1# Help: Basic kernel hardening options
 2#
 3# These are considered the basic kernel hardening, self-protection, and
 4# attack surface reduction options. They are expected to have low (or
 5# no) performance impact on most workloads, and have a reasonable level
 6# of legacy API removals.
 7
 8# Make sure reporting of various hardening actions is possible.
 9CONFIG_BUG=y
10
11# Basic kernel memory permission enforcement.
12CONFIG_STRICT_KERNEL_RWX=y
13CONFIG_STRICT_MODULE_RWX=y
14CONFIG_VMAP_STACK=y
15
16# Kernel image and memory ASLR.
17CONFIG_RANDOMIZE_BASE=y
18CONFIG_RANDOMIZE_MEMORY=y
19
20# Randomize allocator freelists, harden metadata.
21CONFIG_SLAB_FREELIST_RANDOM=y
22CONFIG_SLAB_FREELIST_HARDENED=y
23CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
24CONFIG_RANDOM_KMALLOC_CACHES=y
25
26# Randomize kernel stack offset on syscall entry.
27CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
28
29# Basic stack frame overflow protection.
30CONFIG_STACKPROTECTOR=y
31CONFIG_STACKPROTECTOR_STRONG=y
32
33# Basic buffer length bounds checking.
34CONFIG_HARDENED_USERCOPY=y
35CONFIG_FORTIFY_SOURCE=y
36
37# Basic array index bounds checking.
38CONFIG_UBSAN=y
39CONFIG_UBSAN_TRAP=y
40CONFIG_UBSAN_BOUNDS=y
41# CONFIG_UBSAN_SHIFT is not set
42# CONFIG_UBSAN_DIV_ZERO
43# CONFIG_UBSAN_UNREACHABLE
44# CONFIG_UBSAN_BOOL
45# CONFIG_UBSAN_ENUM
46# CONFIG_UBSAN_ALIGNMENT
47CONFIG_UBSAN_SANITIZE_ALL=y
48
49# Linked list integrity checking.
50CONFIG_LIST_HARDENED=y
51
52# Initialize all heap variables to zero on allocation.
53CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
54
55# Initialize all stack variables to zero on function entry.
56CONFIG_INIT_STACK_ALL_ZERO=y
57
58# Wipe RAM at reboot via EFI. For more details, see:
59# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
60# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
61CONFIG_RESET_ATTACK_MITIGATION=y
62
63# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
64CONFIG_EFI_DISABLE_PCI_DMA=y
65
66# Force IOMMU TLB invalidation so devices will never be able to access stale
67# data content.
68CONFIG_IOMMU_SUPPORT=y
69CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
70
71# Do not allow direct physical memory access to non-device memory.
72CONFIG_STRICT_DEVMEM=y
73CONFIG_IO_STRICT_DEVMEM=y
74
75# Provide userspace with seccomp BPF API for syscall attack surface reduction.
76CONFIG_SECCOMP=y
77CONFIG_SECCOMP_FILTER=y
78
79# Provides some protections against SYN flooding.
80CONFIG_SYN_COOKIES=y
81
82# Attack surface reduction: do not autoload TTY line disciplines.
83# CONFIG_LDISC_AUTOLOAD is not set
84
85# Dangerous; enabling this disables userspace brk ASLR.
86# CONFIG_COMPAT_BRK is not set
87
88# Dangerous; exposes kernel text image layout.
89# CONFIG_PROC_KCORE is not set
90
91# Dangerous; enabling this disables userspace VDSO ASLR.
92# CONFIG_COMPAT_VDSO is not set
93
94# Attack surface reduction: Use the modern PTY interface (devpts) only.
95# CONFIG_LEGACY_PTYS is not set
96
97# Attack surface reduction: Use only modesetting video drivers.
98# CONFIG_DRM_LEGACY is not set