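# Help: Basic kernel hardening options
#
# These are considered the basic kernel hardening, self-protection, and
# attack surface reduction options. They are expected to have low (or
# no) performance impact on most workloads, and have a reasonable level
# of legacy API removals.
#
# Several symbols below are architecture- or firmware-specific (for example
# CONFIG_RANDOMIZE_MEMORY is x86_64-only and the EFI options need CONFIG_EFI).
# Kconfig silently drops a symbol whose dependencies are not met, so check the
# generated .config rather than assuming every line here took effect.

# Make sure reporting of various hardening actions is possible: most of the
# checks below report through BUG()/WARN().
CONFIG_BUG=y

# Basic kernel memory permission enforcement (W^X for kernel text/rodata and
# module memory). VMAP_STACK adds guard pages around kernel stacks so an
# overflow faults immediately instead of corrupting adjacent memory.
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_VMAP_STACK=y

# Kernel image and memory ASLR.
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y

# Randomize allocator freelists, harden metadata.
# SHUFFLE_PAGE_ALLOCATOR only builds the capability; page-freelist shuffling is
# enabled automatically on systems with a direct-mapped memory-side cache, and
# otherwise via the page_alloc.shuffle=1 boot parameter.
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_SLAB_BUCKETS=y
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
CONFIG_RANDOM_KMALLOC_CACHES=y

# Sanity check userspace page table mappings. ENFORCED turns the check on
# unconditionally instead of requiring the page_table_check=on boot parameter.
CONFIG_PAGE_TABLE_CHECK=y
CONFIG_PAGE_TABLE_CHECK_ENFORCED=y

# Randomize kernel stack offset on syscall entry (default on; can still be
# toggled at boot with randomize_kstack_offset=on/off).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y

# Basic stack frame overflow protection.
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y

# Basic buffer length bounds checking.
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y

# Basic array index bounds checking.
# UBSAN_TRAP makes a detected violation trap (kernel panic) instead of printing
# a warning. That is the intended fail-closed behavior, but it means a bounds
# bug on a production host is a crash rather than a log line; plan crash
# collection accordingly.
CONFIG_UBSAN=y
CONFIG_UBSAN_TRAP=y
CONFIG_UBSAN_BOUNDS=y
# The remaining UBSAN checkers are deliberately left off in this "basic" set;
# they add overhead and some (e.g. INTEGER_WRAP) are still marked experimental
# upstream.
# CONFIG_UBSAN_SHIFT is not set
# CONFIG_UBSAN_DIV_ZERO is not set
# CONFIG_UBSAN_UNREACHABLE is not set
# CONFIG_UBSAN_INTEGER_WRAP is not set
# CONFIG_UBSAN_BOOL is not set
# CONFIG_UBSAN_ENUM is not set
# CONFIG_UBSAN_ALIGNMENT is not set

# Sampling-based heap out-of-bounds and use-after-free detection. KFENCE is a
# low-overhead production canary that catches only a fraction of bugs; it is
# not a substitute for KASAN in test builds.
CONFIG_KFENCE=y

# Linked list integrity checking.
CONFIG_LIST_HARDENED=y

# Initialize all heap variables to zero on allocation.
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y

# Initialize all heap variables to zero on free to reduce stale data lifetime.
# This is the option most likely to exceed the "low performance impact" claim
# above: it costs more than init_on_alloc on free-heavy workloads and upstream
# leaves it off by default. Benchmark before shipping; drop it (keeping
# init_on_alloc) if the regression is unacceptable.
CONFIG_INIT_ON_FREE_DEFAULT_ON=y

# Initialize all stack variables to zero on function entry.
CONFIG_INIT_STACK_ALL_ZERO=y

# Wipe kernel stack after syscall completion to reduce stale data lifetime.
# Older kernels spell this CONFIG_GCC_PLUGIN_STACKLEAK.
CONFIG_KSTACK_ERASE=y

# Wipe RAM at reboot via EFI. For more details, see:
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
# The kernel only sets the TCG MemoryOverwriteRequest variable; the firmware
# performs the actual wipe, so this is only as good as the platform's
# implementation, and it lengthens reboot time.
CONFIG_RESET_ATTACK_MITIGATION=y

# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
CONFIG_EFI_DISABLE_PCI_DMA=y

# Force IOMMU TLB invalidation so devices will never be able to access stale
# data content. Strict mode trades DMA throughput for safety versus the lazy
# default; the iommu.strict= boot parameter overrides this at runtime.
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y

# Do not allow direct physical memory access to non-device memory.
# IO_STRICT_DEVMEM additionally blocks /dev/mem access to MMIO ranges claimed
# by a driver, which may break legacy userspace that pokes hardware directly.
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y

# Provide userspace with seccomp BPF API for syscall attack surface reduction.
# This only exposes the mechanism; the actual filters come from userspace
# (init system, container runtime, sandboxed applications).
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y

# Provides some protections against SYN flooding. Runtime use is still gated
# by the net.ipv4.tcp_syncookies sysctl.
CONFIG_SYN_COOKIES=y

# Enable Kernel Control Flow Integrity (currently Clang only).
# Leaving CFI_PERMISSIVE unset makes a CFI failure panic instead of warn, i.e.
# the check is enforcing rather than merely reporting.
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set

# Attack surface reduction: do not autoload TTY line disciplines.
# The dev.tty.ldisc_autoload sysctl controls this at runtime.
# CONFIG_LDISC_AUTOLOAD is not set

# Dangerous; enabling this disables userspace brk ASLR.
# CONFIG_COMPAT_BRK is not set

# Dangerous; exposes kernel text image layout via /proc/kcore (root-only, but
# it undoes KASLR for anyone who reaches root).
# CONFIG_PROC_KCORE is not set

# Dangerous; enabling this disables userspace VDSO ASLR.
# CONFIG_COMPAT_VDSO is not set

# Attack surface reduction: Use the modern PTY interface (devpts) only.
# CONFIG_LEGACY_PTYS is not set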