Module Name:    src
Committed By:   christos
Date:           Sat May 21 18:31:13 UTC 2016

Modified Files:
        src/sys/arch/evbarm/conf: GENERIC.common

Log Message:
Add various security options; enables PaX ASLR/MPROTECT


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/sys/arch/evbarm/conf/GENERIC.common

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/evbarm/conf/GENERIC.common
diff -u src/sys/arch/evbarm/conf/GENERIC.common:1.12 src/sys/arch/evbarm/conf/GENERIC.common:1.13
--- src/sys/arch/evbarm/conf/GENERIC.common:1.12	Thu Nov 12 05:48:30 2015
+++ src/sys/arch/evbarm/conf/GENERIC.common	Sat May 21 14:31:13 2016
@@ -1,5 +1,5 @@
 #
-#	$NetBSD: GENERIC.common,v 1.12 2015/11/12 10:48:30 jmcneill Exp $
+#	$NetBSD: GENERIC.common,v 1.13 2016/05/21 18:31:13 christos Exp $
 #
 #	GENERIC evbarm kernel config (template)
 #
@@ -163,3 +163,28 @@ pseudo-device	pty			# pseudo-terminals
 #pseudo-device	clockctl		# user control of clock subsystem
 pseudo-device	ksyms			# /dev/ksyms
 pseudo-device	lockstat		# lock profiling
+
+options         FILEASSOC               # fileassoc(9) - required for Veriexec
+
+# Veriexec
+#
+# a pseudo device needed for veriexec
+pseudo-device   veriexec
+#
+# Uncomment the fingerprint methods below that are desired. Note that
+# removing fingerprint methods will have almost no impact on the kernel  
+# code size.
+# 
+options VERIFIED_EXEC_FP_RMD160
+options VERIFIED_EXEC_FP_SHA256
+options VERIFIED_EXEC_FP_SHA384
+options VERIFIED_EXEC_FP_SHA512
+options VERIFIED_EXEC_FP_SHA1
+options VERIFIED_EXEC_FP_MD5
+
+
+options 	PAX_ASLR_DEBUG=1	# PaX ASLR debug
+options 	PAX_SEGVGUARD=0		# PaX Segmentation fault guard
+options 	PAX_MPROTECT=1		# PaX mprotect(2) restrictions
+options 	PAX_MPROTECT_DEBUG=1	# PaX mprotect debug
+options 	PAX_ASLR=1		# PaX Address Space Layout Randomization
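Review bot: The Veriexec fingerprint list in this hunk turns on `VERIFIED_EXEC_FP_MD5` and `VERIFIED_EXEC_FP_SHA1` alongside the SHA-2 methods, although MD5 is collision-broken and SHA-1 is deprecated for integrity use, so a GENERIC kernel would accept fingerprints in either. The comment above the list says to "Uncomment the fingerprint methods below that are desired", yet every method is already active, so the text and the config disagree. I would ship the two weak ones commented out, as `#options VERIFIED_EXEC_FP_SHA1` and `#options VERIFIED_EXEC_FP_MD5`, so that a signature file has to use RMD160 or SHA-2 unless someone opts in. Separately, `PAX_SEGVGUARD=0` next to `PAX_ASLR=1` deserves a short comment on what the 0 means (presumably compiled in but off by default; please confirm), since segvguard is the part that limits repeated crash-and-retry against a randomized layout. The log message also does not mention that `PAX_ASLR_DEBUG=1` and `PAX_MPROTECT_DEBUG=1` are enabled in GENERIC, which is worth stating if it is intended.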
