CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_VIRTUAL=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
+# Make sure line disciplines can't be autoloaded (since v5.1).
+# CONFIG_LDISC_AUTOLOAD is not set
+
# Provide userspace with ptrace ancestry protections.
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y
CONFIG_SECURITY_LANDLOCK=y
# Make sure SELinux cannot be disabled trivially.
-# SECURITY_SELINUX_BOOTPARAM is not set
-# SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+# CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
# Enable "lockdown" LSM for bright line between the root user and kernel memory.
CONFIG_ZERO_CALL_USED_REGS=y
# Wipe RAM at reboot via EFI.
+# For more details, see:
+# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
+# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y
+# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
+CONFIG_STATIC_USERMODEHELPER=y
+
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set
-
-
projects / kconfig-hardened-check.git / blobdiff