xref: /linux/kernel/configs/hardening.config (revision e6a901a00822659181c93c86d8bbc2a17779fddc) 
1# Help: Basic kernel hardening options
2#
3# These are considered the basic kernel hardening, self-protection, and
4# attack surface reduction options. They are expected to have low (or
5# no) performance impact on most workloads, and have a reasonable level
6# of legacy API removals.
7
8# Make sure reporting of various hardening actions is possible.
9CONFIG_BUG=y
10
11# Basic kernel memory permission enforcement.
12CONFIG_STRICT_KERNEL_RWX=y
13CONFIG_STRICT_MODULE_RWX=y
14CONFIG_VMAP_STACK=y
15
16# Kernel image and memory ASLR.
17CONFIG_RANDOMIZE_BASE=y
18CONFIG_RANDOMIZE_MEMORY=y
19
20# Randomize allocator freelists, harden metadata.
21CONFIG_SLAB_FREELIST_RANDOM=y
22CONFIG_SLAB_FREELIST_HARDENED=y
23CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
24CONFIG_RANDOM_KMALLOC_CACHES=y
25
26# Randomize kernel stack offset on syscall entry.
27CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
28
29# Basic stack frame overflow protection.
30CONFIG_STACKPROTECTOR=y
31CONFIG_STACKPROTECTOR_STRONG=y
32
33# Basic buffer length bounds checking.
34CONFIG_HARDENED_USERCOPY=y
35CONFIG_FORTIFY_SOURCE=y
36
37# Basic array index bounds checking.
38CONFIG_UBSAN=y
39CONFIG_UBSAN_TRAP=y
40CONFIG_UBSAN_BOUNDS=y
41# CONFIG_UBSAN_SHIFT is not set
42# CONFIG_UBSAN_DIV_ZERO is not set
43# CONFIG_UBSAN_UNREACHABLE is not set
44# CONFIG_UBSAN_SIGNED_WRAP is not set
45# CONFIG_UBSAN_BOOL is not set
46# CONFIG_UBSAN_ENUM is not set
47# CONFIG_UBSAN_ALIGNMENT is not set
48
49# Sampling-based heap out-of-bounds and use-after-free detection.
50CONFIG_KFENCE=y
51
52# Linked list integrity checking.
53CONFIG_LIST_HARDENED=y
54
55# Initialize all heap variables to zero on allocation.
56CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
57
58# Initialize all stack variables to zero on function entry.
59CONFIG_INIT_STACK_ALL_ZERO=y
60
61# Wipe RAM at reboot via EFI. For more details, see:
62# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
63# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
64CONFIG_RESET_ATTACK_MITIGATION=y
65
66# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
67CONFIG_EFI_DISABLE_PCI_DMA=y
68
69# Force IOMMU TLB invalidation so devices will never be able to access stale
70# data content.
71CONFIG_IOMMU_SUPPORT=y
72CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
73
74# Do not allow direct physical memory access to non-device memory.
75CONFIG_STRICT_DEVMEM=y
76CONFIG_IO_STRICT_DEVMEM=y
77
78# Provide userspace with seccomp BPF API for syscall attack surface reduction.
79CONFIG_SECCOMP=y
80CONFIG_SECCOMP_FILTER=y
81
82# Provides some protections against SYN flooding.
83CONFIG_SYN_COOKIES=y
84
85# Attack surface reduction: do not autoload TTY line disciplines.
86# CONFIG_LDISC_AUTOLOAD is not set
87
88# Dangerous; enabling this disables userspace brk ASLR.
89# CONFIG_COMPAT_BRK is not set
90
91# Dangerous; exposes kernel text image layout.
92# CONFIG_PROC_KCORE is not set
93
94# Dangerous; enabling this disables userspace VDSO ASLR.
95# CONFIG_COMPAT_VDSO is not set
96
97# Attack surface reduction: Use the modern PTY interface (devpts) only.
98# CONFIG_LEGACY_PTYS is not set
99