KERNEL_SELF_PROTECTION_COMMON with clang/llvm

Message

Asch · Post by **Asch** » Wed Jan 07, 2026 12:53 am

/usr/src/linux/distro/Kconfig wrote: if GENTOO_KERNEL_SELF_PROTECTION
config GENTOO_KERNEL_SELF_PROTECTION_COMMON
bool "Enable Kernel Self Protection Project Recommendations"

depends on GENTOO_LINUX && !SLAB_MERGE_DEFAULT && !SLUB_TINY && !COMPAT_BRK && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !X86_X32_ABI && !MODIFY_LDT_SYSCALL && GCC_PLUGINS && !IOMMU_DEFAULT_DMA_LAZY && !IOMMU_DEFAULT_PASSTHROUGH && IOMMU_DEFAULT_DMA_STRICT && SECURITY

...
...

select RANDOMIZE_KSTACK_OFFSET_DEFAULT if HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET && (INIT_STACK_NONE || !CC_IS_CLANG || CLANG_VERSION>=140000)

It seems that GENTOO_KERNEL_SELF_PROTECTION_COMMON depends on GCC_PLUGINS, which is unavailable if you run make menuconfig with LLVM=1 and therefore plan to compile the kernel with clang/llvm. Or am I missing something subtle?

Maybe the GCC_PLUGIN requirement should be rewritten as ( GCC_PLUGINS || CLANG_VERSION>=140000 ) as in the select example above? I could easily implement this change myself, but it might be a good idea to do this upstream as well.

BTW, enabling all of these selections manually for COMMON and X86_64 makes kernel compilation fail. I'm trying to pinpoint what option exactly is the culprit.

Post by **pietinger** » Tue Feb 03, 2026 11:17 pm

Asch,

there is another method for kernel hardening besides using our GENTOO_KERNEL_SELF_PROTECTION kernel option:

Disable ... and enable everything by yourself ... you will need only the link to the KSPP page
->
https://wiki.gentoo.org/wiki/User:Pieti ... _with_KSPP
->
https://kspp.github.io/Recommended_Settings

(Of course you can omit everything related to gcc and use instead clang-related options like CONFIG_CFI_CLANG=y )