X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=README.md;h=c5cc464071aae5b8376c33fe7eff8888202cb59c;hb=befa4a35117c0d1ff58e85b5c42a3a1b55b4ebaa;hp=3e95e959820f84818e92aadfa0622b53fcc5e812;hpb=39e1c6ed2ec0a904d8a46dd460763a842046818b;p=kconfig-hardened-check.git
diff --git a/README.md b/README.md
index 3e95e95..c5cc464 100644
--- a/README.md
+++ b/README.md
@@ -248,9 +248,32 @@ __A:__ I personally don't support this recommendation because it provides easy d
attacks for the whole system (kernel oops is not a rare situation). I think having `CONFIG_BUG` is enough here --
if we have a kernel oops in the process context, the offending/attacking process is killed.
+
+
+__Q:__ What about performance impact of these kernel hardening options?
+
+__A:__ Ike Devolder [@BlackIkeEagle][7] made some performance tests and described the results in [this article][8].
+
+
+
+__Q:__ Why enabling `CONFIG_STATIC_USERMODEHELPER` breaks various things in my GNU/Linux system?
+Do I really need that feature?
+
+__A:__ Linux kernel usermode helpers can be used for privilege escalation in kernel exploits
+([example 1][9], [example 2][10]). `CONFIG_STATIC_USERMODEHELPER` prevents that method. But it
+requires the corresponding support in the userspace: see the [example implementation][11] by
+Tycho Andersen [@tych0][12].
+
+
[1]: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
[2]: https://docs.clip-os.org/clipos/kernel.html#configuration
[3]: https://grsecurity.net/
[4]: https://github.com/a13xp0p0v/linux-kernel-defence-map
[5]: https://lwn.net/Articles/791863/
[6]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/38
+[7]: https://github.com/BlackIkeEagle
+[8]: https://blog.herecura.eu/blog/2020-05-30-kconfig-hardening-tests/
+[9]: https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html
+[10]: https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
+[11]: https://github.com/tych0/huldufolk
+[12]: https://github.com/tych0