardening options&apos;There is a submenu for &apos;Kernel hardening options&apos; under &quot;Security&quot;.Move HARDENED_USERCOPY under the hardening options as it is clearlyrelated.Signed-off-by: Mel Gorman &lt;mgorman@techsingularity.net&gt;Acked-by: Paul Moore &lt;paul@paul-moore.com&gt;Link: https://lore.kernel.org/r/20250123221115.19722-2-mgorman@techsingularity.netSigned-off-by: Kees Cook &lt;kees@kernel.org&gt;

            List of files:
            /linux-6.15/security/Kconfig.hardening</description>
        <pubDate>Thu, 23 Jan 2025 22:11:12 +0000</pubDate>
        <dc:creator>Mel Gorman &lt;mgorman@techsingularity.net&gt;</dc:creator>
    </item>
<item>
        <title>a9a5e0bd - hardening: Document INIT_STACK_ALL_PATTERN behavior with GCC</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/Kconfig.hardening#a9a5e0bd</link>
        <description>hardening: Document INIT_STACK_ALL_PATTERN behavior with GCCThe help text for INIT_STACK_ALL_PATTERN documents the patterns used byClang, but lacks documentation for GCC.Signed-off-by: Geert Uytterhoeven &lt;geert+renesas@glider.be&gt;Link: https://lore.kernel.org/r/293d29d6a0d1823165be97285c1bc73e90ee9db8.1736239070.git.geert+renesas@glider.beSigned-off-by: Kees Cook &lt;kees@kernel.org&gt;

            List of files:
            /linux-6.15/security/Kconfig.hardening</description>
        <pubDate>Tue, 07 Jan 2025 08:38:57 +0000</pubDate>
        <dc:creator>Geert Uytterhoeven &lt;geert+renesas@glider.be&gt;</dc:creator>
    </item>
<item>
        <title>dd3a7ee9 - hardening: Adjust dependencies in selection of MODVERSIONS</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/Kconfig.hardening#dd3a7ee9</link>
        <description>hardening: Adjust dependencies in selection of MODVERSIONSMODVERSIONS recently grew a dependency on !COMPILE_TEST so that Rustcould be more easily tested. However, this introduces a Kconfig warningwhen building allmodconfig with a clang version that supports RANDSTRUCTnatively because RANDSTRUCT_FULL and RANDSTRUCT_PERFORMANCE selectMODVERSIONS when MODULES is enabled, bypassing the !COMPILE_TESTdependency:  WARNING: unmet direct dependencies detected for MODVERSIONS    Depends on [n]: MODULES [=y] &amp;&amp; !COMPILE_TEST [=y]    Selected by [y]:    - RANDSTRUCT_FULL [=y] &amp;&amp; (CC_HAS_RANDSTRUCT [=y] || GCC_PLUGINS [=n]) &amp;&amp; MODULES [=y]Add the !COMPILE_TEST dependency to the selections to clear up thewarning.Fixes: 1f9c4a996756 (&quot;Kbuild: make MODVERSIONS support depend on not being a compile test build&quot;)Signed-off-by: Nathan Chancellor &lt;nathan@kernel.org&gt;Link: https://lore.kernel.org/r/20240928-fix-randstruct-modversions-kconfig-warning-v1-1-27d3edc8571e@kernel.orgSigned-off-by: Kees Cook &lt;kees@kernel.org&gt;

            List of files:
            /linux-6.15/security/Kconfig.hardening</description>
        <pubDate>Sat, 28 Sep 2024 18:13:13 +0000</pubDate>
        <dc:creator>Nathan Chancellor &lt;nathan@kernel.org&gt;</dc:creator>
    </item>
<item>
        <title>384a746b - Revert &quot;mm: init_mlocked_on_free_v3&quot;</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/Kconfig.hardening#384a746b</link>
        <description>Revert &quot;mm: init_mlocked_on_free_v3&quot;There was insufficient review and no agreement that this is the rightapproach.There are serious flaws with the implementation that make processes usingmlock() not even work with simple fork() [1] and we get reliable crasheswhen rebooting.Further, simply because we might be unmapping a single PTE of a largemlocked folio, we shouldn&apos;t zero out the whole folio.... especially because the code can also *corrupt* urelated memory because	kernel_init_pages(page, folio_nr_pages(folio));Could end up writing outside of the actual folio if we work with a tailpage.Let&apos;s revert it.  Once there is agreement that this is the right approach,the issues were fixed and there was reasonable review and proper testing,we can consider it again.[1] https://lkml.kernel.org/r/4da9da2f-73e4-45fd-b62f-a8a513314057@redhat.comLink: https://lkml.kernel.org/r/20240605091710.38961-1-david@redhat.comFixes: ba42b524a040 (&quot;mm: init_mlocked_on_free_v3&quot;)Signed-off-by: David Hildenbrand &lt;david@redhat.com&gt;Reported-by: David Wang &lt;00107082@163.com&gt;Closes: https://lore.kernel.org/lkml/20240528151340.4282-1-00107082@163.com/Reported-by: Lance Yang &lt;ioworker0@gmail.com&gt;Closes: https://lkml.kernel.org/r/20240601140917.43562-1-ioworker0@gmail.comAcked-by: Lance Yang &lt;ioworker0@gmail.com&gt;Cc: York Jasper Niebuhr &lt;yjnworkstation@gmail.com&gt;Cc: Matthew Wilcox (Oracle) &lt;willy@infradead.org&gt;Cc: Kees Cook &lt;keescook@chromium.org&gt;Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;

            List of files:
            /linux-6.15/security/Kconfig.hardening</description>
        <pubDate>Wed, 05 Jun 2024 09:17:10 +0000</pubDate>
        <dc:creator>David Hildenbrand &lt;david@redhat.com&gt;</dc:creator>
    </item>
<item>
        <title>ba42b524 - mm: init_mlocked_on_free_v3</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/Kconfig.hardening#ba42b524</link>
        <description>mm: init_mlocked_on_free_v3Implements the &quot;init_mlocked_on_free&quot; boot option. When this boot optionis enabled, any mlock&apos;ed pages are zeroed on free. Ifthe pages are munlock&apos;ed beforehand, no initialization takes place.This boot option is meant to combat the performance hit of&quot;init_on_free&quot; as reported in commit 6471384af2a6 (&quot;mm: security:introduce init_on_alloc=1 and init_on_free=1 boot options&quot;). With&quot;init_mlocked_on_free=1&quot; only relevant data is freed while everythingelse is left untouched by the kernel. Correspondingly, this patchintroduces no performance hit for unmapping non-mlock&apos;ed memory. Theunmapping overhead for purely mlocked memory was measured to beapproximately 13%. Realistically, most systems mlock only a fraction ofthe total memory so the real-world system overhead should be close tozero.Optimally, userspace programs clear any key material or otherconfidential memory before exit and munlock the according memoryregions. If a program crashes, userspace key managers fail to do thisjob. Accordingly, no munlock operations are performed so the data iscaught and zeroed by the kernel. Should the program not crash, allmemory will ideally be munlocked so no overhead is caused.CONFIG_INIT_MLOCKED_ON_FREE_DEFAULT_ON can be set to enable&quot;init_mlocked_on_free&quot; by default.Link: https://lkml.kernel.org/r/20240329145605.149917-1-yjnworkstation@gmail.comSigned-off-by: York Jasper Niebuhr &lt;yjnworkstation@gmail.com&gt;Cc: Matthew Wilcox (Oracle) &lt;willy@infradead.org&gt;Cc: York Jasper Niebuhr &lt;yjnworkstation@gmail.com&gt;Cc: Kees Cook &lt;keescook@chromium.org&gt;Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;

            List of files:
            /linux-6.15/security/Kconfig.hardening</description>
        <pubDate>Fri, 29 Mar 2024 14:56:05 +0000</pubDate>
        <dc:creator>York Jasper Niebuhr &lt;yjnworkstation@gmail.com&gt;</dc:creator>
    </item>
<item>
        <title>aa9f10d5 - hardening: Move BUG_ON_DATA_CORRUPTION to hardening options</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/Kconfig.hardening#aa9f10d5</link>
        <description>hardening: Move BUG_ON_DATA_CORRUPTION to hardening optionsBUG_ON_DATA_CORRUPTION is turning detected corruptions of list datastructures from WARNings into BUGs. This can be useful to stop furthercorruptions or even exploitation attempts.However, the option has less to do with debugging than with hardening.With the introduction of LIST_HARDENED, it makes more sense to move itto the hardening options, where it selects LIST_HARDENED instead.Without this change, combining BUG_ON_DATA_CORRUPTION with LIST_HARDENEDalone wouldn&apos;t be possible, because DEBUG_LIST would always be selectedby BUG_ON_DATA_CORRUPTION.Signed-off-by: Marco Elver &lt;elver@google.com&gt;Link: https://lore.kernel.org/r/20230811151847.1594958-4-elver@google.comSigned-off-by: Kees Cook &lt;keescook@chromium.org&gt;

            List of files:
            /linux-6.15/security/Kconfig.hardening</description>
        <pubDate>Fri, 11 Aug 2023 15:18:41 +0000</pubDate>
        <dc:creator>Marco Elver &lt;elver@google.com&gt;</dc:creator>
    </item>
<item>
        <title>aebc7b0d - list: Introduce CONFIG_LIST_HARDENED</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/Kconfig.hardening#aebc7b0d</link>
        <description>list: Introduce CONFIG_LIST_HARDENEDNumerous production kernel configs (see [1, 2]) are choosing to enableCONFIG_DEBUG_LIST, which is also being recommended by KSPP for hardenedconfigs [3]. The motivation behind this is that the option can be usedas a security hardening feature (e.g. CVE-2019-2215 and CVE-2019-2025are mitigated by the option [4]).The feature has never been designed with performance in mind, yet commonlist manipulation is happening across hot paths all over the kernel.Introduce CONFIG_LIST_HARDENED, which performs list pointer checkinginline, and only upon list corruption calls the reporting slow path.To generate optimal machine code with CONFIG_LIST_HARDENED:  1. Elide checking for pointer values which upon dereference would     result in an immediate access fault (i.e. minimal hardening     checks).  The trade-off is lower-quality error reports.  2. Use the __preserve_most function attribute (available with Clang,     but not yet with GCC) to minimize the code footprint for calling     the reporting slow path. As a result, function size of callers is     reduced by avoiding saving registers before calling the rarely     called reporting slow path.     Note that all TUs in lib/Makefile already disable function tracing,     including list_debug.c, and __preserve_most&apos;s implied notrace has     no effect in this case.  3. Because the inline checks are a subset of the full set of checks in     __list_*_valid_or_report(), always return false if the inline     checks failed.  This avoids redundant compare and conditional     branch right after return from the slow path.As a side-effect of the checks being inline, if the compiler can provesome condition to always be true, it can completely elide some checks.Since DEBUG_LIST is functionally a superset of LIST_HARDENED, theKconfig variables are changed to reflect that: DEBUG_LIST selectsLIST_HARDENED, whereas LIST_HARDENED itself has no dependency onDEBUG_LIST.Running netperf with CONFIG_LIST_HARDENED (using a Clang compiler with&quot;preserve_most&quot;) shows throughput improvements, in my case of ~7% onaverage (up to 20-30% on some test cases).Link: https://r.android.com/1266735 [1]Link: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/blob/main/config [2]Link: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings [3]Link: https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html [4]Signed-off-by: Marco Elver &lt;elver@google.com&gt;Link: https://lore.kernel.org/r/20230811151847.1594958-3-elver@google.comSigned-off-by: Kees Cook &lt;keescook@chromium.org&gt;

            List of files:
            /linux-6.15/security/Kconfig.hardening</description>
        <pubDate>Fri, 11 Aug 2023 15:18:40 +0000</pubDate>
        <dc:creator>Marco Elver &lt;elver@google.com&gt;</dc:creator>
    </item>
<item>
        <title>78f7a3fd - randstruct: disable Clang 15 support</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/Kconfig.hardening#78f7a3fd</link>
        <description>randstruct: disable Clang 15 supportThe randstruct support released in Clang 15 is unsafe to use due to abug that can cause miscompilations: &quot;-frandomize-layout-seedinconsistently randomizes all-function-pointers structs&quot;(https://github.com/llvm/llvm-project/issues/60349).  It has been fixedon the Clang 16 release branch, so add a Clang version check.Fixes: 035f7f87b729 (&quot;randstruct: Enable Clang support&quot;)Cc: stable@vger.kernel.orgSigned-off-by: Eric Biggers &lt;ebiggers@google.com&gt;Acked-by: Nick Desaulniers &lt;ndesaulniers@google.com&gt;Reviewed-by: Nathan Chancellor &lt;nathan@kernel.org&gt;Reviewed-by: Bill Wendling &lt;morbo@google.com&gt;Signed-off-by: Kees Cook &lt;keescook@chromium.org&gt;Link: https://lore.kernel.org/r/20230208065133.220589-1-ebiggers@kernel.org

            List of files:
            /linux-6.15/security/Kconfig.hardening</description>
        <pubDate>Wed, 08 Feb 2023 06:51:33 +0000</pubDate>
        <dc:creator>Eric Biggers &lt;ebiggers@google.com&gt;</dc:creator>
    </item>
<item>
        <title>d6a9fb87 - security: Restrict CONFIG_ZERO_CALL_USED_REGS to gcc or clang &gt; 15.0.6</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/Kconfig.hardening#d6a9fb87</link>
        <description>security: Restrict CONFIG_ZERO_CALL_USED_REGS to gcc or clang &gt; 15.0.6A bad bug in clang&apos;s implementation of -fzero-call-used-regs can resultin NULL pointer dereferences (see the links above the check for moreinformation). Restrict CONFIG_CC_HAS_ZERO_CALL_USED_REGS to either asupported GCC version or a clang newer than 15.0.6, which will catchboth a theoretical 15.0.7 and the upcoming 16.0.0, which will both havethe bug fixed.Cc: stable@vger.kernel.org # v5.15+Signed-off-by: Nathan Chancellor &lt;nathan@kernel.org&gt;Signed-off-by: Kees Cook &lt;keescook@chromium.org&gt;Link: https://lore.kernel.org/r/20221214232602.4118147-1-nathan@kernel.org

            List of files:
            /linux-6.15/security/Kconfig.hardening</description>
        <pubDate>Wed, 14 Dec 2022 23:26:03 +0000</pubDate>
        <dc:creator>Nathan Chancellor &lt;nathan@kernel.org&gt;</dc:creator>
    </item>
<item>
        <title>42eaa27d - security: kmsan: fix interoperability with auto-initialization</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/Kconfig.hardening#42eaa27d</link>
        <description>security: kmsan: fix interoperability with auto-initializationHeap and stack initialization is great, but not when we are trying uses ofuninitialized memory.  When the kernel is built with KMSAN, having kernelmemory initialization enabled may introduce false negatives.We disable CONFIG_INIT_STACK_ALL_PATTERN and CONFIG_INIT_STACK_ALL_ZEROunder CONFIG_KMSAN, making it impossible to auto-initialize stackvariables in KMSAN builds.  We also disableCONFIG_INIT_ON_ALLOC_DEFAULT_ON and CONFIG_INIT_ON_FREE_DEFAULT_ON toprevent accidental use of heap auto-initialization.We however still let the users enable heap auto-initialization atboot-time (by setting init_on_alloc=1 or init_on_free=1), in which case awarning is printed.Link: https://lkml.kernel.org/r/20220915150417.722975-31-glider@google.comSigned-off-by: Alexander Potapenko &lt;glider@google.com&gt;Cc: Alexander Viro &lt;viro@zeniv.linux.org.uk&gt;Cc: Alexei Starovoitov &lt;ast@kernel.org&gt;Cc: Andrey Konovalov &lt;andreyknvl@gmail.com&gt;Cc: Andrey Konovalov &lt;andreyknvl@google.com&gt;Cc: Andy Lutomirski &lt;luto@kernel.org&gt;Cc: Arnd Bergmann &lt;arnd@arndb.de&gt;Cc: Borislav Petkov &lt;bp@alien8.de&gt;Cc: Christoph Hellwig &lt;hch@lst.de&gt;Cc: Christoph Lameter &lt;cl@linux.com&gt;Cc: David Rientjes &lt;rientjes@google.com&gt;Cc: Dmitry Vyukov &lt;dvyukov@google.com&gt;Cc: Eric Biggers &lt;ebiggers@google.com&gt;Cc: Eric Biggers &lt;ebiggers@kernel.org&gt;Cc: Eric Dumazet &lt;edumazet@google.com&gt;Cc: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;Cc: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;Cc: Ilya Leoshkevich &lt;iii@linux.ibm.com&gt;Cc: Ingo Molnar &lt;mingo@redhat.com&gt;Cc: Jens Axboe &lt;axboe@kernel.dk&gt;Cc: Joonsoo Kim &lt;iamjoonsoo.kim@lge.com&gt;Cc: Kees Cook &lt;keescook@chromium.org&gt;Cc: Marco Elver &lt;elver@google.com&gt;Cc: Mark Rutland &lt;mark.rutland@arm.com&gt;Cc: Matthew Wilcox &lt;willy@infradead.org&gt;Cc: Michael S. Tsirkin &lt;mst@redhat.com&gt;Cc: Pekka Enberg &lt;penberg@kernel.org&gt;Cc: Peter Zijlstra &lt;peterz@infradead.org&gt;Cc: Petr Mladek &lt;pmladek@suse.com&gt;Cc: Stephen Rothwell &lt;sfr@canb.auug.org.au&gt;Cc: Steven Rostedt &lt;rostedt@goodmis.org&gt;Cc: Thomas Gleixner &lt;tglx@linutronix.de&gt;Cc: Vasily Gorbik &lt;gor@linux.ibm.com&gt;Cc: Vegard Nossum &lt;vegard.nossum@oracle.com&gt;Cc: Vlastimil Babka &lt;vbabka@suse.cz&gt;Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;

            List of files:
            /linux-6.15/security/Kconfig.hardening</description>
        <pubDate>Thu, 15 Sep 2022 15:04:04 +0000</pubDate>
        <dc:creator>Alexander Potapenko &lt;glider@google.com&gt;</dc:creator>
    </item>
<item>
        <title>607e57c6 - hardening: Remove Clang&apos;s enable flag for -ftrivial-auto-var-init=zero</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/Kconfig.hardening#607e57c6</link>
        <description>hardening: Remove Clang&apos;s enable flag for -ftrivial-auto-var-init=zeroNow that Clang&apos;s -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clangoption is no longer required, remove it from the command line. Clang 16and later will warn when it is used, which will cause Kconfig to thinkit can&apos;t use -ftrivial-auto-var-init=zero at all. Check for whether itis required and only use it when so.Cc: Nathan Chancellor &lt;nathan@kernel.org&gt;Cc: Masahiro Yamada &lt;masahiroy@kernel.org&gt;Cc: Nick Desaulniers &lt;ndesaulniers@google.com&gt;Cc: linux-kbuild@vger.kernel.orgCc: llvm@lists.linux.devCc: stable@vger.kernel.orgFixes: f02003c860d9 (&quot;hardening: Avoid harmless Clang option under CONFIG_INIT_STACK_ALL_ZERO&quot;)Signed-off-by: Kees Cook &lt;keescook@chromium.org&gt;

            List of files:
            /linux-6.15/security/Kconfig.hardening</description>
        <pubDate>Fri, 30 Sep 2022 05:57:43 +0000</pubDate>
        <dc:creator>Kees Cook &lt;keescook@chromium.org&gt;</dc:creator>
    </item>
<item>
        <title>035f7f87 - randstruct: Enable Clang support</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/Kconfig.hardening#035f7f87</link>
        <description>randstruct: Enable Clang supportClang 15 will support randstruct via the -frandomize-layout-seed-file=...option. Update the Kconfig and Makefile to recognize this feature.Cc: Masahiro Yamada &lt;masahiroy@kernel.org&gt;Cc: linux-kbuild@vger.kernel.orgSigned-off-by: Kees Cook &lt;keescook@chromium.org&gt;Link: https://lore.kernel.org/r/20220503205503.3054173-7-keescook@chromium.org

            List of files:
            /linux-6.15/security/Kconfig.hardening</description>
        <pubDate>Tue, 03 May 2022 20:55:03 +0000</pubDate>
        <dc:creator>Kees Cook &lt;keescook@chromium.org&gt;</dc:creator>
    </item>
<item>
        <title>be2b34fa - randstruct: Move seed generation into scripts/basic/</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/Kconfig.hardening#be2b34fa</link>
        <description>randstruct: Move seed generation into scripts/basic/To enable Clang randstruct support, move the structure layoutrandomization seed generation out of scripts/gcc-plugins/ intoscripts/basic/ so it happens early enough that it can be used by eithercompiler implementation. The gcc-plugin still builds its own header file,but now does so from the common &quot;randstruct.seed&quot; file.Cc: linux-hardening@vger.kernel.orgSigned-off-by: Kees Cook &lt;keescook@chromium.org&gt;Link: https://lore.kernel.org/r/20220503205503.3054173-6-keescook@chromium.org

            List of files:
            /linux-6.15/security/Kconfig.hardening</description>
        <pubDate>Tue, 03 May 2022 20:55:02 +0000</pubDate>
        <dc:creator>Kees Cook &lt;keescook@chromium.org&gt;</dc:creator>
    </item>
<item>
        <title>595b893e - randstruct: Reorganize Kconfigs and attribute macros</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/Kconfig.hardening#595b893e</link>
        <description>randstruct: Reorganize Kconfigs and attribute macrosIn preparation for Clang supporting randstruct, reorganize the Kconfigs,move the attribute macros, and generalize the feature to be namedCONFIG_RANDSTRUCT for on/off, CONFIG_RANDSTRUCT_FULL for the fullrandomization mode, and CONFIG_RANDSTRUCT_PERFORMANCE for the cache-linesized mode.Cc: linux-hardening@vger.kernel.orgSigned-off-by: Kees Cook &lt;keescook@chromium.org&gt;Link: https://lore.kernel.org/r/20220503205503.3054173-4-keescook@chromium.org

            List of files:
            /linux-6.15/security/Kconfig.hardening</description>
        <pubDate>Tue, 03 May 2022 20:55:00 +0000</pubDate>
        <dc:creator>Kees Cook &lt;keescook@chromium.org&gt;</dc:creator>
    </item>
<item>
        <title>f154066b - gcc-plugins/stackleak: Provide verbose mode</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/Kconfig.hardening#f154066b</link>
        <description>gcc-plugins/stackleak: Provide verbose modeIn order to compare instrumentation between builds, make the verbosemode of the plugin available during the build. This is rarely needed(behind EXPERT) and very noisy (disabled for COMPILE_TEST).Cc: Alexander Popov &lt;alex.popov@linux.com&gt;Signed-off-by: Kees Cook &lt;keescook@chromium.org&gt;

            List of files:
            /linux-6.15/security/Kconfig.hardening</description>
        <pubDate>Sun, 06 Feb 2022 17:20:08 +0000</pubDate>
        <dc:creator>Kees Cook &lt;keescook@chromium.org&gt;</dc:creator>
    </item>
<item>
        <title>8bd51a2b - gcc-plugins: Explicitly document purpose and deprecation schedule</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/Kconfig.hardening#8bd51a2b</link>
        <description>gcc-plugins: Explicitly document purpose and deprecation scheduleGCC plugins should only exist when some compiler feature needs to beproven but does not exist in either GCC nor Clang. For example, if adesired feature is already in Clang, it should be added to GCC upstream.Document this explicitly.Additionally, mark the plugins with matching upstream GCC features asremovable past their respective GCC versions.Cc: Masahiro Yamada &lt;masahiroy@kernel.org&gt;Cc: Michal Marek &lt;michal.lkml@markovi.net&gt;Cc: Nick Desaulniers &lt;ndesaulniers@google.com&gt;Cc: Jonathan Corbet &lt;corbet@lwn.net&gt;Cc: James Morris &lt;jmorris@namei.org&gt;Cc: &quot;Serge E. Hallyn&quot; &lt;serge@hallyn.com&gt;Cc: Nathan Chancellor &lt;nathan@kernel.org&gt;Cc: linux-hardening@vger.kernel.orgCc: linux-kbuild@vger.kernel.orgCc: linux-doc@vger.kernel.orgCc: linux-security-module@vger.kernel.orgCc: llvm@lists.linux.devSigned-off-by: Kees Cook &lt;keescook@chromium.org&gt;Reviewed-by: Nathan Chancellor &lt;nathan@kernel.org&gt;Reviewed-by: Miguel Ojeda &lt;ojeda@kernel.org&gt;Acked-by: Nick Desaulniers &lt;ndesaulniers@google.com&gt;Acked-by: Ard Biesheuvel &lt;ardb@kernel.org&gt;Link: https://lore.kernel.org/r/20211020173554.38122-2-keescook@chromium.org

            List of files:
            /linux-6.15/security/Kconfig.hardening</description>
        <pubDate>Wed, 20 Oct 2021 17:35:53 +0000</pubDate>
        <dc:creator>Kees Cook &lt;keescook@chromium.org&gt;</dc:creator>
    </item>
</channel>
</rss>
