[linux-yocto] [kernel-cache][PATCH] features/security: Add more kernel hardening fragments
zhe.he at windriver.com
Wed Jun 26 02:30:11 PDT 2019
From: He Zhe <zhe.he at windriver.com>
Signed-off-by: He Zhe <zhe.he at windriver.com>
---
features/security/security.cfg | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/features/security/security.cfg b/features/security/security.cfg
index 87408b6..8b7a065 100644
--- a/features/security/security.cfg
+++ b/features/security/security.cfg
@@ -11,6 +11,7 @@ CONFIG_SLAB_FREELIST_HARDENED=y
# Stack Protector is for buffer overflow detection and hardening
CONFIG_STACKPROTECTOR=y
+CONFIG_STACKPROTECTOR_STRONG=y
# Perform extensive checks on reference counting
CONFIG_REFCOUNT_FULL=y
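Review bot: CONFIG_STACKPROTECTOR_STRONG is only selectable when the toolchain supports -fstack-protector-strong (Kconfig gates it on CC_HAS_STACKPROTECTOR_STRONG), so a build with an older compiler silently drops this line and falls back to the plain CONFIG_STACKPROTECTOR=y above without any error from the fragment. Worth checking the merged .config on each supported toolchain, and extending the comment above the two options, e.g. `# Stack Protector (strong variant) is for buffer overflow detection and hardening`, so readers see the lines are intended together.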
@@ -44,3 +45,18 @@ CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_CREDENTIALS=y
+
+# Information exposure
+CONFIG_PAGE_POISONING=y
+
+# Kernel Address Space Layout Randomization (KASLR)
+CONFIG_RANDOMIZE_BASE=y
+CONFIG_RANDOMIZE_MEMORY=y
+
+# Direct kernel overwrite
+CONFIG_STRICT_KERNEL_RWX=y
+CONFIG_STRICT_MODULE_RWX=y
+
+# Meltdown and Spectre
+CONFIG_PAGE_TABLE_ISOLATION=y
+CONFIG_RETPOLINE=y
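Review bot: CONFIG_PAGE_POISONING=y on its own does not poison anything on kernels of this generation; poisoning stays disabled until `page_poison=on` is passed on the kernel command line, so the fragment compiles in the code without turning the mitigation on, and the `# Information exposure` comment overstates what the build delivers. Either document the required boot parameter in the comment or drop the option from this fragment. Separately, CONFIG_RANDOMIZE_MEMORY, CONFIG_PAGE_TABLE_ISOLATION and CONFIG_RETPOLINE are x86-only symbols (RETPOLINE also needs compiler support for -mindirect-branch), while features/security/security.cfg is architecture-neutral; on ARM/ARM64 targets these lines will not make it into the final .config and will surface as unset-option warnings, so they belong in an x86-specific fragment or should at least be marked as x86-only in the comments.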
--
2.7.4