feat: hardend

mihari-dev-kernel-config

@@ -439,7 +439,7 @@ CONFIG_MICROCODE=y
 CONFIG_MICROCODE_INTEL=y
 CONFIG_MICROCODE_AMD=y
 # CONFIG_MICROCODE_LATE_LOADING is not set
-CONFIG_X86_MSR=m
+# CONFIG_X86_MSR is not set
 CONFIG_X86_CPUID=m
 CONFIG_X86_5LEVEL=y
 CONFIG_X86_DIRECT_GBPAGES=y
@@ -471,7 +471,7 @@ CONFIG_X86_UMIP=y
 CONFIG_CC_HAS_IBT=y
 CONFIG_X86_KERNEL_IBT=y
 CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
-# CONFIG_X86_INTEL_TSX_MODE_OFF is not set
+CONFIG_X86_INTEL_TSX_MODE_OFF=y
 # CONFIG_X86_INTEL_TSX_MODE_ON is not set
 CONFIG_X86_INTEL_TSX_MODE_AUTO=y
 CONFIG_X86_SGX=y
@@ -487,7 +487,7 @@ CONFIG_HZ_250=y
 # CONFIG_HZ_1000 is not set
 CONFIG_HZ=250
 CONFIG_SCHED_HRTICK=y
-CONFIG_KEXEC=y
+# CONFIG_KEXEC is not set
 CONFIG_KEXEC_FILE=y
 CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
 CONFIG_KEXEC_SIG=y
@@ -508,9 +508,9 @@ CONFIG_HOTPLUG_CPU=y
 # CONFIG_DEBUG_HOTPLUG_CPU0 is not set
 # CONFIG_COMPAT_VDSO is not set
 CONFIG_LEGACY_VSYSCALL_XONLY=y
-# CONFIG_LEGACY_VSYSCALL_NONE is not set
+CONFIG_LEGACY_VSYSCALL_NONE=y
 # CONFIG_CMDLINE_BOOL is not set
-CONFIG_MODIFY_LDT_SYSCALL=y
+# CONFIG_MODIFY_LDT_SYSCALL is not set
 # CONFIG_STRICT_SIGALTSTACK_SIZE is not set
 CONFIG_HAVE_LIVEPATCH=y
 CONFIG_LIVEPATCH=y
@@ -546,7 +546,7 @@ CONFIG_SUSPEND=y
 CONFIG_SUSPEND_FREEZER=y
 # CONFIG_SUSPEND_SKIP_SYNC is not set
 CONFIG_HIBERNATE_CALLBACKS=y
-CONFIG_HIBERNATION=y
+# CONFIG_HIBERNATION is not set
 CONFIG_HIBERNATION_SNAPSHOT_DEV=y
 CONFIG_PM_STD_PARTITION=""
 CONFIG_PM_SLEEP=y
@@ -715,10 +715,10 @@ CONFIG_AMD_NB=y
 #
 # Binary Emulations
 #
-CONFIG_IA32_EMULATION=y
+# CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32_ABI is not set
 CONFIG_COMPAT_32=y
-CONFIG_COMPAT=y
+# CONFIG_COMPAT is not set
 CONFIG_COMPAT_FOR_U64_ALIGNMENT=y
 # end of Binary Emulations
 
@@ -914,7 +914,7 @@ CONFIG_FUNCTION_ALIGNMENT=16
 CONFIG_RT_MUTEXES=y
 CONFIG_BASE_SMALL=0
 CONFIG_MODULE_SIG_FORMAT=y
-CONFIG_MODULES=y
+# CONFIG_MODULES is not set
 # CONFIG_MODULE_FORCE_LOAD is not set
 CONFIG_MODULE_UNLOAD=y
 # CONFIG_MODULE_FORCE_UNLOAD is not set
@@ -1033,7 +1033,7 @@ CONFIG_COMPAT_BINFMT_ELF=y
 CONFIG_ELFCORE=y
 CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y
 CONFIG_BINFMT_SCRIPT=y
-CONFIG_BINFMT_MISC=m
+# CONFIG_BINFMT_MISC is not set
 CONFIG_COREDUMP=y
 # end of Executable file formats
 
@@ -1067,7 +1067,7 @@ CONFIG_ZSMALLOC=y
 CONFIG_SLUB=y
 # CONFIG_SLOB_DEPRECATED is not set
 # CONFIG_SLUB_TINY is not set
-CONFIG_SLAB_MERGE_DEFAULT=y
+# CONFIG_SLAB_MERGE_DEFAULT is not set
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
 # CONFIG_SLUB_STATS is not set
@@ -1232,7 +1232,7 @@ CONFIG_INET_IPCOMP=m
 CONFIG_INET_TABLE_PERTURB_ORDER=16
 CONFIG_INET_XFRM_TUNNEL=m
 CONFIG_INET_TUNNEL=m
-CONFIG_INET_DIAG=m
+# CONFIG_INET_DIAG is not set
 CONFIG_INET_TCP_DIAG=m
 CONFIG_INET_UDP_DIAG=m
 CONFIG_INET_RAW_DIAG=m
@@ -4534,10 +4534,10 @@ CONFIG_VT_CONSOLE_SLEEP=y
 CONFIG_HW_CONSOLE=y
 CONFIG_VT_HW_CONSOLE_BINDING=y
 CONFIG_UNIX98_PTYS=y
-CONFIG_LEGACY_PTYS=y
+# CONFIG_LEGACY_PTYS is not set
 CONFIG_LEGACY_PTY_COUNT=0
 CONFIG_LEGACY_TIOCSTI=y
-CONFIG_LDISC_AUTOLOAD=y
+# CONFIG_LDISC_AUTOLOAD is not set
 
 #
 # Serial drivers
@@ -4654,7 +4654,7 @@ CONFIG_IPWIRELESS=m
 # end of PCMCIA character devices
 
 CONFIG_MWAVE=m
-CONFIG_DEVMEM=y
+# CONFIG_DEVMEM is not set
 CONFIG_NVRAM=m
 CONFIG_DEVPORT=y
 CONFIG_HPET=y
@@ -9479,17 +9479,17 @@ CONFIG_IOMMU_IO_PGTABLE=y
 # end of Generic IOMMU Pagetable Support
 
 # CONFIG_IOMMU_DEBUGFS is not set
-# CONFIG_IOMMU_DEFAULT_DMA_STRICT is not set
+CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 CONFIG_IOMMU_DEFAULT_DMA_LAZY=y
 # CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
 CONFIG_IOMMU_DMA=y
 CONFIG_IOMMU_SVA=y
 CONFIG_AMD_IOMMU=y
-CONFIG_AMD_IOMMU_V2=m
+CONFIG_AMD_IOMMU_V2=y
 CONFIG_DMAR_TABLE=y
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_SVM=y
-# CONFIG_INTEL_IOMMU_DEFAULT_ON is not set
+CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 CONFIG_INTEL_IOMMU_FLOPPY_WA=y
 # CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON is not set
 # CONFIG_IOMMUFD is not set
@@ -10583,7 +10583,7 @@ CONFIG_NTFS3_FS_POSIX_ACL=y
 # Pseudo filesystems
 #
 CONFIG_PROC_FS=y
-CONFIG_PROC_KCORE=y
+# CONFIG_PROC_KCORE is not set
 CONFIG_PROC_VMCORE=y
 CONFIG_PROC_VMCORE_DEVICE_DUMP=y
 CONFIG_PROC_SYSCTL=y
@@ -10872,9 +10872,9 @@ CONFIG_HARDENED_USERCOPY=y
 CONFIG_FORTIFY_SOURCE=y
 CONFIG_STATIC_USERMODEHELPER=y
 CONFIG_SECURITY_SELINUX=y
-CONFIG_SECURITY_SELINUX_BOOTPARAM=y
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
-CONFIG_SECURITY_SELINUX_DEVELOP=y
+# CONFIG_SECURITY_SELINUX_DEVELOP is not set
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
 CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
@@ -10904,7 +10904,7 @@ CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
 CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
-# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
 CONFIG_SECURITY_LANDLOCK=y
 CONFIG_INTEGRITY=y
 CONFIG_INTEGRITY_SIGNATURE=y
@@ -11495,18 +11495,19 @@ CONFIG_UBSAN_TRAP=y
 CONFIG_CC_HAS_UBSAN_BOUNDS=y
 CONFIG_UBSAN_BOUNDS=y
 CONFIG_UBSAN_ONLY_BOUNDS=y
-CONFIG_UBSAN_SHIFT=y
+# CONFIG_UBSAN_SHIFT is not set
 # CONFIG_UBSAN_DIV_ZERO is not set
-CONFIG_UBSAN_BOOL=y
-CONFIG_UBSAN_ENUM=y
+# CONFIG_UBSAN_BOOL is not set
+# CONFIG_UBSAN_ENUM is not set
 # CONFIG_UBSAN_ALIGNMENT is not set
 CONFIG_UBSAN_SANITIZE_ALL=y
-# CONFIG_TEST_UBSAN is not set
+CONFIG_TEST_UBSAN=y
 CONFIG_HAVE_ARCH_KCSAN=y
 CONFIG_HAVE_KCSAN_COMPILER=y
 # CONFIG_KCSAN is not set
 # end of Generic Kernel Debugging Instruments
-
+CONFIG_CFI_CLANG=y
+# CONFIG_CFI_PERMISSIVE is not set
 #
 # Networking Debugging
 #
@@ -11752,7 +11753,7 @@ CONFIG_HAVE_SAMPLE_FTRACE_DIRECT=y
 CONFIG_HAVE_SAMPLE_FTRACE_DIRECT_MULTI=y
 CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y
 CONFIG_STRICT_DEVMEM=y
-# CONFIG_IO_STRICT_DEVMEM is not set
+CONFIG_IO_STRICT_DEVMEM=y
 
 #
 # x86 Debugging