CONFIG_LOCALVERSION=""
CONFIG_DEFAULT_HOSTNAME="clr"
CONFIG_EXTRA_FIRMWARE="i915/skl_dmc_ver1_26.bin i915/kbl_dmc_ver1_01.bin i915/kbl_huc_ver02_00_1810.bin i915/bxt_dmc_ver1_07.bin i915/bxt_guc_ver9_29.bin i915/bxt_huc_ver01_07_1398.bin intel/reef-apl.ri intel/reef-apl.tplg"
CONFIG_EXTRA_FIRMWARE_DIR="firmware"
CONFIG_E100=m
CONFIG_E1000=m
# CONFIG_SECURITY_SELINUX is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=""
CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y
# CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND is not set
CONFIG_DRM_I915_LOW_LEVEL_TRACEPOINTS=y
# The following settings are from the kernel-config package
#
# Clear Linux Security Mandatory Settings
#
# KASLR is required as a basic security hardening
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
# NX is important for buffer overflow exploit hardening
CONFIG_STRICT_KERNEL_RWX=y
# Stack Protector is for buffer overflow detection and hardening
CONFIG_STACKPROTECTOR=y
# /dev/mem is dangerous and has no legitimate users anymore
# CONFIG_DEVMEM is not set
# /dev/mem is dangerous and access must be strictly limited
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
# Needed to protect against targeted corruption by rootkits
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_SCHED_STACK_END_CHECK=y
# Needed to protect against Spectre V2
CONFIG_RETPOLINE=y
# Seccomp is a security feature needed by systemd
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
# Protect against ioctl buffer overflows
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# Harden the slab free list with randomization
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
# Guard pages for kernel stacks
CONFIG_VMAP_STACK=y
# TODO: delete the next line; it contradicts CONFIG_VMAP_STACK=y set above
# CONFIG_VMAP_STACK is not set
# Perform extensive checks on reference counting
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
# Dangerous; enabling this allows direct physical memory writing
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this disables brk ASLR
# CONFIG_COMPAT_BRK is not set
# Dangerous; enabling this allows direct kernel memory writing.
# CONFIG_DEVKMEM is not set
# Dangerous; exposes kernel text image layout
# CONFIG_PROC_KCORE is not set
# Dangerous; enabling this disables VDSO ASLR
# CONFIG_COMPAT_VDSO is not set
# Prior to v4.1 this interface assisted heap memory attacks; best to keep it disabled
# CONFIG_INET_DIAG is not set
# Use the modern PTY interface (devpts) only
# CONFIG_LEGACY_PTYS is not set
# Ensure modules have NX enabled
CONFIG_DEBUG_SET_MODULE_RONX=y
CONFIG_STRICT_MODULE_RWX=y
# Signing of kernel modules is required
CONFIG_MODULE_SIG=y
# Enforce module signing
CONFIG_MODULE_SIG_FORCE=y
# Use SHA512 for kernel module signing
CONFIG_MODULE_SIG_SHA512=y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
# X32 is rarely used and provides only attack surface
# CONFIG_X86_X32 is not set
# Unused dangerous option
# CONFIG_MODIFY_LDT_SYSCALL is not set