Bug #1959384 “CONFIG_IO_STRICT_DEVMEM could be enabled” : Bugs : linux package : Ubuntu

CONFIG_IO_STRICT_DEVMEM could be enabled

Bug #1959384 reported by Laurent Bonnaud
This bug affects 4 people
Affects: linux (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none set)

Bug Description

Ubuntu could enable CONFIG_IO_STRICT_DEVMEM to restrict userspace access to active io-memory ranges.

This could impact kernel debuggability. In that case, you may reboot with iomem=relaxed on the kernel command line to override this setting.

This config option is recommended by the Kernel Self Protection Project[1] and a 2019 study performed by Capsule 8 shows that it is enabled in many other major distro kernels[2].

[1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
[2] https://capsule8.com/blog/millions-of-binaries-later-a-look-into-linux-hardening-in-the-wild/

In Ubuntu impish:

$ grep CONFIG_IO_STRICT_DEVMEM /boot/config-*
/boot/config-5.13.0-27-generic:# CONFIG_IO_STRICT_DEVMEM is not set
/boot/config-5.13.0-27-lowlatency:# CONFIG_IO_STRICT_DEVMEM is not set
/boot/config-5.16.3-051603-generic:# CONFIG_IO_STRICT_DEVMEM is not set
/boot/config-5.16.3-051603-lowlatency:# CONFIG_IO_STRICT_DEVMEM is not set

In Debian 11:

$ grep CONFIG_IO_STRICT_DEVMEM /boot/config-*
/boot/config-5.10.0-10-amd64:CONFIG_IO_STRICT_DEVMEM=y
/boot/config-5.10.0-11-amd64:CONFIG_IO_STRICT_DEVMEM=y

In Debian sid:

$ grep CONFIG_IO_STRICT_DEVMEM /boot/config-*
/boot/config-5.15.0-3-amd64:CONFIG_IO_STRICT_DEVMEM=y
/boot/config-5.15.0-3-rt-amd64:CONFIG_IO_STRICT_DEVMEM=y
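An added check, not part of the bug report or of any Ubuntu tooling, that combines the build-time options with the run-time override the report mentions: CONFIG_IO_STRICT_DEVMEM only has an effect when CONFIG_STRICT_DEVMEM is also set (its Kconfig entry depends on it), and iomem=relaxed on the command line switches the MMIO restriction off again at boot, so a grep of the config alone does not tell you what the running kernel enforces. The sample config files below are constructed to mirror the grep output above; the live-system helper assumes a readable /boot/config-$(uname -r) and does not handle /proc/config.gz.

```shell
#!/bin/sh
# Added example, not the bug report's own code: report the effective /dev/mem
# restriction from a kernel config file plus the kernel command line.
# Assumptions: the config uses the "CONFIG_X=y" / "# CONFIG_X is not set"
# format of /boot/config-*, and the command line is the text of /proc/cmdline.
# The sample config files created further down are constructed for this example.

# devmem_state CONFIG_FILE "CMDLINE" -> prints one of:
#   no-devmem     CONFIG_DEVMEM is not set: /dev/mem does not exist at all
#   unrestricted  CONFIG_STRICT_DEVMEM not set: /dev/mem can map RAM and MMIO
#   mmio-allowed  STRICT_DEVMEM=y only: RAM is blocked, active MMIO is not
#   relaxed       IO_STRICT_DEVMEM=y but iomem=relaxed turned the MMIO check off
#   strict        IO_STRICT_DEVMEM=y and no override: active MMIO ranges blocked
devmem_state() {
    config=$1
    cmdline=$2

    if grep -qx '# CONFIG_DEVMEM is not set' "$config"; then
        echo no-devmem; return 0
    fi
    if ! grep -qx 'CONFIG_STRICT_DEVMEM=y' "$config"; then
        echo unrestricted; return 0
    fi
    if ! grep -qx 'CONFIG_IO_STRICT_DEVMEM=y' "$config"; then
        echo mmio-allowed; return 0
    fi
    # The override must be a whole word; iomem=strict leaves the check on.
    case " $cmdline " in
        *' iomem=relaxed '*) echo relaxed ;;
        *) echo strict ;;
    esac
}

# Same check against the live system (assumes a readable /boot/config-$(uname -r)).
audit_running_kernel() {
    cfg=/boot/config-$(uname -r)
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    devmem_state "$cfg" "$(cat /proc/cmdline)"
}

# Constructed sample configs modelled on the grep output in the report.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
printf '%s\n' 'CONFIG_DEVMEM=y' 'CONFIG_STRICT_DEVMEM=y' \
    '# CONFIG_IO_STRICT_DEVMEM is not set' >"$tmpdir/config-impish"
printf '%s\n' 'CONFIG_DEVMEM=y' 'CONFIG_STRICT_DEVMEM=y' \
    'CONFIG_IO_STRICT_DEVMEM=y' >"$tmpdir/config-bullseye"
printf '%s\n' '# CONFIG_DEVMEM is not set' >"$tmpdir/config-nodevmem"

# Show how the same config answers differently depending on the command line.
for cfg in impish bullseye; do
    for cmd in 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro' \
               'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro iomem=relaxed'; do
        printf '%-9s %-48s %s\n' "$cfg" "$cmd" \
            "$(devmem_state "$tmpdir/config-$cfg" "$cmd")"
    done
done
```

Run audit_running_kernel on a machine to see what it was built and booted with; the two constructed configs give mmio-allowed for the impish-style file regardless of the command line, and strict or relaxed for the bullseye-style file depending on whether iomem=relaxed is present. To confirm the behaviour rather than the configuration, mmap /dev/mem as root at an address inside a driver-claimed range listed in /proc/iomem: with the restriction in force the mmap fails with EPERM instead of handing back the MMIO page.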

Revision history for this message
Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu):
status: New → Confirmed
tags: added: jammy
tags: added: kinetic lunar
tags: added: mantic