From: He Zhe <zhe...@windriver.com> Signed-off-by: He Zhe <zhe...@windriver.com> --- v2: Add a note for people using uvesafb or other similar things.
features/security/security.cfg | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/features/security/security.cfg b/features/security/security.cfg
index 87408b6..0a4e246 100644
--- a/features/security/security.cfg
+++ b/features/security/security.cfg
@@ -11,6 +11,7 @@ CONFIG_SLAB_FREELIST_HARDENED=y
 # Stack Protector is for buffer overflow detection and hardening
 CONFIG_STACKPROTECTOR=y
+CONFIG_STACKPROTECTOR_STRONG=y
 # Perform extensive checks on reference counting
 CONFIG_REFCOUNT_FULL=y
@@ -34,6 +35,8 @@ CONFIG_LEGACY_VSYSCALL_NONE=y
 # CONFIG_INET_DIAG is not set
 # Do not allow direct physical memory access (enable only STRICT mode...)
+# Note that drivers like uvesafb/v86d depending on direct physical memory
+# access would be affected.
 # CONFIG_DEVMEM is not set
 CONFIG_STRICT_DEVMEM=y
 CONFIG_IO_STRICT_DEVMEM=y
@@ -44,3 +47,18 @@ CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_CREDENTIALS=y
+
+# Information exposure
+CONFIG_PAGE_POISONING=y
+
+# Kernel Address Space Layout Randomization (KASLR)
+CONFIG_RANDOMIZE_BASE=y
+CONFIG_RANDOMIZE_MEMORY=y
+
+# Direct kernel overwrite
+CONFIG_STRICT_KERNEL_RWX=y
+CONFIG_STRICT_MODULE_RWX=y
+
+# Meltdown and Spectre
+CONFIG_PAGE_TABLE_ISOLATION=y
+CONFIG_RETPOLINE=y
-- 
2.7.4
--
_______________________________________________
linux-yocto mailing list
linux-yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/linux-yocto
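Review bot: CONFIG_PAGE_POISONING=y in the last hunk does not poison freed pages on its own — on the kernel generation this fragment targets (CONFIG_STACKPROTECTOR alongside CONFIG_REFCOUNT_FULL), the code is built in but stays inactive until `page_poison=on` is on the kernel command line, so the "Information exposure" heading promises more than the fragment delivers; suggest `# Information exposure (only active with page_poison=on on the kernel command line)`. In the same hunk, CONFIG_PAGE_TABLE_ISOLATION and CONFIG_RETPOLINE are x86-only symbols and CONFIG_RANDOMIZE_MEMORY is x86_64-only, so when this shared fragment is merged into a non-x86 BSP they are silently dropped and the resulting .config lacks the mitigations the comments advertise. Either state the architecture assumption next to those sections or move them into an x86-specific fragment, and note that CONFIG_RETPOLINE additionally depends on the toolchain supporting retpoline code generation, which should be confirmed for the compiler in use.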