On Wed, Jun 26, 2019 at 11:02 PM wrote:
>
> From: He Zhe
>
> Signed-off-by: He Zhe
> ---
> v2: Add a note for people using uvesafb or other similar things.
>
merged.
Bruce
> features/security/security.cfg | 18 ++
> 1 file changed, 18 insertions(+)
>
> diff --git a/features/security/security.cfg b/features/security/security.cfg
> index 87408b6..0a4e246 100644
> --- a/features/security/security.cfg
> +++ b/features/security/security.cfg
> @@ -11,6 +11,7 @@ CONFIG_SLAB_FREELIST_HARDENED=y
>
> # Stack Protector is for buffer overflow detection and hardening
> CONFIG_STACKPROTECTOR=y
> +CONFIG_STACKPROTECTOR_STRONG=y
>
> # Perform extensive checks on reference counting
> CONFIG_REFCOUNT_FULL=y
> @@ -34,6 +35,8 @@ CONFIG_LEGACY_VSYSCALL_NONE=y
> # CONFIG_INET_DIAG is not set
>
> # Do not allow direct physical memory access (enable only STRICT mode...)
> +# Note that drivers like uvesafb/v86d depending on direct physical memory
> +# access would be affected.
> # CONFIG_DEVMEM is not set
> CONFIG_STRICT_DEVMEM=y
> CONFIG_IO_STRICT_DEVMEM=y
> @@ -44,3 +47,18 @@ CONFIG_DEBUG_LIST=y
> CONFIG_DEBUG_SG=y
> CONFIG_DEBUG_NOTIFIERS=y
> CONFIG_DEBUG_CREDENTIALS=y
> +
> +# Information exposure
> +CONFIG_PAGE_POISONING=y
> +
> +# Kernel Address Space Layout Randomization (KASLR)
> +CONFIG_RANDOMIZE_BASE=y
> +CONFIG_RANDOMIZE_MEMORY=y
> +
> +# Direct kernel overwrite
> +CONFIG_STRICT_KERNEL_RWX=y
> +CONFIG_STRICT_MODULE_RWX=y
> +
> +# Meltdown and Spectre
> +CONFIG_PAGE_TABLE_ISOLATION=y
> +CONFIG_RETPOLINE=y
> --
> 2.7.4
>
--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
--
___
linux-yocto mailing list
linux-yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/linux-yocto
