hardening: Enable KCFI and some other options
Add some stuff that got missed along the way: - CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y so SCS vs PAC is hardware selectable. - CONFIG_X86_KERNEL_IBT=y while a default, just be sure. - CONFIG_CFI_CLANG=y globally. - CONFIG_PAGE_TABLE_CHECK=y for userspace mapping sanity. Reviewed-by: Nathan Chancellor <nathan@kernel.org> Link: https://lore.kernel.org/r/20240501193709.make.982-kees@kernel.org Signed-off-by: Kees Cook <keescook@chromium.org>
This commit is contained in:
parent
fb28a8862d
commit
a284e43852
@ -5,6 +5,7 @@ CONFIG_ARM64_SW_TTBR0_PAN=y
|
||||
|
||||
# Software Shadow Stack or PAC
|
||||
CONFIG_SHADOW_CALL_STACK=y
|
||||
CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y
|
||||
|
||||
# Pointer authentication (ARMv8.3 and later). If hardware actually supports
|
||||
# it, one can turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
|
||||
|
@ -10,5 +10,8 @@ CONFIG_INTEL_IOMMU_DEFAULT_ON=y
|
||||
CONFIG_INTEL_IOMMU_SVM=y
|
||||
CONFIG_AMD_IOMMU=y
|
||||
|
||||
# Enforce CET Indirect Branch Tracking in the kernel.
|
||||
CONFIG_X86_KERNEL_IBT=y
|
||||
|
||||
# Enable CET Shadow Stack for userspace.
|
||||
CONFIG_X86_USER_SHADOW_STACK=y
|
||||
|
@ -23,6 +23,10 @@ CONFIG_SLAB_FREELIST_HARDENED=y
|
||||
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
|
||||
CONFIG_RANDOM_KMALLOC_CACHES=y
|
||||
|
||||
# Sanity check userspace page table mappings.
|
||||
CONFIG_PAGE_TABLE_CHECK=y
|
||||
CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
|
||||
|
||||
# Randomize kernel stack offset on syscall entry.
|
||||
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
|
||||
|
||||
@ -81,6 +85,10 @@ CONFIG_SECCOMP_FILTER=y
|
||||
# Provides some protections against SYN flooding.
|
||||
CONFIG_SYN_COOKIES=y
|
||||
|
||||
# Enable Kernel Control Flow Integrity (currently Clang only).
|
||||
CONFIG_CFI_CLANG=y
|
||||
# CONFIG_CFI_PERMISSIVE is not set
|
||||
|
||||
# Attack surface reduction: do not autoload TTY line disciplines.
|
||||
# CONFIG_LDISC_AUTOLOAD is not set
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user