Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

hardening: Enable KCFI and some other options

Add some stuff that got missed along the way:

- CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y so SCS vs PAC is hardware
selectable.

- CONFIG_X86_KERNEL_IBT=y while a default, just to be sure.

- CONFIG_CFI_CLANG=y globally.

- CONFIG_PAGE_TABLE_CHECK=y for userspace mapping sanity.

Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Link: https://lore.kernel.org/r/20240501193709.make.982-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>

12 lines added across 3 files

arch/arm64/configs/hardening.config (+1)
··· 5 5 6 6 # Software Shadow Stack or PAC 7 7 CONFIG_SHADOW_CALL_STACK=y 8 + CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y 8 9 9 10 # Pointer authentication (ARMv8.3 and later). If hardware actually supports 10 11 # it, one can turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
arch/x86/configs/hardening.config (+3)
··· 10 10 CONFIG_INTEL_IOMMU_SVM=y 11 11 CONFIG_AMD_IOMMU=y 12 12 13 + # Enforce CET Indirect Branch Tracking in the kernel. 14 + CONFIG_X86_KERNEL_IBT=y 15 + 13 16 # Enable CET Shadow Stack for userspace. 14 17 CONFIG_X86_USER_SHADOW_STACK=y
kernel/configs/hardening.config (+8)
··· 23 23 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y 24 24 CONFIG_RANDOM_KMALLOC_CACHES=y 25 25 26 + # Sanity check userspace page table mappings. 27 + CONFIG_PAGE_TABLE_CHECK=y 28 + CONFIG_PAGE_TABLE_CHECK_ENFORCED=y 29 + 26 30 # Randomize kernel stack offset on syscall entry. 27 31 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y 28 32 ··· 84 80 85 81 # Provides some protections against SYN flooding. 86 82 CONFIG_SYN_COOKIES=y 83 + 84 + # Enable Kernel Control Flow Integrity (currently Clang only). 85 + CONFIG_CFI_CLANG=y 86 + # CONFIG_CFI_PERMISSIVE is not set 87 87 88 88 # Attack surface reduction: do not autoload TTY line disciplines. 89 89 # CONFIG_LDISC_AUTOLOAD is not set
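Review bot: in the arch/arm64/configs/hardening.config hunk, the new CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y line is the only entry in that block without an explanatory comment, while the SCS line above and the pointer-authentication lines below each have one. Suggest a comment above it in the same style, e.g. `# Choose between SCS and PAC at boot depending on hardware support.`, matching the commit message's "so SCS vs PAC is hardware selectable", so a reader of the fragment sees why both CONFIG_SHADOW_CALL_STACK and this option are enabled together.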
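Review bot: in the arch/x86/configs/hardening.config hunk, the comment `# Enforce CET Indirect Branch Tracking in the kernel.` drops the rationale given in the commit message, namely that CONFIG_X86_KERNEL_IBT=y is already the default and is being pinned so it cannot be lost when fragments are merged. Consider carrying that into the comment, e.g. `# Enforce CET Indirect Branch Tracking in the kernel (already default; pinned here).`, since the other entries in this file explain why they are set rather than just what they do.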
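Review bot: the first kernel/configs/hardening.config hunk enables CONFIG_PAGE_TABLE_CHECK_ENFORCED=y alongside CONFIG_PAGE_TABLE_CHECK=y, but the commit message lists only CONFIG_PAGE_TABLE_CHECK=y. ENFORCED is the option that makes the check unconditional instead of a boot-time opt-in, which is the part that matters for a hardening fragment, so it should be named in the message; the comment could say so as well, e.g. `# Sanity check userspace page table mappings (always on, not opt-in at boot).`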
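Review bot: in the second kernel/configs/hardening.config hunk, CONFIG_CFI_CLANG=y is appended after the CONFIG_SYN_COOKIES entry (under the SYN-flooding comment) rather than next to the other control-flow and stack hardening options earlier in the file, such as the CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT block; moving it there keeps the fragment grouped by theme. The `# CONFIG_CFI_PERMISSIVE is not set` line is the one that makes CFI enforcing (a violation is fatal rather than a warning), so spell that out in the comment, e.g. `# Enable Kernel Control Flow Integrity (currently Clang only); permissive mode off so violations are fatal.`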