# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
# Enable feeding RNG entropy from TPM, if available.
CONFIG_HW_RANDOM_TPM=y
CONFIG_RANDOM_TRUST_BOOTLOADER=y
CONFIG_RANDOM_TRUST_CPU=y
+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
+CONFIG_RANDSTRUCT_FULL=y
+
# Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y
# CONFIG_STACKLEAK_METRICS is not set
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
-# Randomize the layout of system structures. This may have dramatic performance impact, so
-# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
-
# arm
CONFIG_ARM=y
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
# Enable feeding RNG entropy from TPM, if available.
CONFIG_HW_RANDOM_TPM=y
CONFIG_RANDOM_TRUST_BOOTLOADER=y
CONFIG_RANDOM_TRUST_CPU=y
+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
+CONFIG_RANDSTRUCT_FULL=y
+
# Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y
# CONFIG_STACKLEAK_METRICS is not set
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
-# Randomize the layout of system structures. This may have dramatic performance impact, so
-# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
-
# arm64
CONFIG_ARM64=y
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
# Enable feeding RNG entropy from TPM, if available.
CONFIG_HW_RANDOM_TPM=y
CONFIG_RANDOM_TRUST_BOOTLOADER=y
CONFIG_RANDOM_TRUST_CPU=y
+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
+CONFIG_RANDSTRUCT_FULL=y
+
# Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y
# CONFIG_STACKLEAK_METRICS is not set
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
-# Randomize the layout of system structures. This may have dramatic performance impact, so
-# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
-
# arm64
CONFIG_ARM64=y
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
# Enable feeding RNG entropy from TPM, if available.
CONFIG_HW_RANDOM_TPM=y
CONFIG_RANDOM_TRUST_BOOTLOADER=y
CONFIG_RANDOM_TRUST_CPU=y
+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
+CONFIG_RANDSTRUCT_FULL=y
+
# Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y
# CONFIG_STACKLEAK_METRICS is not set
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
-# Randomize the layout of system structures. This may have dramatic performance impact, so
-# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
-
# x86_32
CONFIG_X86_32=y
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
# Enable feeding RNG entropy from TPM, if available.
CONFIG_HW_RANDOM_TPM=y
CONFIG_RANDOM_TRUST_BOOTLOADER=y
CONFIG_RANDOM_TRUST_CPU=y
+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
+CONFIG_RANDSTRUCT_FULL=y
+
# Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y
# CONFIG_STACKLEAK_METRICS is not set
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
-# Randomize the layout of system structures. This may have dramatic performance impact, so
-# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
-
# x86_64
# Full 64-bit means PAE and NX bit.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
-CONFIG_PAGE_TABLE_ISOLATION=y
+CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y
# Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18)
CONFIG_X86_KERNEL_IBT=y
CONFIG_AMD_IOMMU_V2=y
# Straight-Line-Speculation
-CONFIG_SLS=y
+CONFIG_MITIGATION_SLS=y
# Enable Control Flow Integrity (since v6.1).
CONFIG_CFI_CLANG=y
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
# Enable feeding RNG entropy from TPM, if available.
CONFIG_HW_RANDOM_TPM=y
CONFIG_RANDOM_TRUST_BOOTLOADER=y
CONFIG_RANDOM_TRUST_CPU=y
+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
+CONFIG_RANDSTRUCT_FULL=y
+
# Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y
# CONFIG_STACKLEAK_METRICS is not set
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
-# Randomize the layout of system structures. This may have dramatic performance impact, so
-# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
-
# x86_64
# Full 64-bit means PAE and NX bit.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
-CONFIG_PAGE_TABLE_ISOLATION=y
+CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y
# Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18)
CONFIG_X86_KERNEL_IBT=y
CONFIG_AMD_IOMMU_V2=y
# Straight-Line-Speculation
-CONFIG_SLS=y
+CONFIG_MITIGATION_SLS=y
# Enable Control Flow Integrity (since v6.1).
CONFIG_CFI_CLANG=y
kernel.printk = 3 4 1 7
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
-kernel.disable_modules = 1
+kernel.modules_disabled = 1
kernel.perf_event_paranoid = 3
kernel.kexec_load_disabled = 1
kernel.randomize_va_space = 2
projects / kconfig-hardened-check.git / commitdiff