On Wed, Jun 26, 2019 at 11:02 PM <zhe...@windriver.com> wrote: > > From: He Zhe <zhe...@windriver.com> > > Signed-off-by: He Zhe <zhe...@windriver.com> > --- > v2: Add a note for people using uvesafb or other similar things. >
merged. Bruce > features/security/security.cfg | 18 ++++++++++++++++++ > 1 file changed, 18 insertions(+) > > diff --git a/features/security/security.cfg b/features/security/security.cfg > index 87408b6..0a4e246 100644 > --- a/features/security/security.cfg > +++ b/features/security/security.cfg > @@ -11,6 +11,7 @@ CONFIG_SLAB_FREELIST_HARDENED=y > > # Stack Protector is for buffer overflow detection and hardening > CONFIG_STACKPROTECTOR=y > +CONFIG_STACKPROTECTOR_STRONG=y > > # Perform extensive checks on reference counting > CONFIG_REFCOUNT_FULL=y > @@ -34,6 +35,8 @@ CONFIG_LEGACY_VSYSCALL_NONE=y > # CONFIG_INET_DIAG is not set > > # Do not allow direct physical memory access (enable only STRICT mode...) > +# Note that drivers like uvesafb/v86d depending on direct physical memory > +# access would be affected. > # CONFIG_DEVMEM is not set > CONFIG_STRICT_DEVMEM=y > CONFIG_IO_STRICT_DEVMEM=y > @@ -44,3 +47,18 @@ CONFIG_DEBUG_LIST=y > CONFIG_DEBUG_SG=y > CONFIG_DEBUG_NOTIFIERS=y > CONFIG_DEBUG_CREDENTIALS=y > + > +# Information exposure > +CONFIG_PAGE_POISONING=y > + > +# Kernel Address Space Layout Randomization (KASLR) > +CONFIG_RANDOMIZE_BASE=y > +CONFIG_RANDOMIZE_MEMORY=y > + > +# Direct kernel overwrite > +CONFIG_STRICT_KERNEL_RWX=y > +CONFIG_STRICT_MODULE_RWX=y > + > +# Meltdown and Spectre > +CONFIG_PAGE_TABLE_ISOLATION=y > +CONFIG_RETPOLINE=y > -- > 2.7.4 > -- - Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end - "Use the force Harry" - Gandalf, Star Trek II -- _______________________________________________ linux-yocto mailing list linux-yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/linux-yocto
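Review bot: the hunk at @@ -11,6 +11,7 @@ adds CONFIG_STACKPROTECTOR_STRONG=y under a comment that still only says "Stack Protector is for buffer overflow detection and hardening", so a reader cannot tell why the stronger variant is now required alongside CONFIG_STACKPROTECTOR=y. Suggest extending the comment to say that _STRONG instruments any function with a local array or address-taken local, not just functions with character arrays, e.g. "# STRONG covers every function with a local array or address-taken local". CONFIG_STACKPROTECTOR_STRONG depends on CONFIG_STACKPROTECTOR, which the file already sets, so the pairing itself is correct.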
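Review bot: the note added in the hunk at @@ -34,6 +35,8 @@ names uvesafb/v86d but does not say which of the three lines below it actually breaks them or what an affected user should override. Of the lines shown, it is "# CONFIG_DEVMEM is not set" that removes /dev/mem entirely (v86d needs it to reach the video BIOS); CONFIG_STRICT_DEVMEM and CONFIG_IO_STRICT_DEVMEM both depend on CONFIG_DEVMEM and so have no effect while it is unset. Suggest rewording to something like "# uvesafb/v86d and similar drivers need /dev/mem; such users must override with CONFIG_DEVMEM=y and keep the STRICT options", which also repairs "drivers like ... depending on" to "drivers like ... that depend on". The existing "(enable only STRICT mode...)" fragment is left as vague as before and could be folded into the same sentence.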
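Review bot: in the hunk at @@ -44,3 +47,18 @@, CONFIG_PAGE_POISONING=y is inert at runtime on kernels of this vintage unless the kernel is booted with page_poison=1, so the "Information exposure" comment promises a protection that the fragment alone does not deliver; either document the required boot parameter next to the option or drop the claim. The "Meltdown and Spectre" comment is also broader than the two options under it: CONFIG_PAGE_TABLE_ISOLATION addresses Meltdown and CONFIG_RETPOLINE only Spectre v2 (and needs a retpoline-capable compiler, otherwise the build only warns), so suggest "# Meltdown (PTI) and Spectre v2 (retpoline)". Finally, CONFIG_RANDOMIZE_MEMORY, CONFIG_PAGE_TABLE_ISOLATION and CONFIG_RETPOLINE are x86-specific symbols, while nothing in security.cfg says the fragment is x86-only; a one-line note that these are silently dropped on other architectures would save the next reader a merge_config.sh warning hunt. The "Direct kernel overwrite" comment would read more clearly as "# Keep kernel and module text/rodata read-only".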