From: Xiangyu Chen <xiangyu.c...@windriver.com> According to the kernel self protection page[1], add recommended options to features/security for aarch64/arm64.
Ref: [1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings#arm64 Signed-off-by: Xiangyu Chen <xiangyu.c...@windriver.com> --- features/security/security-arm64.cfg | 29 ++++++++++++++++++++++++++++ features/security/security.scc | 4 ++++ 2 files changed, 33 insertions(+) create mode 100644 features/security/security-arm64.cfg diff --git a/features/security/security-arm64.cfg b/features/security/security-arm64.cfg new file mode 100644 index 00000000..5222afb3 --- /dev/null +++ b/features/security/security-arm64.cfg @@ -0,0 +1,29 @@ +# SPDX-License-Identifier: MIT + +# Make sure PAN emulation is enabled. +CONFIG_ARM64_SW_TTBR0_PAN=y + +# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. +CONFIG_UNMAP_KERNEL_AT_EL0=y + +# Software Shadow Stack or PAC +CONFIG_SHADOW_CALL_STACK=y + +# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can +# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled. +CONFIG_ARM64_PTR_AUTH=y +CONFIG_ARM64_PTR_AUTH_KERNEL=y + +# Available in ARMv8.5 and later. +CONFIG_ARM64_BTI=y +CONFIG_ARM64_BTI_KERNEL=y +CONFIG_ARM64_MTE=y +CONFIG_KASAN_HW_TAGS=y +CONFIG_ARM64_E0PD=y + +# Available in ARMv8.7 and later. +CONFIG_ARM64_EPAN=y + +# Enable Control Flow Integrity +CONFIG_CFI_CLANG=y +# CONFIG_CFI_PERMISSIVE is not set diff --git a/features/security/security.scc b/features/security/security.scc index c6ca31f0..f3a651c0 100644 --- a/features/security/security.scc +++ b/features/security/security.scc @@ -7,3 +7,7 @@ kconf non-hardware security.cfg if [ "$KARCH" = "x86_64" ]; then kconf non-hardware security-x86_64.cfg fi + +if [ "$KARCH" = "arm64" ]; then + kconf non-hardware security-arm64.cfg +fi -- 2.25.1
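Review bot: In security-arm64.cfg, CONFIG_KASAN_HW_TAGS=y is set without CONFIG_KASAN=y; KASAN_HW_TAGS is one option of the KASAN mode choice and is only visible when KASAN is enabled, so as written it drops out of the resulting .config and only the kconf audit will show that. Either add CONFIG_KASAN=y deliberately (and say in the commit message that an MTE-backed KASAN is intended for this security fragment rather than a debug one) or remove the line. Along the same lines, CONFIG_SHADOW_CALL_STACK and CONFIG_CFI_CLANG depend on compiler support, so with a toolchain that lacks it those two also silently disappear; a sentence in the commit message about which toolchain this was verified with would help the next reader.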
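Review bot: In security.scc the new fragment is pulled in as `kconf non-hardware security-arm64.cfg`, yet most of its options (PTR_AUTH, BTI, MTE, E0PD, EPAN) are tied to specific ARMv8.x CPU features. That classification is defensible because the kernel detects these features at runtime and falls back when they are absent, but the commit message should state that reasoning so the non-hardware tag is not read as an oversight, and it should mention that the kconf audit was checked on an arm64 build with this fragment applied.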
View/Reply Online (#13584): https://lists.yoctoproject.org/g/linux-yocto/message/13584