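# Help: Basic kernel hardening options
#
# These are considered the basic kernel hardening, self-protection, and
# attack surface reduction options. They are expected to have low (or
# no) performance impact on most workloads, and have a reasonable level
# of legacy API removals.
#
# This is a Kconfig fragment, not a complete .config: it is merged on top
# of an existing configuration (scripts/kconfig/merge_config.sh, or the
# matching "make <name>.config" target). Two things to verify afterwards,
# because a fragment only states intent:
#   - Kconfig drops any requested option whose dependencies are unmet
#     (unsupported architecture, or a toolchain without stack-protector /
#     CFI / auto-var-init support), so diff the final .config against
#     this file rather than assuming every line took effect.
#   - Lines of the form "# CONFIG_FOO is not set" are not comments to
#     Kconfig: they explicitly set FOO=n, and are the mechanism used
#     below to turn off dangerous or legacy options.

# Make sure reporting of various hardening actions is possible.
CONFIG_BUG=y

# Basic kernel memory permission enforcement.
# VMAP_STACK places kernel stacks in vmalloc space with guard pages, so a
# stack overflow faults instead of silently corrupting adjacent memory.
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_VMAP_STACK=y

# Kernel image and memory ASLR.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y

# Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_SLAB_BUCKETS=y
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
CONFIG_RANDOM_KMALLOC_CACHES=y

# Sanity check userspace page table mappings.
CONFIG_PAGE_TABLE_CHECK=y
CONFIG_PAGE_TABLE_CHECK_ENFORCED=y

# Randomize kernel stack offset on syscall entry.
# "_DEFAULT" only sets the boot-time default; the randomize_kstack_offset=
# kernel command-line parameter can still turn this off, so check the
# command line as well as the config when auditing a running system.
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y

# Basic stack frame overflow protection (requires compiler support; see
# the note on unmet dependencies above).
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y

# Basic buffer length bounds checking.
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y

# Basic array index bounds checking.
# Only the bounds sanitizer is enabled. UBSAN_TRAP makes a detected
# violation trap (the offending context is killed) instead of printing a
# warning and continuing, so a true positive is loud rather than silent.
# The remaining UBSAN checkers are explicitly left off.
CONFIG_UBSAN=y
CONFIG_UBSAN_TRAP=y
CONFIG_UBSAN_BOUNDS=y
# CONFIG_UBSAN_SHIFT is not set
# CONFIG_UBSAN_DIV_ZERO is not set
# CONFIG_UBSAN_UNREACHABLE is not set
# CONFIG_UBSAN_SIGNED_WRAP is not set
# CONFIG_UBSAN_BOOL is not set
# CONFIG_UBSAN_ENUM is not set
# CONFIG_UBSAN_ALIGNMENT is not set

# Sampling-based heap out-of-bounds and use-after-free detection.
# Being sampling-based, this is low-overhead but probabilistic: it
# catches some corruptions over time, not every one.
CONFIG_KFENCE=y

# Linked list integrity checking.
CONFIG_LIST_HARDENED=y

# Initialize all heap variables to zero on allocation.
# "_DEFAULT_ON" is a boot-time default; init_on_alloc=0 on the kernel
# command line overrides it.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y

# Initialize all stack variables to zero on function entry
# (requires compiler support for zero auto-variable initialization).
CONFIG_INIT_STACK_ALL_ZERO=y

# Ask the firmware to wipe RAM at reboot via EFI (the
# MemoryOverwriteRequestControl variable). The wipe itself is performed by
# firmware, so this only helps on platforms whose firmware honours the
# request. For more details, see:
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y

# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
CONFIG_EFI_DISABLE_PCI_DMA=y

# Force IOMMU TLB invalidation so devices will never be able to access stale
# data content. "_DEFAULT_" is again only the default; iommu.strict= on the
# kernel command line can change it at boot.
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y

# Do not allow direct physical memory access to non-device memory.
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y

# Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y

# Provides some protections against SYN flooding.
CONFIG_SYN_COOKIES=y

# Enable Kernel Control Flow Integrity (currently Clang only).
# CFI_PERMISSIVE is kept off so that a CFI violation is fatal rather than
# just a warning.
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

# Attack surface reduction: do not autoload TTY line disciplines.
# CONFIG_LDISC_AUTOLOAD is not set

# Dangerous; enabling this disables userspace brk ASLR.
# CONFIG_COMPAT_BRK is not set

# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set

# Dangerous; enabling this disables userspace VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set

# Attack surface reduction: Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set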