From: Xiangyu Chen <xiangyu.c...@windriver.com>

According to the kernel self protection page[1], add recommended options to
features/security for aarch64/arm64.

Ref:
[1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings#arm64

Signed-off-by: Xiangyu Chen <xiangyu.c...@windriver.com>
---
 features/security/security-arm64.cfg | 29 ++++++++++++++++++++++++++++
 features/security/security.scc       |  4 ++++
 2 files changed, 33 insertions(+)
 create mode 100644 features/security/security-arm64.cfg

diff --git a/features/security/security-arm64.cfg 
b/features/security/security-arm64.cfg
new file mode 100644
index 00000000..5222afb3
--- /dev/null
+++ b/features/security/security-arm64.cfg
@@ -0,0 +1,29 @@
+# SPDX-License-Identifier: MIT
+
+# Make sure PAN emulation is enabled.
+CONFIG_ARM64_SW_TTBR0_PAN=y
+
+# Enable Kernel Page Table Isolation to remove an entire class of cache timing 
side-channels.
+CONFIG_UNMAP_KERNEL_AT_EL0=y
+
+# Software Shadow Stack or PAC
+CONFIG_SHADOW_CALL_STACK=y
+
+# Pointer authentication (ARMv8.3 and later). If hardware actually supports 
it, one can
+# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
+CONFIG_ARM64_PTR_AUTH=y
+CONFIG_ARM64_PTR_AUTH_KERNEL=y
+
+# Available in ARMv8.5 and later.
+CONFIG_ARM64_BTI=y
+CONFIG_ARM64_BTI_KERNEL=y
+CONFIG_ARM64_MTE=y
+CONFIG_KASAN_HW_TAGS=y
+CONFIG_ARM64_E0PD=y
+
+# Available in ARMv8.7 and later.
+CONFIG_ARM64_EPAN=y
+
+# Enable Control Flow Integrity
+CONFIG_CFI_CLANG=y
+# CONFIG_CFI_PERMISSIVE is not set
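Review bot: several of these options are only selectable with a Clang toolchain, which the fragment does not say anywhere: CONFIG_SHADOW_CALL_STACK and CONFIG_CFI_CLANG both depend on compiler support (shadow-call-stack and KCFI/LTO respectively), so on the default GCC toolchain kconf will drop them, and because security.scc applies this file as `non-hardware` the kernel config audit will warn whenever that happens. Either state the toolchain requirement in the comment above `CONFIG_SHADOW_CALL_STACK=y` or split the Clang-only options into a separate fragment. Separately, `CONFIG_KASAN_HW_TAGS=y` is a mode choice under the KASAN menu and does nothing unless `CONFIG_KASAN=y` is set as well; if the base security.cfg does not enable KASAN, it should be added here. Finally, the comment above `CONFIG_ARM64_PTR_AUTH=y` suggests turning off CONFIG_STACKPROTECTOR_STRONG once hardware PAC is present, but this fragment is applied to every arm64 target, including pre-ARMv8.3 parts where PAC is not available, so I would drop that sentence rather than invite someone to act on it.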
diff --git a/features/security/security.scc b/features/security/security.scc
index c6ca31f0..f3a651c0 100644
--- a/features/security/security.scc
+++ b/features/security/security.scc
@@ -7,3 +7,7 @@ kconf non-hardware security.cfg
 if [ "$KARCH" = "x86_64" ]; then
     kconf non-hardware security-x86_64.cfg
 fi
+
+if [ "$KARCH" = "arm64" ]; then
+    kconf non-hardware security-arm64.cfg
+fi
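Review bot: the guard mirrors the existing x86_64 block and `"arm64"` is the kernel ARCH value used for aarch64 machines, so 32-bit arm (`KARCH=arm`) is correctly excluded. One style point: with two back-to-back architecture checks in the same file, an `if ... elif ... fi` chain would make the mutual exclusion explicit, although keeping separate blocks is consistent with what is already there. Also worth noting that tagging the new fragment `non-hardware` means any option that cannot be applied on a given toolchain or kernel version will be reported by the config audit, which is the desired behaviour here but should be expected by whoever sees the warnings.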
-- 
2.25.1
