mirror of
https://github.com/torvalds/linux.git
synced 2024-11-22 04:38:03 +00:00
7b3133aa4b
Commit 94f8f319cb
("drm: Remove Kconfig option for legacy support
(CONFIG_DRM_LEGACY)") removes the config DRM_LEGACY, but one reference to
that config is left in the hardening.config fragment.
As there is no drm legacy driver left, we do not need to recommend this
attack surface reduction anymore.
Drop this reference in hardening.config fragment.
Signed-off-by: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Link: https://lore.kernel.org/r/20240208091045.9219-3-lukas.bulwahn@gmail.com
Signed-off-by: Kees Cook <keescook@chromium.org>
95 lines
2.7 KiB
Plaintext
95 lines
2.7 KiB
Plaintext
# Help: Basic kernel hardening options
|
|
#
|
|
# These are considered the basic kernel hardening, self-protection, and
|
|
# attack surface reduction options. They are expected to have low (or
|
|
# no) performance impact on most workloads, and have a reasonable level
|
|
# of legacy API removals.
|
|
|
|
# Make sure reporting of various hardening actions is possible.
|
|
CONFIG_BUG=y
|
|
|
|
# Basic kernel memory permission enforcement.
|
|
CONFIG_STRICT_KERNEL_RWX=y
|
|
CONFIG_STRICT_MODULE_RWX=y
|
|
CONFIG_VMAP_STACK=y
|
|
|
|
# Kernel image and memory ASLR.
|
|
CONFIG_RANDOMIZE_BASE=y
|
|
CONFIG_RANDOMIZE_MEMORY=y
|
|
|
|
# Randomize allocator freelists, harden metadata.
|
|
CONFIG_SLAB_FREELIST_RANDOM=y
|
|
CONFIG_SLAB_FREELIST_HARDENED=y
|
|
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
|
|
CONFIG_RANDOM_KMALLOC_CACHES=y
|
|
|
|
# Randomize kernel stack offset on syscall entry.
|
|
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
|
|
|
|
# Basic stack frame overflow protection.
|
|
CONFIG_STACKPROTECTOR=y
|
|
CONFIG_STACKPROTECTOR_STRONG=y
|
|
|
|
# Basic buffer length bounds checking.
|
|
CONFIG_HARDENED_USERCOPY=y
|
|
CONFIG_FORTIFY_SOURCE=y
|
|
|
|
# Basic array index bounds checking.
|
|
CONFIG_UBSAN=y
|
|
CONFIG_UBSAN_TRAP=y
|
|
CONFIG_UBSAN_BOUNDS=y
|
|
# CONFIG_UBSAN_SHIFT is not set
|
|
# CONFIG_UBSAN_DIV_ZERO
|
|
# CONFIG_UBSAN_UNREACHABLE
|
|
# CONFIG_UBSAN_BOOL
|
|
# CONFIG_UBSAN_ENUM
|
|
# CONFIG_UBSAN_ALIGNMENT
|
|
|
|
# Linked list integrity checking.
|
|
CONFIG_LIST_HARDENED=y
|
|
|
|
# Initialize all heap variables to zero on allocation.
|
|
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
|
|
|
|
# Initialize all stack variables to zero on function entry.
|
|
CONFIG_INIT_STACK_ALL_ZERO=y
|
|
|
|
# Wipe RAM at reboot via EFI. For more details, see:
|
|
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
|
|
CONFIG_RESET_ATTACK_MITIGATION=y
|
|
|
|
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
|
|
CONFIG_EFI_DISABLE_PCI_DMA=y
|
|
|
|
# Force IOMMU TLB invalidation so devices will never be able to access stale
|
|
# data content.
|
|
CONFIG_IOMMU_SUPPORT=y
|
|
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
|
|
|
|
# Do not allow direct physical memory access to non-device memory.
|
|
CONFIG_STRICT_DEVMEM=y
|
|
CONFIG_IO_STRICT_DEVMEM=y
|
|
|
|
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
|
|
CONFIG_SECCOMP=y
|
|
CONFIG_SECCOMP_FILTER=y
|
|
|
|
# Provides some protections against SYN flooding.
|
|
CONFIG_SYN_COOKIES=y
|
|
|
|
# Attack surface reduction: do not autoload TTY line disciplines.
|
|
# CONFIG_LDISC_AUTOLOAD is not set
|
|
|
|
# Dangerous; enabling this disables userspace brk ASLR.
|
|
# CONFIG_COMPAT_BRK is not set
|
|
|
|
# Dangerous; exposes kernel text image layout.
|
|
# CONFIG_PROC_KCORE is not set
|
|
|
|
# Dangerous; enabling this disables userspace VDSO ASLR.
|
|
# CONFIG_COMPAT_VDSO is not set
|
|
|
|
# Attack surface reduction: Use the modern PTY interface (devpts) only.
|
|
# CONFIG_LEGACY_PTYS is not set
|