feat: hardend

Euiseo Cha 2023-03-25 15:08:14 +09:00
parent e98162dfb2
commit adf818b9b3
No known key found for this signature in database
GPG key ID: 220CC17AA79A0AEA


@ -439,7 +439,7 @@ CONFIG_MICROCODE=y
CONFIG_MICROCODE_INTEL=y CONFIG_MICROCODE_INTEL=y
CONFIG_MICROCODE_AMD=y CONFIG_MICROCODE_AMD=y
# CONFIG_MICROCODE_LATE_LOADING is not set # CONFIG_MICROCODE_LATE_LOADING is not set
CONFIG_X86_MSR=m # CONFIG_X86_MSR is not set
CONFIG_X86_CPUID=m CONFIG_X86_CPUID=m
CONFIG_X86_5LEVEL=y CONFIG_X86_5LEVEL=y
CONFIG_X86_DIRECT_GBPAGES=y CONFIG_X86_DIRECT_GBPAGES=y
@ -471,7 +471,7 @@ CONFIG_X86_UMIP=y
CONFIG_CC_HAS_IBT=y CONFIG_CC_HAS_IBT=y
CONFIG_X86_KERNEL_IBT=y CONFIG_X86_KERNEL_IBT=y
CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
# CONFIG_X86_INTEL_TSX_MODE_OFF is not set CONFIG_X86_INTEL_TSX_MODE_OFF=y
# CONFIG_X86_INTEL_TSX_MODE_ON is not set # CONFIG_X86_INTEL_TSX_MODE_ON is not set
CONFIG_X86_INTEL_TSX_MODE_AUTO=y CONFIG_X86_INTEL_TSX_MODE_AUTO=y
CONFIG_X86_SGX=y CONFIG_X86_SGX=y
@ -487,7 +487,7 @@ CONFIG_HZ_250=y
# CONFIG_HZ_1000 is not set # CONFIG_HZ_1000 is not set
CONFIG_HZ=250 CONFIG_HZ=250
CONFIG_SCHED_HRTICK=y CONFIG_SCHED_HRTICK=y
CONFIG_KEXEC=y # CONFIG_KEXEC is not set
CONFIG_KEXEC_FILE=y CONFIG_KEXEC_FILE=y
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
CONFIG_KEXEC_SIG=y CONFIG_KEXEC_SIG=y
@ -508,9 +508,9 @@ CONFIG_HOTPLUG_CPU=y
# CONFIG_DEBUG_HOTPLUG_CPU0 is not set # CONFIG_DEBUG_HOTPLUG_CPU0 is not set
# CONFIG_COMPAT_VDSO is not set # CONFIG_COMPAT_VDSO is not set
CONFIG_LEGACY_VSYSCALL_XONLY=y CONFIG_LEGACY_VSYSCALL_XONLY=y
# CONFIG_LEGACY_VSYSCALL_NONE is not set CONFIG_LEGACY_VSYSCALL_NONE=y
# CONFIG_CMDLINE_BOOL is not set # CONFIG_CMDLINE_BOOL is not set
CONFIG_MODIFY_LDT_SYSCALL=y # CONFIG_MODIFY_LDT_SYSCALL is not set
# CONFIG_STRICT_SIGALTSTACK_SIZE is not set # CONFIG_STRICT_SIGALTSTACK_SIZE is not set
CONFIG_HAVE_LIVEPATCH=y CONFIG_HAVE_LIVEPATCH=y
CONFIG_LIVEPATCH=y CONFIG_LIVEPATCH=y
@ -546,7 +546,7 @@ CONFIG_SUSPEND=y
CONFIG_SUSPEND_FREEZER=y CONFIG_SUSPEND_FREEZER=y
# CONFIG_SUSPEND_SKIP_SYNC is not set # CONFIG_SUSPEND_SKIP_SYNC is not set
CONFIG_HIBERNATE_CALLBACKS=y CONFIG_HIBERNATE_CALLBACKS=y
CONFIG_HIBERNATION=y # CONFIG_HIBERNATION is not set
CONFIG_HIBERNATION_SNAPSHOT_DEV=y CONFIG_HIBERNATION_SNAPSHOT_DEV=y
CONFIG_PM_STD_PARTITION="" CONFIG_PM_STD_PARTITION=""
CONFIG_PM_SLEEP=y CONFIG_PM_SLEEP=y
@ -715,10 +715,10 @@ CONFIG_AMD_NB=y
# #
# Binary Emulations # Binary Emulations
# #
CONFIG_IA32_EMULATION=y # CONFIG_IA32_EMULATION is not set
# CONFIG_X86_X32_ABI is not set # CONFIG_X86_X32_ABI is not set
CONFIG_COMPAT_32=y CONFIG_COMPAT_32=y
CONFIG_COMPAT=y # CONFIG_COMPAT is not set
CONFIG_COMPAT_FOR_U64_ALIGNMENT=y CONFIG_COMPAT_FOR_U64_ALIGNMENT=y
# end of Binary Emulations # end of Binary Emulations
@ -914,7 +914,7 @@ CONFIG_FUNCTION_ALIGNMENT=16
CONFIG_RT_MUTEXES=y CONFIG_RT_MUTEXES=y
CONFIG_BASE_SMALL=0 CONFIG_BASE_SMALL=0
CONFIG_MODULE_SIG_FORMAT=y CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULES=y # CONFIG_MODULES is not set
# CONFIG_MODULE_FORCE_LOAD is not set # CONFIG_MODULE_FORCE_LOAD is not set
CONFIG_MODULE_UNLOAD=y CONFIG_MODULE_UNLOAD=y
# CONFIG_MODULE_FORCE_UNLOAD is not set # CONFIG_MODULE_FORCE_UNLOAD is not set
@ -1033,7 +1033,7 @@ CONFIG_COMPAT_BINFMT_ELF=y
CONFIG_ELFCORE=y CONFIG_ELFCORE=y
CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y
CONFIG_BINFMT_SCRIPT=y CONFIG_BINFMT_SCRIPT=y
CONFIG_BINFMT_MISC=m # CONFIG_BINFMT_MISC is not set
CONFIG_COREDUMP=y CONFIG_COREDUMP=y
# end of Executable file formats # end of Executable file formats
@ -1067,7 +1067,7 @@ CONFIG_ZSMALLOC=y
CONFIG_SLUB=y CONFIG_SLUB=y
# CONFIG_SLOB_DEPRECATED is not set # CONFIG_SLOB_DEPRECATED is not set
# CONFIG_SLUB_TINY is not set # CONFIG_SLUB_TINY is not set
CONFIG_SLAB_MERGE_DEFAULT=y # CONFIG_SLAB_MERGE_DEFAULT is not set
CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_SLAB_FREELIST_HARDENED=y
# CONFIG_SLUB_STATS is not set # CONFIG_SLUB_STATS is not set
@ -1232,7 +1232,7 @@ CONFIG_INET_IPCOMP=m
CONFIG_INET_TABLE_PERTURB_ORDER=16 CONFIG_INET_TABLE_PERTURB_ORDER=16
CONFIG_INET_XFRM_TUNNEL=m CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=m CONFIG_INET_TUNNEL=m
CONFIG_INET_DIAG=m # CONFIG_INET_DIAG is not set
CONFIG_INET_TCP_DIAG=m CONFIG_INET_TCP_DIAG=m
CONFIG_INET_UDP_DIAG=m CONFIG_INET_UDP_DIAG=m
CONFIG_INET_RAW_DIAG=m CONFIG_INET_RAW_DIAG=m
@ -4534,10 +4534,10 @@ CONFIG_VT_CONSOLE_SLEEP=y
CONFIG_HW_CONSOLE=y CONFIG_HW_CONSOLE=y
CONFIG_VT_HW_CONSOLE_BINDING=y CONFIG_VT_HW_CONSOLE_BINDING=y
CONFIG_UNIX98_PTYS=y CONFIG_UNIX98_PTYS=y
CONFIG_LEGACY_PTYS=y # CONFIG_LEGACY_PTYS is not set
CONFIG_LEGACY_PTY_COUNT=0 CONFIG_LEGACY_PTY_COUNT=0
CONFIG_LEGACY_TIOCSTI=y CONFIG_LEGACY_TIOCSTI=y
CONFIG_LDISC_AUTOLOAD=y # CONFIG_LDISC_AUTOLOAD is not set
# #
# Serial drivers # Serial drivers
@ -4654,7 +4654,7 @@ CONFIG_IPWIRELESS=m
# end of PCMCIA character devices # end of PCMCIA character devices
CONFIG_MWAVE=m CONFIG_MWAVE=m
CONFIG_DEVMEM=y # CONFIG_DEVMEM is not set
CONFIG_NVRAM=m CONFIG_NVRAM=m
CONFIG_DEVPORT=y CONFIG_DEVPORT=y
CONFIG_HPET=y CONFIG_HPET=y
@ -9479,17 +9479,17 @@ CONFIG_IOMMU_IO_PGTABLE=y
# end of Generic IOMMU Pagetable Support # end of Generic IOMMU Pagetable Support
# CONFIG_IOMMU_DEBUGFS is not set # CONFIG_IOMMU_DEBUGFS is not set
# CONFIG_IOMMU_DEFAULT_DMA_STRICT is not set CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
CONFIG_IOMMU_DEFAULT_DMA_LAZY=y CONFIG_IOMMU_DEFAULT_DMA_LAZY=y
# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set # CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
CONFIG_IOMMU_DMA=y CONFIG_IOMMU_DMA=y
CONFIG_IOMMU_SVA=y CONFIG_IOMMU_SVA=y
CONFIG_AMD_IOMMU=y CONFIG_AMD_IOMMU=y
CONFIG_AMD_IOMMU_V2=m CONFIG_AMD_IOMMU_V2=y
CONFIG_DMAR_TABLE=y CONFIG_DMAR_TABLE=y
CONFIG_INTEL_IOMMU=y CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_SVM=y CONFIG_INTEL_IOMMU_SVM=y
# CONFIG_INTEL_IOMMU_DEFAULT_ON is not set CONFIG_INTEL_IOMMU_DEFAULT_ON=y
CONFIG_INTEL_IOMMU_FLOPPY_WA=y CONFIG_INTEL_IOMMU_FLOPPY_WA=y
# CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON is not set # CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON is not set
# CONFIG_IOMMUFD is not set # CONFIG_IOMMUFD is not set
@ -10583,7 +10583,7 @@ CONFIG_NTFS3_FS_POSIX_ACL=y
# Pseudo filesystems # Pseudo filesystems
# #
CONFIG_PROC_FS=y CONFIG_PROC_FS=y
CONFIG_PROC_KCORE=y # CONFIG_PROC_KCORE is not set
CONFIG_PROC_VMCORE=y CONFIG_PROC_VMCORE=y
CONFIG_PROC_VMCORE_DEVICE_DUMP=y CONFIG_PROC_VMCORE_DEVICE_DUMP=y
CONFIG_PROC_SYSCTL=y CONFIG_PROC_SYSCTL=y
@ -10872,9 +10872,9 @@ CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y CONFIG_FORTIFY_SOURCE=y
CONFIG_STATIC_USERMODEHELPER=y CONFIG_STATIC_USERMODEHELPER=y
CONFIG_SECURITY_SELINUX=y CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DISABLE is not set # CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y # CONFIG_SECURITY_SELINUX_DEVELOP is not set
CONFIG_SECURITY_SELINUX_AVC_STATS=y CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9 CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
@ -10904,7 +10904,7 @@ CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
CONFIG_SECURITY_LANDLOCK=y CONFIG_SECURITY_LANDLOCK=y
CONFIG_INTEGRITY=y CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_SIGNATURE=y CONFIG_INTEGRITY_SIGNATURE=y
@ -11495,18 +11495,19 @@ CONFIG_UBSAN_TRAP=y
CONFIG_CC_HAS_UBSAN_BOUNDS=y CONFIG_CC_HAS_UBSAN_BOUNDS=y
CONFIG_UBSAN_BOUNDS=y CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_ONLY_BOUNDS=y CONFIG_UBSAN_ONLY_BOUNDS=y
CONFIG_UBSAN_SHIFT=y # CONFIG_UBSAN_SHIFT is not set
# CONFIG_UBSAN_DIV_ZERO is not set # CONFIG_UBSAN_DIV_ZERO is not set
CONFIG_UBSAN_BOOL=y # CONFIG_UBSAN_BOOL is not set
CONFIG_UBSAN_ENUM=y # CONFIG_UBSAN_ENUM is not set
# CONFIG_UBSAN_ALIGNMENT is not set # CONFIG_UBSAN_ALIGNMENT is not set
CONFIG_UBSAN_SANITIZE_ALL=y CONFIG_UBSAN_SANITIZE_ALL=y
# CONFIG_TEST_UBSAN is not set CONFIG_TEST_UBSAN=y
CONFIG_HAVE_ARCH_KCSAN=y CONFIG_HAVE_ARCH_KCSAN=y
CONFIG_HAVE_KCSAN_COMPILER=y CONFIG_HAVE_KCSAN_COMPILER=y
# CONFIG_KCSAN is not set # CONFIG_KCSAN is not set
# end of Generic Kernel Debugging Instruments # end of Generic Kernel Debugging Instruments
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set
# #
# Networking Debugging # Networking Debugging
# #
@ -11752,7 +11753,7 @@ CONFIG_HAVE_SAMPLE_FTRACE_DIRECT=y
CONFIG_HAVE_SAMPLE_FTRACE_DIRECT_MULTI=y CONFIG_HAVE_SAMPLE_FTRACE_DIRECT_MULTI=y
CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y
CONFIG_STRICT_DEVMEM=y CONFIG_STRICT_DEVMEM=y
# CONFIG_IO_STRICT_DEVMEM is not set CONFIG_IO_STRICT_DEVMEM=y
# #
# x86 Debugging # x86 Debugging
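Review bot: Four choice groups end up with two members set to `y` on the new side, so the hardened value is not guaranteed to be the one Kconfig keeps: `CONFIG_X86_INTEL_TSX_MODE_OFF` next to `CONFIG_X86_INTEL_TSX_MODE_AUTO`, `CONFIG_LEGACY_VSYSCALL_NONE` next to `CONFIG_LEGACY_VSYSCALL_XONLY`, `CONFIG_IOMMU_DEFAULT_DMA_STRICT` next to `CONFIG_IOMMU_DEFAULT_DMA_LAZY`, and `CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY` next to `CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY`. Each group should switch the old member off explicitly, e.g. `# CONFIG_X86_INTEL_TSX_MODE_AUTO is not set`, and likewise for the other three. Dependent symbols were also left as they were: `CONFIG_KEXEC_FILE=y` still provides a kexec path after `CONFIG_KEXEC` is unset, `CONFIG_TEST_UBSAN=y` puts the UBSAN self-test into a hardened build, and the remaining `=m` entries will presumably be turned into built-ins or dropped once `CONFIG_MODULES` is unset. Regenerating the file with `make olddefconfig` and committing that output would make the diff show the values the kernel is actually built with.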