One change merged with the kernel hardening updates for Linux 6.18 is not a direct hardening improvement but a long-overdue enhancement to the kernel configuration system, Kconfig. A new “transitional” keyword for Kconfig options eases the renaming of options across kernel versions, with less breakage and fewer headaches for those maintaining their own kernel configurations and builds.
The hardening pull request landed this Kconfig “transitional” support because it renames the “CONFIG_CFI_CLANG” option to just “CLANG_CFI” now that the GCC compiler is also adding control flow integrity (CFI) support. This is only the latest case of a Kconfig option being renamed, and a rename should be carried over properly when users upgrade an existing kernel configuration and build against a new kernel version. With the “transitional” attribute, the new option name is picked up automatically in the kernel configuration.
Kees Cook explained with the patch adding the transitional symbol attribute:
“During kernel option migrations (e.g. CONFIG_CFI_CLANG to CONFIG_CFI), existing .config files need to maintain backward compatibility while preventing deprecated options from appearing in newly generated configurations. This is challenging with existing Kconfig mechanisms because:
1. Simply removing old options breaks existing .config files.
2. Manually listing an option as “deprecated” leaves it needlessly visible and still writes them to new .config files.
3. Using any method to remove visibility (e.g. no ‘prompt’, ‘if n’, etc) prevents the option from being processed at all.

Add a “transitional” attribute that creates symbols which are:
– Processed during configuration (can influence other symbols’ defaults)
– Hidden from user menus (no prompts appear)
– Omitted from newly written .config files (gets migrated)
– Restricted to only having help sections (no defaults, selects, etc) making it truly just a “prior value pass-through” option.”
An example of Kconfig transitional usage:
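The fragment below is an added illustration of the pattern described in the quoted patch message, not the example from the original article or the kernel's own Kconfig files. The symbol names FOO_LEGACY and FOO, the prompt text and the sample .config lines are hypothetical.

```kconfig
# Added illustration; FOO_LEGACY and FOO are hypothetical symbol names.

# Old name: kept only so that existing .config files are still understood.
# It carries a type, the "transitional" attribute and help text, nothing
# else (no prompt, default, select or depends on).
config FOO_LEGACY
	bool
	transitional
	help
	  Transitional config for the FOO_LEGACY to FOO migration.

# New name: the visible option. Its default reads the old symbol, so a
# .config that set CONFIG_FOO_LEGACY=y yields CONFIG_FOO=y.
config FOO
	bool "Enable the foo feature"
	default FOO_LEGACY
	help
	  Replaces the old CONFIG_FOO_LEGACY option.

# Existing .config before the upgrade (constructed sample):
#   CONFIG_FOO_LEGACY=y
#
# Newly written .config after the configuration is regenerated:
#   CONFIG_FOO=y
# CONFIG_FOO_LEGACY is not written out again.
```

After regenerating a configuration against the new kernel (for example with `make olddefconfig`), checking the resulting .config for the new symbol name confirms that the old value carried over.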
This long overdue improvement for Linux kernel configuration handling was merged to Linux 6.18 Git as part of the hardening updates.