X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fconfig_files%2Fkspp-recommendations%2Fkspp-kconfig-x86-32.config;h=4d1d1d38de43855b4c8823aab5d4bf97e980b750;hb=b0a5937d6c0102adc9b24e89899681059c3af3a4;hp=a88dde5264c5d1aa95f6b2a77472cf19262e5b91;hpb=b22708589a1f4138db2fbb192cd28b00d046cdaa;p=kconfig-hardened-check.git
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config
index a88dde5..4d1d1d3 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config
@@ -142,6 +142,7 @@ CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
 
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
@@ -151,6 +152,10 @@ CONFIG_HW_RANDOM_TPM=y
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 
+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
+CONFIG_RANDSTRUCT_FULL=y
+
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 
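Review bot: The added `# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set` rules out only one of the two alternatives to CONFIG_IOMMU_DEFAULT_DMA_STRICT; the IOMMU default-domain choice also offers CONFIG_IOMMU_DEFAULT_DMA_LAZY, which (if I recall drivers/iommu/Kconfig correctly) is the arch default on x86 and is exactly the mode in which a device can still hit stale TLB entries until the flush queue drains, the window the comment on the hunk's first context line warns about. For symmetry, and so a reader of this recommendation file sees that lazy mode is also rejected, add `# CONFIG_IOMMU_DEFAULT_DMA_LAZY is not set` directly under the new line. In a real .config both negative entries follow from DMA_STRICT=y being selected in the choice group, so this is documentation of intent rather than a behavioural change; please confirm the choice membership against the kernel tree this file targets.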
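Review bot: The new comment above `CONFIG_RANDSTRUCT_FULL=y` covers the performance trade-off but says nothing about the operational requirement that makes the mitigation effective: structure-layout randomization is driven by a per-build seed, and whoever obtains that seed (or a vmlinux or module built from it) can reconstruct the layout, so the seed must be freshly generated per build, kept out of shipped artifacts, and reused for every out-of-tree module compiled against that kernel. Suggested extra comment line: `# RANDSTRUCT relies on a secret per-build seed: keep it private and build all modules with the same seed.` RANDSTRUCT_FULL and RANDSTRUCT_PERFORMANCE are alternatives within one Kconfig choice, and this commit drops the old `# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set` entry in the later hunk without adding a replacement, so consider also listing `# CONFIG_RANDSTRUCT_NONE is not set` and `# CONFIG_RANDSTRUCT_PERFORMANCE is not set` here to make the expected selection explicit. The "If using GCC" qualifier is correct as far as I know (the cache-line-limited variant presumably depends on GCC_PLUGINS), but "you can check if ... is better" would read more clearly as "consider CONFIG_RANDSTRUCT_PERFORMANCE=y instead, which trades some randomization for less cache-line splitting".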
@@ -242,14 +247,10 @@ CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 
-# Randomize the layout of system structures. This may have dramatic performance impact, so
-# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
-
 # x86_32
 CONFIG_X86_32=y
+CONFIG_CC_IS_GCC=y
 
 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set