# Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL=y
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL_ZERO=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
...
...
@@ -83,6 +83,24 @@ CONFIG_FORTIFY_SOURCE=y
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
CONFIG_SECURITY_DMESG_RESTRICT=y
# Randomize kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
# Enable sampling-based overflow detection. This is similar to KASAN coverage, but with almost zero runtime overhead.
CONFIG_KFENCE=y
# Do not ignore compile-time warnings (since v5.15)
CONFIG_WERROR=y
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
# Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)
CONFIG_ZERO_CALL_USED_REGS=y
# Dangerous; enabling this allows direct physical memory writing.
# Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL=y
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL_ZERO=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
...
...
@@ -83,6 +83,24 @@ CONFIG_FORTIFY_SOURCE=y
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
CONFIG_SECURITY_DMESG_RESTRICT=y
# Randomize kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
# Enable sampling-based overflow detection. This is similar to KASAN coverage, but with almost zero runtime overhead.
CONFIG_KFENCE=y
# Do not ignore compile-time warnings (since v5.15)
CONFIG_WERROR=y
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
# Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)
CONFIG_ZERO_CALL_USED_REGS=y
# Dangerous; enabling this allows direct physical memory writing.
# Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL=y
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL_ZERO=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
...
...
@@ -83,6 +83,24 @@ CONFIG_FORTIFY_SOURCE=y
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
CONFIG_SECURITY_DMESG_RESTRICT=y
# Randomize kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
# Enable sampling-based overflow detection. This is similar to KASAN coverage, but with almost zero runtime overhead.
CONFIG_KFENCE=y
# Do not ignore compile-time warnings (since v5.15)
CONFIG_WERROR=y
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
# Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)
CONFIG_ZERO_CALL_USED_REGS=y
# Dangerous; enabling this allows direct physical memory writing.
# Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL=y
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
CONFIG_INIT_STACK_ALL_ZERO=y
# Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_VMAP_STACK=y
...
...
@@ -83,6 +83,24 @@ CONFIG_FORTIFY_SOURCE=y
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
CONFIG_SECURITY_DMESG_RESTRICT=y
# Randomize kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
# Enable sampling-based overflow detection. This is similar to KASAN coverage, but with almost zero runtime overhead.
CONFIG_KFENCE=y
# Do not ignore compile-time warnings (since v5.15)
CONFIG_WERROR=y
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
# Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)
CONFIG_ZERO_CALL_USED_REGS=y
# Dangerous; enabling this allows direct physical memory writing.