From: Xiangyu Chen <[email protected]>

Add some configs to harden protection:

CONFIG_HW_RANDOM_TPM=y
Expose the TPM's Random Number Generator as a hwrng device.

CONFIG_DEBUG_WX=y
Warn on W+X mappings at boot.

CONFIG_SECURITY_DMESG_RESTRICT=y
Restrict unprivileged access to the kernel syslog.

CONFIG_LDISC_AUTOLOAD=n
Disable automatic loading of TTY line disciplines.
Signed-off-by: Xiangyu Chen <[email protected]> --- features/security/security.cfg | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/features/security/security.cfg b/features/security/security.cfg index 6c096739..92325ccb 100644 --- a/features/security/security.cfg +++ b/features/security/security.cfg @@ -56,3 +56,15 @@ CONFIG_STRICT_MODULE_RWX=y # Meltdown and Spectre CONFIG_PAGE_TABLE_ISOLATION=y CONFIG_RETPOLINE=y + +# Exposing the TPM's Random Number Generator as a hwrng device. +CONFIG_HW_RANDOM_TPM=y + +# Warn on W+X mappings at boot +CONFIG_DEBUG_WX=y + +# Restrict unprivileged access to the kernel syslog +CONFIG_SECURITY_DMESG_RESTRICT=y + +# The kernel will automatically load the module of any line dicipline that is asked for. +CONFIG_LDISC_AUTOLOAD=n -- 2.35.5
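Review bot: The comment placed above CONFIG_LDISC_AUTOLOAD=n ("The kernel will automatically load the module of any line dicipline that is asked for.") describes the behaviour the option has when it is enabled, so it reads as the opposite of the value being set, and it misspells "discipline"; reword it to state the intent of the setting, e.g. `# Do not autoload TTY line discipline modules on request (runtime override: dev.tty.ldisc_autoload)`, matching the style of the other three comments. Separately, CONFIG_HW_RANDOM_TPM=y only takes effect when the TPM driver and the hw_random core are enabled elsewhere in the configuration, and CONFIG_DEBUG_WX is only offered on architectures that support it; since this fragment sets neither dependency, confirm in the merged .config that the options were not silently dropped.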
View/Reply Online (#13486): https://lists.yoctoproject.org/g/linux-yocto/message/13486
