# Help: Basic kernel hardening options
#
# These are considered the basic kernel hardening, self-protection, and
# attack surface reduction options. They are expected to have low (or
# no) performance impact on most workloads, and to involve only a
# reasonable level of legacy API removal.

# Make sure the hardening actions below are able to report what they catch.
CONFIG_BUG=y

# Basic kernel memory permission enforcement.
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_VMAP_STACK=y

# Kernel image and memory ASLR.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y

# Randomize allocator freelists and harden allocator metadata.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_SLAB_BUCKETS=y
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
CONFIG_RANDOM_KMALLOC_CACHES=y

# Sanity check userspace page table mappings.
CONFIG_PAGE_TABLE_CHECK=y
CONFIG_PAGE_TABLE_CHECK_ENFORCED=y

# Randomize the kernel stack offset on syscall entry.
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y

# Basic stack frame overflow protection.
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y

# Basic buffer length bounds checking.
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y

# Basic array index bounds checking; UBSAN_TRAP makes a detected violation
# fatal instead of merely reported.
CONFIG_UBSAN=y
CONFIG_UBSAN_TRAP=y
CONFIG_UBSAN_BOUNDS=y
# CONFIG_UBSAN_SHIFT is not set
# CONFIG_UBSAN_DIV_ZERO is not set
# CONFIG_UBSAN_UNREACHABLE is not set
# CONFIG_UBSAN_INTEGER_WRAP is not set
# CONFIG_UBSAN_BOOL is not set
# CONFIG_UBSAN_ENUM is not set
# CONFIG_UBSAN_ALIGNMENT is not set

# Sampling-based heap out-of-bounds and use-after-free detection.
CONFIG_KFENCE=y

# Linked list integrity checking.
CONFIG_LIST_HARDENED=y

# Zero-initialize all heap memory on allocation.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y

# Zero all heap memory on free to reduce stale data lifetime.
CONFIG_INIT_ON_FREE_DEFAULT_ON=y

# Zero-initialize all stack variables on function entry.
CONFIG_INIT_STACK_ALL_ZERO=y

# Wipe the kernel stack after syscall completion to reduce stale data lifetime.
CONFIG_KSTACK_ERASE=y

# Wipe RAM at reboot via EFI. For more details, see:
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y

# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
CONFIG_EFI_DISABLE_PCI_DMA=y

# Force strict IOMMU TLB invalidation so devices can never access data
# through stale mappings.
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y

# Do not allow direct physical memory access to non-device memory.
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y

# Provide userspace with the seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y

# Provide some protection against SYN flooding.
CONFIG_SYN_COOKIES=y

# Enable Kernel Control Flow Integrity (currently Clang only); keep
# violations fatal rather than permissive.
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

# Attack surface reduction: do not autoload TTY line disciplines.
# CONFIG_LDISC_AUTOLOAD is not set

# Dangerous; enabling this disables userspace brk ASLR.
# CONFIG_COMPAT_BRK is not set

# Dangerous; exposes the kernel text image layout.
# CONFIG_PROC_KCORE is not set

# Dangerous; enabling this disables userspace VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set

# Attack surface reduction: use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set
