From 563a6887e23e57cb7510aa0712c0d1c761aad51f Mon Sep 17 00:00:00 2001 From: Crypt0s Date: Thu, 14 Nov 2024 13:38:23 -0500 Subject: [PATCH] kernel: add CONFIG_KEYS=y to enable kernel keyring KinD checks for the presence of this (and other) kernel configuration via scripts like https://blog.hypriot.com/post/verify-kernel-container-compatibility/ or attempts to directly use /proc/sys/kernel/keys/ without checking to see if it exists, causing an exit when it does not see it. Docker/its consumers apparently expect to be able to use the kernel keyring and its associated syscalls from/for containers. There aren't any known downsides to enabling this except that it would by definition enable additional syscalls defined in https://man7.org/linux/man-pages/man7/keyrings.7.html which are reachable from userspace. This minimally increases the attack surface of the Kata Kernel, but this attack surface is minimal (especially since the kernel is most likely being executed by some kind of hypervisor) and highly restricted compared to the utility of enabling this feature to get further containerization compatibility. Signed-off-by: Crypt0s --- tools/packaging/kernel/configs/fragments/common/base.conf | 2 ++ tools/packaging/kernel/kata_config_version | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/tools/packaging/kernel/configs/fragments/common/base.conf b/tools/packaging/kernel/configs/fragments/common/base.conf index 362608470f..edde158372 100644 --- a/tools/packaging/kernel/configs/fragments/common/base.conf +++ b/tools/packaging/kernel/configs/fragments/common/base.conf @@ -41,6 +41,8 @@ CONFIG_RELOCATABLE=y # https://github.com/kata-containers/tests/issues/1543 # RANDOM_TRUST_CPU=y +CONFIG_KEYS=y + # CONFIG_CGROUP_PERF needs CONFIG_HAVE_PERF_EVENTS=y CONFIG_PERF_EVENTS=y diff --git a/tools/packaging/kernel/kata_config_version b/tools/packaging/kernel/kata_config_version index 897bdc8200..dee261df40 100644 --- a/tools/packaging/kernel/kata_config_version 
+++ b/tools/packaging/kernel/kata_config_version @@ -1 +1 @@ -139 +140
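Review bot: in the base.conf hunk the new `CONFIG_KEYS=y` line carries no comment, while the neighbouring entries in the same fragment do (`# https://github.com/kata-containers/tests/issues/1543` above `# RANDOM_TRUST_CPU=y`, and `# CONFIG_CGROUP_PERF needs CONFIG_HAVE_PERF_EVENTS=y` above `CONFIG_PERF_EVENTS=y`). Since the option is being added on purpose as an attack-surface trade-off (it makes the keyring syscalls from keyrings(7) reachable from guest userspace, as the commit message says), record that reasoning where the option lives: add a comment line such as `# Docker/KinD expect the kernel keyring and /proc/sys/kernel/keys to exist` directly above `+CONFIG_KEYS=y`, and keep the blank `+` line after it so the entry is not visually attached to the unrelated RANDOM_TRUST_CPU note. Placing the new line immediately under `# RANDOM_TRUST_CPU=y` otherwise reads as if it belonged to that issue's workaround.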