a284e43852
Add some stuff that got missed along the way:
- CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y so SCS vs PAC is hardware selectable.
- CONFIG_X86_KERNEL_IBT=y while a default, just be sure.
- CONFIG_CFI_CLANG=y globally.
- CONFIG_PAGE_TABLE_CHECK=y for userspace mapping sanity.

Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Link: https://lore.kernel.org/r/20240501193709.make.982-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
18 lines
473 B
Plaintext
# Basic kernel hardening options (specific to x86)

# Modern libc no longer needs a fixed-position mapping in userspace, remove
# it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y

# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
CONFIG_INTEL_IOMMU_SVM=y
CONFIG_AMD_IOMMU=y

# Enforce CET Indirect Branch Tracking in the kernel.
CONFIG_X86_KERNEL_IBT=y

# Enable CET Shadow Stack for userspace.
CONFIG_X86_USER_SHADOW_STACK=y
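An added check, not part of the kernel tree or of this commit: a POSIX shell script that verifies a kernel .config (or the /boot/config-$(uname -r) of a running system) against the seven options in the fragment above, and a second function that confirms the legacy vsyscall page is really unmapped on the live system, since CONFIG_LEGACY_VSYSCALL_NONE only sets the default and the vsyscall= boot parameter can still override it. The option list is copied from the fragment; the function names, the file arguments and the sample inputs are this example's own.

```shell
# Added example: check a kernel config and a live process map against the
# x86 hardening fragment. Not part of the kernel tree.

# Options taken verbatim from the fragment above.
X86_HARDENING_OPTS="
CONFIG_LEGACY_VSYSCALL_NONE=y
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
CONFIG_INTEL_IOMMU_SVM=y
CONFIG_AMD_IOMMU=y
CONFIG_X86_KERNEL_IBT=y
CONFIG_X86_USER_SHADOW_STACK=y
"

# check_x86_hardening CONFIG_FILE
# Prints one line per option that is absent or set to a different value.
# Return value is the number of failing options (0 = fragment fully applied).
check_x86_hardening() {
    cfg="$1"
    failures=0
    for want in $X86_HARDENING_OPTS; do
        name="${want%%=*}"
        # Anchor on "NAME=" so that CONFIG_AMD_IOMMU is not satisfied by
        # CONFIG_AMD_IOMMU_V2, and so that "# CONFIG_X is not set" counts
        # as missing rather than as a match.
        have=$(grep -E "^${name}=" "$cfg" | head -n 1)
        if [ -z "$have" ]; then
            printf '%s: missing (not set)\n' "$name"
            failures=$((failures + 1))
        elif [ "$have" != "$want" ]; then
            printf '%s: have %s, want %s\n' "$name" "$have" "$want"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# check_vsyscall_absent [MAPS_FILE]
# With the vsyscall page disabled, the fixed mapping at 0xffffffffff600000
# does not exist, so no process's /proc/self/maps carries a "[vsyscall]"
# entry. Returns 0 when absent, 1 when the page is still mapped (for
# example because the kernel was booted with vsyscall=xonly or =emulate).
check_vsyscall_absent() {
    maps="${1:-/proc/self/maps}"
    if grep -q '\[vsyscall\]' "$maps"; then
        printf 'vsyscall page is mapped: %s\n' "$(grep '\[vsyscall\]' "$maps")"
        return 1
    fi
    return 0
}

# Usage: sh check-x86-hardening.sh /boot/config-$(uname -r)
if [ "$#" -gt 0 ]; then
    check_x86_hardening "$1"
    check_vsyscall_absent
fi
```

The config check tells you whether the fragment was merged into the build (for instance with scripts/kconfig/merge_config.sh -m .config followed by the fragment file); the live check catches the case where the option is present but the boot command line undid it. The IOMMU defaults have the same caveat (intel_iommu=off and amd_iommu=off exist), and CONFIG_X86_KERNEL_IBT and CONFIG_X86_USER_SHADOW_STACK only take effect on CPUs that implement CET, so a complete audit also looks at the CPU flags the running kernel reports in /proc/cpuinfo rather than at the config alone.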