features/security: Add more kernel hardening fragments

Signed-off-by: He Zhe <zhe.he@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> Signed-off-by: Ricardo Salveti <ricardo@foundries.io>
author: He Zhe <zhe.he@windriver.com> 2019-06-27 11:02:51 +0800
committer: Ricardo Salveti <ricardo@foundries.io> 2019-07-10 16:59:06 -0300
commit: 296272a6179f7b8940c9d079ebbf9ba7af289a84 (patch)
tree: fa74668163b2bd65a221ac4c47dbed7c40695802
parent: ebe4ca5e9b3cc5138c97223e6dfa327e4d75205e (diff)
1 files changed, 16 insertions, 0 deletions
diff --git a/features/security/security.cfg b/features/security/security.cfg
index 2e2c2d0..ed84453 100644
--- a/features/security/security.cfg
+++ b/features/security/security.cfg
@@ -11,6 +11,7 @@ CONFIG_SLAB_FREELIST_HARDENED=y
 
 # Stack Protector is for buffer overflow detection and hardening
 CONFIG_STACKPROTECTOR=y
+CONFIG_STACKPROTECTOR_STRONG=y
 
 # Disable to ensure random heap placement to make exploits harder
 # CONFIG_COMPAT_BRK is not set
@@ -28,3 +29,18 @@ CONFIG_STRICT_DEVMEM=y
 
 # Perform additional validation of various commonly targeted structures
 CONFIG_SCHED_STACK_END_CHECK=y
+
+# Information exposure
+CONFIG_PAGE_POISONING=y
+
+# Kernel Address Space Layout Randomization (KASLR)
+CONFIG_RANDOMIZE_BASE=y
+CONFIG_RANDOMIZE_MEMORY=y
+
+# Direct kernel overwrite
+CONFIG_STRICT_KERNEL_RWX=y
+CONFIG_STRICT_MODULE_RWX=y
+
+# Meltdown and Spectre
+CONFIG_PAGE_TABLE_ISOLATION=y
+CONFIG_RETPOLINE=y
author	He Zhe <zhe.he@windriver.com>	2019-06-27 11:02:51 +0800
committer	Ricardo Salveti <ricardo@foundries.io>	2019-07-10 16:59:06 -0300
commit	296272a6179f7b8940c9d079ebbf9ba7af289a84 (patch)
tree	fa74668163b2bd65a221ac4c47dbed7c40695802
parent	ebe4ca5e9b3cc5138c97223e6dfa327e4d75205e (diff)