kernel/configs/hardening.config - linux/kernel/git/gregkh/driver-core - Git at Google

 # Help: Basic kernel hardening options
 #
 # These are considered the basic kernel hardening, self-protection, and
 # attack surface reduction options. They are expected to have low (or
 # no) performance impact on most workloads, and have a reasonable level
 # of legacy API removals.

 # Make sure reporting of various hardening actions is possible.
 CONFIG_BUG=y

 # Basic kernel memory permission enforcement.
 CONFIG_STRICT_KERNEL_RWX=y
 CONFIG_STRICT_MODULE_RWX=y
 CONFIG_VMAP_STACK=y

 # Kernel image and memory ASLR.
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y

 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 CONFIG_RANDOM_KMALLOC_CACHES=y

 # Randomize kernel stack offset on syscall entry.
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y

 # Basic stack frame overflow protection.
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y

 # Basic buffer length bounds checking.
 CONFIG_HARDENED_USERCOPY=y
 CONFIG_FORTIFY_SOURCE=y

 # Basic array index bounds checking.
 CONFIG_UBSAN=y
 CONFIG_UBSAN_TRAP=y
 CONFIG_UBSAN_BOUNDS=y
 # CONFIG_UBSAN_SHIFT is not set
 # CONFIG_UBSAN_DIV_ZERO is not set
 # CONFIG_UBSAN_UNREACHABLE is not set
 # CONFIG_UBSAN_SIGNED_WRAP is not set
 # CONFIG_UBSAN_BOOL is not set
 # CONFIG_UBSAN_ENUM is not set
 # CONFIG_UBSAN_ALIGNMENT is not set

 # Sampling-based heap out-of-bounds and use-after-free detection.
 CONFIG_KFENCE=y

 # Linked list integrity checking.
 CONFIG_LIST_HARDENED=y

 # Initialize all heap variables to zero on allocation.
 CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y

 # Initialize all stack variables to zero on function entry.
 CONFIG_INIT_STACK_ALL_ZERO=y

 # Wipe RAM at reboot via EFI. For more details, see:
 # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
 # https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y

 # Disable DMA between EFI hand-off and the kernel's IOMMU setup.
 CONFIG_EFI_DISABLE_PCI_DMA=y

 # Force IOMMU TLB invalidation so devices will never be able to access stale
 # data content.
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y

 # Do not allow direct physical memory access to non-device memory.
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y

 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y

 # Provides some protections against SYN flooding.
 CONFIG_SYN_COOKIES=y

 # Attack surface reduction: do not autoload TTY line disciplines.
 # CONFIG_LDISC_AUTOLOAD is not set

 # Dangerous; enabling this disables userspace brk ASLR.
 # CONFIG_COMPAT_BRK is not set

 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set

 # Dangerous; enabling this disables userspace VDSO ASLR.
 # CONFIG_COMPAT_VDSO is not set

 # Attack surface reduction: Use the modern PTY interface (devpts) only.
 # CONFIG_LEGACY_PTYS is not set
	# Help: Basic kernel hardening options
	#
	# These are considered the basic kernel hardening, self-protection, and
	# attack surface reduction options. They are expected to have low (or
	# no) performance impact on most workloads, and have a reasonable level
	# of legacy API removals.

	# Make sure reporting of various hardening actions is possible.
	CONFIG_BUG=y

	# Basic kernel memory permission enforcement.
	CONFIG_STRICT_KERNEL_RWX=y
	CONFIG_STRICT_MODULE_RWX=y
	CONFIG_VMAP_STACK=y

	# Kernel image and memory ASLR.
	CONFIG_RANDOMIZE_BASE=y
	CONFIG_RANDOMIZE_MEMORY=y

	# Randomize allocator freelists, harden metadata.
	CONFIG_SLAB_FREELIST_RANDOM=y
	CONFIG_SLAB_FREELIST_HARDENED=y
	CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
	CONFIG_RANDOM_KMALLOC_CACHES=y

	# Randomize kernel stack offset on syscall entry.
	CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y

	# Basic stack frame overflow protection.
	CONFIG_STACKPROTECTOR=y
	CONFIG_STACKPROTECTOR_STRONG=y

	# Basic buffer length bounds checking.
	CONFIG_HARDENED_USERCOPY=y
	CONFIG_FORTIFY_SOURCE=y

	# Basic array index bounds checking.
	CONFIG_UBSAN=y
	CONFIG_UBSAN_TRAP=y
	CONFIG_UBSAN_BOUNDS=y
	# CONFIG_UBSAN_SHIFT is not set
	# CONFIG_UBSAN_DIV_ZERO is not set
	# CONFIG_UBSAN_UNREACHABLE is not set
	# CONFIG_UBSAN_SIGNED_WRAP is not set
	# CONFIG_UBSAN_BOOL is not set
	# CONFIG_UBSAN_ENUM is not set
	# CONFIG_UBSAN_ALIGNMENT is not set

	# Sampling-based heap out-of-bounds and use-after-free detection.
	CONFIG_KFENCE=y

	# Linked list integrity checking.
	CONFIG_LIST_HARDENED=y

	# Initialize all heap variables to zero on allocation.
	CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y

	# Initialize all stack variables to zero on function entry.
	CONFIG_INIT_STACK_ALL_ZERO=y

	# Wipe RAM at reboot via EFI. For more details, see:
	# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
	# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
	CONFIG_RESET_ATTACK_MITIGATION=y

	# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
	CONFIG_EFI_DISABLE_PCI_DMA=y

	# Force IOMMU TLB invalidation so devices will never be able to access stale
	# data content.
	CONFIG_IOMMU_SUPPORT=y
	CONFIG_IOMMU_DEFAULT_DMA_STRICT=y

	# Do not allow direct physical memory access to non-device memory.
	CONFIG_STRICT_DEVMEM=y
	CONFIG_IO_STRICT_DEVMEM=y

	# Provide userspace with seccomp BPF API for syscall attack surface reduction.
	CONFIG_SECCOMP=y
	CONFIG_SECCOMP_FILTER=y

	# Provides some protections against SYN flooding.
	CONFIG_SYN_COOKIES=y

	# Attack surface reduction: do not autoload TTY line disciplines.
	# CONFIG_LDISC_AUTOLOAD is not set

	# Dangerous; enabling this disables userspace brk ASLR.
	# CONFIG_COMPAT_BRK is not set

	# Dangerous; exposes kernel text image layout.
	# CONFIG_PROC_KCORE is not set

	# Dangerous; enabling this disables userspace VDSO ASLR.
	# CONFIG_COMPAT_VDSO is not set

	# Attack surface reduction: Use the modern PTY interface (devpts) only.
	# CONFIG_LEGACY_PTYS is not set