Enabled hardening configs default to build. (#1223)

vkraleti · web-flow · commit de6bff83d8f8 · 2026-04-08T18:40:18.000+05:30
This PR introduces support for merging `hardening.config` into the kernel configuration for linux-qcom-next. The goal is to ensure that security hardening options are applied consistently across all builds. What’s Changed Added logic to include `hardening.config` during kernel configuration using merge_config.sh. Override `CONFIG_KSTACK_ERASE=n` Why This Change Kernel builds previously lacked default hardening options, which could lead to reduced security. This update ensures that compiler-based mitigations and other hardening features are applied by default. Override `CONFIG_KSTACK_ERASE=n` because enabling it introduces absolute workspace paths into out‑of‑tree (OOT) kernel module builds, which cause Yocto's package QA to flag this as build error. Verification verified build on QCS9100-ride-sx. Kernel configuration includes hardening options as expected. Ref: [1201#issuecomment-3543906617](#1201 (comment)) #1628 (comment)
diff --git a/recipes-kernel/linux/linux-qcom-6.18/configs/bsp-additions.cfg b/recipes-kernel/linux/linux-qcom-6.18/configs/bsp-additions.cfg
@@ -314,3 +314,5 @@ CONFIG_NFT_TPROXY=m
 CONFIG_NFT_TUNNEL=m
 CONFIG_PACKET_DIAG=y
 CONFIG_VETH=m
+# Disable stack erase plugin to avoid buildpath leakage in out-of-tree modules
+CONFIG_KSTACK_ERASE=n
diff --git a/recipes-kernel/linux/linux-qcom-next/configs/bsp-additions.cfg b/recipes-kernel/linux/linux-qcom-next/configs/bsp-additions.cfg
@@ -314,3 +314,5 @@ CONFIG_NFT_TPROXY=m
 CONFIG_NFT_TUNNEL=m
 CONFIG_PACKET_DIAG=y
 CONFIG_VETH=m
+# Disable stack erase plugin to avoid buildpath leakage in out-of-tree modules
+CONFIG_KSTACK_ERASE=n
diff --git a/recipes-kernel/linux/linux-qcom-next_git.bb b/recipes-kernel/linux/linux-qcom-next_git.bb
@@ -36,7 +36,7 @@ S = "${UNPACKDIR}/${BP}"
 KBUILD_DEFCONFIG ?= "defconfig"
 KBUILD_DEFCONFIG:qcom-armv7a = "qcom_defconfig"
 
-KBUILD_CONFIG_EXTRA = "${@bb.utils.contains('DISTRO_FEATURES', 'hardened', '${S}/kernel/configs/hardening.config', '', d)}"
+KBUILD_CONFIG_EXTRA = "${S}/kernel/configs/hardening.config"
 KBUILD_CONFIG_EXTRA:append:aarch64 = " ${S}/arch/arm64/configs/prune.config"
 KBUILD_CONFIG_EXTRA:append:aarch64 = " ${S}/arch/arm64/configs/qcom.config"
 KBUILD_CONFIG_EXTRA:append = " ${@oe.utils.vartrue('DEBUG_BUILD', '${S}/kernel/configs/debug.config', '', d)}"
diff --git a/recipes-kernel/linux/linux-qcom_6.18.bb b/recipes-kernel/linux/linux-qcom_6.18.bb
@@ -39,7 +39,7 @@ S = "${UNPACKDIR}/${BP}"
 KBUILD_DEFCONFIG ?= "defconfig"
 KBUILD_DEFCONFIG:qcom-armv7a = "qcom_defconfig"
 
-KBUILD_CONFIG_EXTRA = "${@bb.utils.contains('DISTRO_FEATURES', 'hardened', '${S}/kernel/configs/hardening.config', '', d)}"
+KBUILD_CONFIG_EXTRA = "${S}/kernel/configs/hardening.config"
 KBUILD_CONFIG_EXTRA:append:aarch64 = " ${S}/arch/arm64/configs/prune.config"
 KBUILD_CONFIG_EXTRA:append:aarch64 = " ${S}/arch/arm64/configs/qcom.config"
 KBUILD_CONFIG_EXTRA:append = " ${@oe.utils.vartrue('DEBUG_BUILD', '${S}/kernel/configs/debug.config', '', d)}"
