feat: harden
parent
e98162dfb2
commit
adf818b9b3
1 changed files with 29 additions and 28 deletions
|
@ -439,7 +439,7 @@ CONFIG_MICROCODE=y
|
||||||
CONFIG_MICROCODE_INTEL=y
|
CONFIG_MICROCODE_INTEL=y
|
||||||
CONFIG_MICROCODE_AMD=y
|
CONFIG_MICROCODE_AMD=y
|
||||||
# CONFIG_MICROCODE_LATE_LOADING is not set
|
# CONFIG_MICROCODE_LATE_LOADING is not set
|
||||||
CONFIG_X86_MSR=m
|
# CONFIG_X86_MSR is not set
|
||||||
CONFIG_X86_CPUID=m
|
CONFIG_X86_CPUID=m
|
||||||
CONFIG_X86_5LEVEL=y
|
CONFIG_X86_5LEVEL=y
|
||||||
CONFIG_X86_DIRECT_GBPAGES=y
|
CONFIG_X86_DIRECT_GBPAGES=y
|
||||||
|
@ -471,7 +471,7 @@ CONFIG_X86_UMIP=y
|
||||||
CONFIG_CC_HAS_IBT=y
|
CONFIG_CC_HAS_IBT=y
|
||||||
CONFIG_X86_KERNEL_IBT=y
|
CONFIG_X86_KERNEL_IBT=y
|
||||||
CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
|
CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
|
||||||
# CONFIG_X86_INTEL_TSX_MODE_OFF is not set
|
CONFIG_X86_INTEL_TSX_MODE_OFF=y
|
||||||
# CONFIG_X86_INTEL_TSX_MODE_ON is not set
|
# CONFIG_X86_INTEL_TSX_MODE_ON is not set
|
||||||
CONFIG_X86_INTEL_TSX_MODE_AUTO=y
|
CONFIG_X86_INTEL_TSX_MODE_AUTO=y
|
||||||
CONFIG_X86_SGX=y
|
CONFIG_X86_SGX=y
|
||||||
|
@ -487,7 +487,7 @@ CONFIG_HZ_250=y
|
||||||
# CONFIG_HZ_1000 is not set
|
# CONFIG_HZ_1000 is not set
|
||||||
CONFIG_HZ=250
|
CONFIG_HZ=250
|
||||||
CONFIG_SCHED_HRTICK=y
|
CONFIG_SCHED_HRTICK=y
|
||||||
CONFIG_KEXEC=y
|
# CONFIG_KEXEC is not set
|
||||||
CONFIG_KEXEC_FILE=y
|
CONFIG_KEXEC_FILE=y
|
||||||
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
|
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
|
||||||
CONFIG_KEXEC_SIG=y
|
CONFIG_KEXEC_SIG=y
|
||||||
|
@ -508,9 +508,9 @@ CONFIG_HOTPLUG_CPU=y
|
||||||
# CONFIG_DEBUG_HOTPLUG_CPU0 is not set
|
# CONFIG_DEBUG_HOTPLUG_CPU0 is not set
|
||||||
# CONFIG_COMPAT_VDSO is not set
|
# CONFIG_COMPAT_VDSO is not set
|
||||||
CONFIG_LEGACY_VSYSCALL_XONLY=y
|
CONFIG_LEGACY_VSYSCALL_XONLY=y
|
||||||
# CONFIG_LEGACY_VSYSCALL_NONE is not set
|
CONFIG_LEGACY_VSYSCALL_NONE=y
|
||||||
# CONFIG_CMDLINE_BOOL is not set
|
# CONFIG_CMDLINE_BOOL is not set
|
||||||
CONFIG_MODIFY_LDT_SYSCALL=y
|
# CONFIG_MODIFY_LDT_SYSCALL is not set
|
||||||
# CONFIG_STRICT_SIGALTSTACK_SIZE is not set
|
# CONFIG_STRICT_SIGALTSTACK_SIZE is not set
|
||||||
CONFIG_HAVE_LIVEPATCH=y
|
CONFIG_HAVE_LIVEPATCH=y
|
||||||
CONFIG_LIVEPATCH=y
|
CONFIG_LIVEPATCH=y
|
||||||
|
@ -546,7 +546,7 @@ CONFIG_SUSPEND=y
|
||||||
CONFIG_SUSPEND_FREEZER=y
|
CONFIG_SUSPEND_FREEZER=y
|
||||||
# CONFIG_SUSPEND_SKIP_SYNC is not set
|
# CONFIG_SUSPEND_SKIP_SYNC is not set
|
||||||
CONFIG_HIBERNATE_CALLBACKS=y
|
CONFIG_HIBERNATE_CALLBACKS=y
|
||||||
CONFIG_HIBERNATION=y
|
# CONFIG_HIBERNATION is not set
|
||||||
CONFIG_HIBERNATION_SNAPSHOT_DEV=y
|
CONFIG_HIBERNATION_SNAPSHOT_DEV=y
|
||||||
CONFIG_PM_STD_PARTITION=""
|
CONFIG_PM_STD_PARTITION=""
|
||||||
CONFIG_PM_SLEEP=y
|
CONFIG_PM_SLEEP=y
|
||||||
|
@ -715,10 +715,10 @@ CONFIG_AMD_NB=y
|
||||||
#
|
#
|
||||||
# Binary Emulations
|
# Binary Emulations
|
||||||
#
|
#
|
||||||
CONFIG_IA32_EMULATION=y
|
# CONFIG_IA32_EMULATION is not set
|
||||||
# CONFIG_X86_X32_ABI is not set
|
# CONFIG_X86_X32_ABI is not set
|
||||||
CONFIG_COMPAT_32=y
|
CONFIG_COMPAT_32=y
|
||||||
CONFIG_COMPAT=y
|
# CONFIG_COMPAT is not set
|
||||||
CONFIG_COMPAT_FOR_U64_ALIGNMENT=y
|
CONFIG_COMPAT_FOR_U64_ALIGNMENT=y
|
||||||
# end of Binary Emulations
|
# end of Binary Emulations
|
||||||
|
|
||||||
|
@ -914,7 +914,7 @@ CONFIG_FUNCTION_ALIGNMENT=16
|
||||||
CONFIG_RT_MUTEXES=y
|
CONFIG_RT_MUTEXES=y
|
||||||
CONFIG_BASE_SMALL=0
|
CONFIG_BASE_SMALL=0
|
||||||
CONFIG_MODULE_SIG_FORMAT=y
|
CONFIG_MODULE_SIG_FORMAT=y
|
||||||
CONFIG_MODULES=y
|
# CONFIG_MODULES is not set
|
||||||
# CONFIG_MODULE_FORCE_LOAD is not set
|
# CONFIG_MODULE_FORCE_LOAD is not set
|
||||||
CONFIG_MODULE_UNLOAD=y
|
CONFIG_MODULE_UNLOAD=y
|
||||||
# CONFIG_MODULE_FORCE_UNLOAD is not set
|
# CONFIG_MODULE_FORCE_UNLOAD is not set
|
||||||
|
@ -1033,7 +1033,7 @@ CONFIG_COMPAT_BINFMT_ELF=y
|
||||||
CONFIG_ELFCORE=y
|
CONFIG_ELFCORE=y
|
||||||
CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y
|
CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y
|
||||||
CONFIG_BINFMT_SCRIPT=y
|
CONFIG_BINFMT_SCRIPT=y
|
||||||
CONFIG_BINFMT_MISC=m
|
# CONFIG_BINFMT_MISC is not set
|
||||||
CONFIG_COREDUMP=y
|
CONFIG_COREDUMP=y
|
||||||
# end of Executable file formats
|
# end of Executable file formats
|
||||||
|
|
||||||
|
@ -1067,7 +1067,7 @@ CONFIG_ZSMALLOC=y
|
||||||
CONFIG_SLUB=y
|
CONFIG_SLUB=y
|
||||||
# CONFIG_SLOB_DEPRECATED is not set
|
# CONFIG_SLOB_DEPRECATED is not set
|
||||||
# CONFIG_SLUB_TINY is not set
|
# CONFIG_SLUB_TINY is not set
|
||||||
CONFIG_SLAB_MERGE_DEFAULT=y
|
# CONFIG_SLAB_MERGE_DEFAULT is not set
|
||||||
CONFIG_SLAB_FREELIST_RANDOM=y
|
CONFIG_SLAB_FREELIST_RANDOM=y
|
||||||
CONFIG_SLAB_FREELIST_HARDENED=y
|
CONFIG_SLAB_FREELIST_HARDENED=y
|
||||||
# CONFIG_SLUB_STATS is not set
|
# CONFIG_SLUB_STATS is not set
|
||||||
|
@ -1232,7 +1232,7 @@ CONFIG_INET_IPCOMP=m
|
||||||
CONFIG_INET_TABLE_PERTURB_ORDER=16
|
CONFIG_INET_TABLE_PERTURB_ORDER=16
|
||||||
CONFIG_INET_XFRM_TUNNEL=m
|
CONFIG_INET_XFRM_TUNNEL=m
|
||||||
CONFIG_INET_TUNNEL=m
|
CONFIG_INET_TUNNEL=m
|
||||||
CONFIG_INET_DIAG=m
|
# CONFIG_INET_DIAG is not set
|
||||||
CONFIG_INET_TCP_DIAG=m
|
CONFIG_INET_TCP_DIAG=m
|
||||||
CONFIG_INET_UDP_DIAG=m
|
CONFIG_INET_UDP_DIAG=m
|
||||||
CONFIG_INET_RAW_DIAG=m
|
CONFIG_INET_RAW_DIAG=m
|
||||||
|
@ -4534,10 +4534,10 @@ CONFIG_VT_CONSOLE_SLEEP=y
|
||||||
CONFIG_HW_CONSOLE=y
|
CONFIG_HW_CONSOLE=y
|
||||||
CONFIG_VT_HW_CONSOLE_BINDING=y
|
CONFIG_VT_HW_CONSOLE_BINDING=y
|
||||||
CONFIG_UNIX98_PTYS=y
|
CONFIG_UNIX98_PTYS=y
|
||||||
CONFIG_LEGACY_PTYS=y
|
# CONFIG_LEGACY_PTYS is not set
|
||||||
CONFIG_LEGACY_PTY_COUNT=0
|
CONFIG_LEGACY_PTY_COUNT=0
|
||||||
CONFIG_LEGACY_TIOCSTI=y
|
CONFIG_LEGACY_TIOCSTI=y
|
||||||
CONFIG_LDISC_AUTOLOAD=y
|
# CONFIG_LDISC_AUTOLOAD is not set
|
||||||
|
|
||||||
#
|
#
|
||||||
# Serial drivers
|
# Serial drivers
|
||||||
|
@ -4654,7 +4654,7 @@ CONFIG_IPWIRELESS=m
|
||||||
# end of PCMCIA character devices
|
# end of PCMCIA character devices
|
||||||
|
|
||||||
CONFIG_MWAVE=m
|
CONFIG_MWAVE=m
|
||||||
CONFIG_DEVMEM=y
|
# CONFIG_DEVMEM is not set
|
||||||
CONFIG_NVRAM=m
|
CONFIG_NVRAM=m
|
||||||
CONFIG_DEVPORT=y
|
CONFIG_DEVPORT=y
|
||||||
CONFIG_HPET=y
|
CONFIG_HPET=y
|
||||||
|
@ -9479,17 +9479,17 @@ CONFIG_IOMMU_IO_PGTABLE=y
|
||||||
# end of Generic IOMMU Pagetable Support
|
# end of Generic IOMMU Pagetable Support
|
||||||
|
|
||||||
# CONFIG_IOMMU_DEBUGFS is not set
|
# CONFIG_IOMMU_DEBUGFS is not set
|
||||||
# CONFIG_IOMMU_DEFAULT_DMA_STRICT is not set
|
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
|
||||||
CONFIG_IOMMU_DEFAULT_DMA_LAZY=y
|
CONFIG_IOMMU_DEFAULT_DMA_LAZY=y
|
||||||
# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
|
# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
|
||||||
CONFIG_IOMMU_DMA=y
|
CONFIG_IOMMU_DMA=y
|
||||||
CONFIG_IOMMU_SVA=y
|
CONFIG_IOMMU_SVA=y
|
||||||
CONFIG_AMD_IOMMU=y
|
CONFIG_AMD_IOMMU=y
|
||||||
CONFIG_AMD_IOMMU_V2=m
|
CONFIG_AMD_IOMMU_V2=y
|
||||||
CONFIG_DMAR_TABLE=y
|
CONFIG_DMAR_TABLE=y
|
||||||
CONFIG_INTEL_IOMMU=y
|
CONFIG_INTEL_IOMMU=y
|
||||||
CONFIG_INTEL_IOMMU_SVM=y
|
CONFIG_INTEL_IOMMU_SVM=y
|
||||||
# CONFIG_INTEL_IOMMU_DEFAULT_ON is not set
|
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
|
||||||
CONFIG_INTEL_IOMMU_FLOPPY_WA=y
|
CONFIG_INTEL_IOMMU_FLOPPY_WA=y
|
||||||
# CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON is not set
|
# CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON is not set
|
||||||
# CONFIG_IOMMUFD is not set
|
# CONFIG_IOMMUFD is not set
|
||||||
|
@ -10583,7 +10583,7 @@ CONFIG_NTFS3_FS_POSIX_ACL=y
|
||||||
# Pseudo filesystems
|
# Pseudo filesystems
|
||||||
#
|
#
|
||||||
CONFIG_PROC_FS=y
|
CONFIG_PROC_FS=y
|
||||||
CONFIG_PROC_KCORE=y
|
# CONFIG_PROC_KCORE is not set
|
||||||
CONFIG_PROC_VMCORE=y
|
CONFIG_PROC_VMCORE=y
|
||||||
CONFIG_PROC_VMCORE_DEVICE_DUMP=y
|
CONFIG_PROC_VMCORE_DEVICE_DUMP=y
|
||||||
CONFIG_PROC_SYSCTL=y
|
CONFIG_PROC_SYSCTL=y
|
||||||
|
@ -10872,9 +10872,9 @@ CONFIG_HARDENED_USERCOPY=y
|
||||||
CONFIG_FORTIFY_SOURCE=y
|
CONFIG_FORTIFY_SOURCE=y
|
||||||
CONFIG_STATIC_USERMODEHELPER=y
|
CONFIG_STATIC_USERMODEHELPER=y
|
||||||
CONFIG_SECURITY_SELINUX=y
|
CONFIG_SECURITY_SELINUX=y
|
||||||
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
|
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
|
||||||
# CONFIG_SECURITY_SELINUX_DISABLE is not set
|
# CONFIG_SECURITY_SELINUX_DISABLE is not set
|
||||||
CONFIG_SECURITY_SELINUX_DEVELOP=y
|
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
|
||||||
CONFIG_SECURITY_SELINUX_AVC_STATS=y
|
CONFIG_SECURITY_SELINUX_AVC_STATS=y
|
||||||
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
|
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
|
||||||
CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
|
CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
|
||||||
|
@ -10904,7 +10904,7 @@ CONFIG_SECURITY_LOCKDOWN_LSM=y
|
||||||
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
|
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
|
||||||
# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
|
# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
|
||||||
CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
|
CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
|
||||||
# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
|
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
|
||||||
CONFIG_SECURITY_LANDLOCK=y
|
CONFIG_SECURITY_LANDLOCK=y
|
||||||
CONFIG_INTEGRITY=y
|
CONFIG_INTEGRITY=y
|
||||||
CONFIG_INTEGRITY_SIGNATURE=y
|
CONFIG_INTEGRITY_SIGNATURE=y
|
||||||
|
@ -11495,18 +11495,19 @@ CONFIG_UBSAN_TRAP=y
|
||||||
CONFIG_CC_HAS_UBSAN_BOUNDS=y
|
CONFIG_CC_HAS_UBSAN_BOUNDS=y
|
||||||
CONFIG_UBSAN_BOUNDS=y
|
CONFIG_UBSAN_BOUNDS=y
|
||||||
CONFIG_UBSAN_ONLY_BOUNDS=y
|
CONFIG_UBSAN_ONLY_BOUNDS=y
|
||||||
CONFIG_UBSAN_SHIFT=y
|
# CONFIG_UBSAN_SHIFT is not set
|
||||||
# CONFIG_UBSAN_DIV_ZERO is not set
|
# CONFIG_UBSAN_DIV_ZERO is not set
|
||||||
CONFIG_UBSAN_BOOL=y
|
# CONFIG_UBSAN_BOOL is not set
|
||||||
CONFIG_UBSAN_ENUM=y
|
# CONFIG_UBSAN_ENUM is not set
|
||||||
# CONFIG_UBSAN_ALIGNMENT is not set
|
# CONFIG_UBSAN_ALIGNMENT is not set
|
||||||
CONFIG_UBSAN_SANITIZE_ALL=y
|
CONFIG_UBSAN_SANITIZE_ALL=y
|
||||||
# CONFIG_TEST_UBSAN is not set
|
CONFIG_TEST_UBSAN=y
|
||||||
CONFIG_HAVE_ARCH_KCSAN=y
|
CONFIG_HAVE_ARCH_KCSAN=y
|
||||||
CONFIG_HAVE_KCSAN_COMPILER=y
|
CONFIG_HAVE_KCSAN_COMPILER=y
|
||||||
# CONFIG_KCSAN is not set
|
# CONFIG_KCSAN is not set
|
||||||
# end of Generic Kernel Debugging Instruments
|
# end of Generic Kernel Debugging Instruments
|
||||||
|
CONFIG_CFI_CLANG=y
|
||||||
|
# CONFIG_CFI_PERMISSIVE is not set
|
||||||
#
|
#
|
||||||
# Networking Debugging
|
# Networking Debugging
|
||||||
#
|
#
|
||||||
|
@ -11752,7 +11753,7 @@ CONFIG_HAVE_SAMPLE_FTRACE_DIRECT=y
|
||||||
CONFIG_HAVE_SAMPLE_FTRACE_DIRECT_MULTI=y
|
CONFIG_HAVE_SAMPLE_FTRACE_DIRECT_MULTI=y
|
||||||
CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y
|
CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y
|
||||||
CONFIG_STRICT_DEVMEM=y
|
CONFIG_STRICT_DEVMEM=y
|
||||||
# CONFIG_IO_STRICT_DEVMEM is not set
|
CONFIG_IO_STRICT_DEVMEM=y
|
||||||
|
|
||||||
#
|
#
|
||||||
# x86 Debugging
|
# x86 Debugging
|
||||||
|
|
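Review bot: Several Kconfig choice groups now carry two selected members — CONFIG_X86_INTEL_TSX_MODE_OFF=y beside the unchanged CONFIG_X86_INTEL_TSX_MODE_AUTO=y, CONFIG_LEGACY_VSYSCALL_NONE=y beside CONFIG_LEGACY_VSYSCALL_XONLY=y, CONFIG_IOMMU_DEFAULT_DMA_STRICT=y beside CONFIG_IOMMU_DEFAULT_DMA_LAZY=y, and CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y beside CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y — so which member survives `make olddefconfig` is decided by the config tool, not by this commit; the other line of each pair should become `# CONFIG_... is not set`. The same regeneration will silently drop options whose dependency this commit turns off and are left untouched here: the remaining `=m` entries such as `CONFIG_X86_CPUID=m`, `CONFIG_MWAVE=m` and `CONFIG_INET_TCP_DIAG=m` once CONFIG_MODULES is off, CONFIG_COMPAT_32 and CONFIG_COMPAT_FOR_U64_ALIGNMENT once CONFIG_COMPAT is off, CONFIG_HIBERNATION_SNAPSHOT_DEV and CONFIG_LEGACY_PTY_COUNT likewise, which means the committed file does not describe the kernel that will be built; regenerating and committing the result would make the diff honest. CONFIG_TEST_UBSAN=y enables a self-test that deliberately triggers undefined behaviour, which together with the CONFIG_UBSAN_TRAP=y shown in that hunk's header would trap instead of log, and as far as I recall it is only selectable as a module, so it has no place in a hardening config either way. In the PTY hunk CONFIG_LEGACY_TIOCSTI=y is left enabled although it is exactly the kind of legacy interface the rest of this commit removes, and turning off CONFIG_UBSAN_SHIFT, CONFIG_UBSAN_BOOL and CONFIG_UBSAN_ENUM reads as the opposite of hardening without a stated reason; a commit body listing the intent per group would let a reviewer tell deliberate trade-offs from editing mistakes.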