2 # Linux/arm64 5.17.0 Kernel Configuration
4 # Report BUG() conditions and kill the offending process.
7 # Make sure kernel page tables have safe permissions.
8 CONFIG_STRICT_KERNEL_RWX=y
10 # Report any dangerous memory permissions (not available on all archs).
13 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
14 # Prior to v4.18, these are:
15 # CONFIG_CC_STACKPROTECTOR=y
16 # CONFIG_CC_STACKPROTECTOR_STRONG=y
17 CONFIG_STACKPROTECTOR=y
18 CONFIG_STACKPROTECTOR_STRONG=y
20 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
21 # CONFIG_DEVMEM is not set
22 CONFIG_STRICT_DEVMEM=y
23 CONFIG_IO_STRICT_DEVMEM=y
25 # Provides some protections against SYN flooding.
28 # Perform additional validation of various commonly targeted structures.
29 CONFIG_DEBUG_CREDENTIALS=y
30 CONFIG_DEBUG_NOTIFIERS=y
33 CONFIG_DEBUG_VIRTUAL=y
34 CONFIG_BUG_ON_DATA_CORRUPTION=y
35 CONFIG_SCHED_STACK_END_CHECK=y
37 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
39 CONFIG_SECCOMP_FILTER=y
41 # Make sure line disciplines can't be autoloaded (since v5.1).
42 # CONFIG_LDISC_AUTOLOAD is not set
44 # Provide userspace with ptrace ancestry protections.
45 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
47 CONFIG_SECURITY_YAMA=y
49 # Provide userspace with Landlock MAC interface.
50 # Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
51 CONFIG_SECURITY_LANDLOCK=y
53 # Make sure SELinux cannot be disabled trivially.
54 # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
55 # CONFIG_SECURITY_SELINUX_DEVELOP is not set
56 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
58 # Enable "lockdown" LSM for bright line between the root user and kernel memory.
59 CONFIG_SECURITY_LOCKDOWN_LSM=y
60 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
61 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
63 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
64 CONFIG_HARDENED_USERCOPY=y
65 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
66 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
68 # Randomize allocator freelists, harden metadata.
69 CONFIG_SLAB_FREELIST_RANDOM=y
70 CONFIG_SLAB_FREELIST_HARDENED=y
72 # Randomize high-order page allocation freelist.
73 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
75 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
78 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
79 # (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
80 CONFIG_PAGE_POISONING=y
81 CONFIG_PAGE_POISONING_NO_SANITY=y
82 CONFIG_PAGE_POISONING_ZERO=y
84 # Wipe slab and page allocations (since v5.3)
85 # Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
86 # The init_on_free is only needed if there is concern about minimizing stale data lifetime.
87 CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
88 CONFIG_INIT_ON_FREE_DEFAULT_ON=y
90 # Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
91 CONFIG_INIT_STACK_ALL_ZERO=y
93 # Adds guard pages to kernel stacks (not all architectures support this yet).
96 # Perform extensive checks on reference counting.
97 CONFIG_REFCOUNT_FULL=y
99 # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
100 CONFIG_FORTIFY_SOURCE=y
102 # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
103 CONFIG_SECURITY_DMESG_RESTRICT=y
105 # Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
108 CONFIG_UBSAN_BOUNDS=y
109 CONFIG_UBSAN_SANITIZE_ALL=y
110 # CONFIG_UBSAN_SHIFT is not set
111 # CONFIG_UBSAN_DIV_ZERO is not set
112 # CONFIG_UBSAN_UNREACHABLE is not set
113 # CONFIG_UBSAN_BOOL is not set
114 # CONFIG_UBSAN_ENUM is not set
115 # CONFIG_UBSAN_ALIGNMENT is not set
116 # This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
117 CONFIG_UBSAN_LOCAL_BOUNDS=y
119 # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
122 # Randomize kernel stack offset on syscall entry (since v5.13).
123 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
125 # Do not ignore compile-time warnings (since v5.15)
128 # Disable DMA between EFI hand-off and the kernel's IOMMU setup.
129 CONFIG_EFI_DISABLE_PCI_DMA=y
131 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
132 CONFIG_IOMMU_SUPPORT=y
133 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
135 # Enable feeding RNG entropy from TPM, if available.
136 CONFIG_HW_RANDOM_TPM=y
138 # Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even
139 # malicious sources should not cause problems.
140 CONFIG_RANDOM_TRUST_BOOTLOADER=y
141 CONFIG_RANDOM_TRUST_CPU=y
143 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
146 # Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
147 # minimizes stale data in registers). (Since v5.15)
148 CONFIG_ZERO_CALL_USED_REGS=y
150 # Wipe RAM at reboot via EFI.
151 # For more details, see:
152 # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
153 # https://bugzilla.redhat.com/show_bug.cgi?id=1532058
154 CONFIG_RESET_ATTACK_MITIGATION=y
156 # This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
157 CONFIG_STATIC_USERMODEHELPER=y
159 # Dangerous; enabling this allows direct physical memory writing.
160 # CONFIG_ACPI_CUSTOM_METHOD is not set
162 # Dangerous; enabling this disables brk ASLR.
163 # CONFIG_COMPAT_BRK is not set
165 # Dangerous; enabling this allows direct kernel memory writing.
166 # CONFIG_DEVKMEM is not set
168 # Dangerous; exposes kernel text image layout.
169 # CONFIG_PROC_KCORE is not set
171 # Dangerous; enabling this disables VDSO ASLR.
172 # CONFIG_COMPAT_VDSO is not set
174 # Dangerous; enabling this allows replacement of running kernel.
175 # CONFIG_KEXEC is not set
177 # Dangerous; enabling this allows replacement of running kernel.
178 # CONFIG_HIBERNATION is not set
180 # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
181 # CONFIG_INET_DIAG is not set
183 # Easily confused by misconfigured userspace, keep off.
184 # CONFIG_BINFMT_MISC is not set
186 # Use the modern PTY interface (devpts) only.
187 # CONFIG_LEGACY_PTYS is not set
189 # If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
190 # CONFIG_SECURITY_SELINUX_DISABLE is not set
192 # Reboot devices immediately if kernel experiences an Oops.
193 CONFIG_PANIC_ON_OOPS=y
194 CONFIG_PANIC_TIMEOUT=-1
196 # Keep root from altering kernel memory via loadable modules.
197 # CONFIG_MODULES is not set
199 # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key.
200 CONFIG_STRICT_MODULE_RWX=y
202 CONFIG_MODULE_SIG_FORCE=y
203 CONFIG_MODULE_SIG_ALL=y
204 CONFIG_MODULE_SIG_SHA512=y
205 CONFIG_MODULE_SIG_HASH="sha512"
206 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
213 # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
214 CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
216 # Force all structures to be initialized before they are passed to other functions.
217 # When building with GCC:
218 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
219 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
221 # Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
222 CONFIG_GCC_PLUGIN_STACKLEAK=y
223 # CONFIG_STACKLEAK_METRICS is not set
224 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
226 # Randomize the layout of system structures. This may have dramatic performance impact, so
227 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
228 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
229 # CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
235 # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
236 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
238 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
239 CONFIG_RANDOMIZE_BASE=y
241 # Make sure PAN emulation is enabled.
242 CONFIG_ARM64_SW_TTBR0_PAN=y
244 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
245 CONFIG_UNMAP_KERNEL_AT_EL0=y
247 # Software Shadow Stack or PAC
248 CONFIG_SHADOW_CALL_STACK=y
250 # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
251 # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
252 CONFIG_ARM64_PTR_AUTH=y
253 CONFIG_ARM64_PTR_AUTH_KERNEL=y
255 # Available in ARMv8.5 and later.
257 CONFIG_ARM64_BTI_KERNEL=y
259 CONFIG_KASAN_HW_TAGS=y
262 # Available in ARMv8.7 and later.
265 # Enable Control Flow Integrity
267 # CONFIG_CFI_PERMISSIVE is not set