diff options
author | He Zhe <zhe.he@windriver.com> | 2019-06-27 11:02:51 +0800 |
---|---|---|
committer | Ricardo Salveti <ricardo@foundries.io> | 2019-07-10 16:59:06 -0300 |
commit | 296272a6179f7b8940c9d079ebbf9ba7af289a84 (patch) | |
tree | fa74668163b2bd65a221ac4c47dbed7c40695802 | |
parent | ebe4ca5e9b3cc5138c97223e6dfa327e4d75205e (diff) |
features/security: Add more kernel hardening fragments
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Ricardo Salveti <ricardo@foundries.io>
-rw-r--r-- | features/security/security.cfg | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/features/security/security.cfg b/features/security/security.cfg index 2e2c2d0..ed84453 100644 --- a/features/security/security.cfg +++ b/features/security/security.cfg @@ -11,6 +11,7 @@ CONFIG_SLAB_FREELIST_HARDENED=y # Stack Protector is for buffer overflow detection and hardening CONFIG_STACKPROTECTOR=y +CONFIG_STACKPROTECTOR_STRONG=y # Disable to ensure random heap placement to make exploits harder # CONFIG_COMPAT_BRK is not set @@ -28,3 +29,18 @@ CONFIG_STRICT_DEVMEM=y # Perform additional validation of various commonly targeted structures CONFIG_SCHED_STACK_END_CHECK=y + +# Information exposure +CONFIG_PAGE_POISONING=y + +# Kernel Address Space Layout Randomization (KASLR) +CONFIG_RANDOMIZE_BASE=y +CONFIG_RANDOMIZE_MEMORY=y + +# Direct kernel overwrite +CONFIG_STRICT_KERNEL_RWX=y +CONFIG_STRICT_MODULE_RWX=y + +# Meltdown and Spectre +CONFIG_PAGE_TABLE_ISOLATION=y +CONFIG_RETPOLINE=y |