linux-qcom-next: Enable hardening.config globally and override CONFIG_KSTACK_ERASE

Abhilasha Manna · Abhilasha Manna · commit 5258188b5929 · 2026-04-07T18:11:51.000+05:30
Apply `hardening.config` to all builds by default to ensure consistent
security hardening across builds.

Override `CONFIG_KSTACK_ERASE=n` because enabling it introduces absolute
workspace paths into out‑of‑tree (OOT) kernel modules.
These leaked paths cause Yocto’s Package QA rule to falg as build error,since
kernel modules must not contain host-specific build paths in shipping images.

Signed-off-by: Abhilasha Manna &lt;amanna@qti.qualcomm.com&gt;
diff --git a/recipes-kernel/linux/linux-qcom-next/configs/bsp-additions.cfg b/recipes-kernel/linux/linux-qcom-next/configs/bsp-additions.cfg
@@ -314,3 +314,5 @@ CONFIG_NFT_TPROXY=m
 CONFIG_NFT_TUNNEL=m
 CONFIG_PACKET_DIAG=y
 CONFIG_VETH=m
+# Disable stack erase plugin to avoid buildpath leakage in out-of-tree modules
+CONFIG_KSTACK_ERASE=n
diff --git a/recipes-kernel/linux/linux-qcom-next_git.bb b/recipes-kernel/linux/linux-qcom-next_git.bb
@@ -36,7 +36,7 @@ S = "${UNPACKDIR}/${BP}"
 KBUILD_DEFCONFIG ?= "defconfig"
 KBUILD_DEFCONFIG:qcom-armv7a = "qcom_defconfig"
 
-KBUILD_CONFIG_EXTRA = "${@bb.utils.contains('DISTRO_FEATURES', 'hardened', '${S}/kernel/configs/hardening.config', '', d)}"
+KBUILD_CONFIG_EXTRA = "${S}/kernel/configs/hardening.config"
 KBUILD_CONFIG_EXTRA:append:aarch64 = " ${S}/arch/arm64/configs/prune.config"
 KBUILD_CONFIG_EXTRA:append:aarch64 = " ${S}/arch/arm64/configs/qcom.config"
 KBUILD_CONFIG_EXTRA:append = " ${@oe.utils.vartrue('DEBUG_BUILD', '${S}/kernel/configs/debug.config', '', d)}"
