X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fconfig_files%2Fkspp-recommendations%2Fkspp-kconfig-arm.config;h=3a1f67b307be8fc09f36391637de42ad90f2c04b;hb=b0a5937d6c0102adc9b24e89899681059c3af3a4;hp=e0818e342a9dd62bc995cb74cdf844cb7c954a2e;hpb=b22708589a1f4138db2fbb192cd28b00d046cdaa;p=kconfig-hardened-check.git diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config index e0818e3..3a1f67b 100644 --- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config +++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config @@ -142,6 +142,7 @@ CONFIG_EFI_DISABLE_PCI_DMA=y # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot) CONFIG_IOMMU_SUPPORT=y CONFIG_IOMMU_DEFAULT_DMA_STRICT=y +# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set # Enable feeding RNG entropy from TPM, if available. CONFIG_HW_RANDOM_TPM=y @@ -151,6 +152,10 @@ CONFIG_HW_RANDOM_TPM=y CONFIG_RANDOM_TRUST_BOOTLOADER=y CONFIG_RANDOM_TRUST_CPU=y +# Randomize the layout of system structures. This may have dramatic performance impact, so +# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better. +CONFIG_RANDSTRUCT_FULL=y + # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE). CONFIG_SCHED_CORE=y @@ -242,14 +247,10 @@ CONFIG_GCC_PLUGIN_STACKLEAK=y # CONFIG_STACKLEAK_METRICS is not set # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set -# Randomize the layout of system structures. This may have dramatic performance impact, so -# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y -CONFIG_GCC_PLUGIN_RANDSTRUCT=y -# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set - # arm CONFIG_ARM=y +CONFIG_CC_IS_GCC=y # Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader). CONFIG_DEFAULT_MMAP_MIN_ADDR=32768