A firewall for device drivers

Posted Aug 14, 2021 20:56 UTC (Sat) by pebolle (guest, #35204)
In reply to: A firewall for device drivers by malor
Parent article: A firewall for device drivers

> kernels that had only the exact device drivers I wanted

A nice idea. I sort of tried to achieve that goal until I realized it would take an insane amount of time to reach it and to stay at it at every release of a new kernel.

> This was a long time ago, so I could be misremembering, but I believe I was forced to stop doing this because the kernel stopped supporting static compilation; it was loadable modules or nothing.

That would mean CONFIG_MODULES (or its equivalent) was broken. I would be surprised if it still is.

A firewall for device drivers

Posted Aug 20, 2021 13:49 UTC (Fri) by bustervill (guest, #85383) [Link]

> A nice idea. I sort of tried to achieve that goal until I realized it would take an insane amount of time to reach it and to stay at it at every release of a new kernel.

I used to do it as well, spending large amounts of time and attention. I think this is exactly the problem and the reason people (including me) prefer not to have do it anymore.

An XKCD comic is worth a thousand words: https://xkcd.com/1671/

A firewall for device drivers

Posted Aug 21, 2021 0:52 UTC (Sat) by pabs (subscriber, #43278) [Link]

ISTR Linux has a localmodconfig make target that could be used for this; build a full kernel, boot it on the hardware you want, note the loaded modules, and using localmodconfig build a kernel config with those modules and then turn CONFIG_* with =m into =y and build the result.