CONFIG_LOCALVERSION="" CONFIG_DEFAULT_HOSTNAME="clr" CONFIG_EXTRA_FIRMWARE="i915/skl_dmc_ver1_26.bin i915/kbl_dmc_ver1_01.bin i915/kbl_huc_ver02_00_1810.bin i915/bxt_dmc_ver1_07.bin i915/bxt_guc_ver9_29.bin i915/bxt_huc_ver01_07_1398.bin intel/reef-apl.ri intel/reef-apl.tplg" CONFIG_EXTRA_FIRMWARE_DIR="firmware" CONFIG_E100=m CONFIG_E1000=m # CONFIG_SECURITY_SELINUX is not set CONFIG_DEFAULT_SECURITY_DAC=y CONFIG_DEFAULT_SECURITY="" CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y # CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND is not set CONFIG_DRM_I915_LOW_LEVEL_TRACEPOINTS=y # The following settins are from kernel-config package # # Clear Linux Securty Mandatory Settings # # KASLR is required as a basic security hardening CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y # NX is important for buffer overflow exploit hardening CONFIG_STRICT_KERNEL_RWX=y # Stack Protector is for buffer overflow detection and hardening CONFIG_STACKPROTECTOR=y # /dev/mem is dangerous and has no legitimate users anymore # CONFIG_DEVMEM is not set # /dev/mem is dangerous and access must be strictly limited CONFIG_STRICT_DEVMEM=y CONFIG_IO_STRICT_DEVMEM=y # Needed to protect against targeted corruption by rootkits CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y CONFIG_SCHED_STACK_END_CHECK=y # Needed to protect against Spectre V2 CONFIG_RETPOLINE=y # Seccomp is a security feature needed by systemd CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Protect against ioctl buffer overflows CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set # Harden the slab free list with randomization CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y # Guard pages for kernel stacks CONFIG_VMAP_STACK=y # TODO: Fixme we need to delete the next line # CONFIG_VMAP_STACK is not set # Perform extensive checks on reference counting CONFIG_REFCOUNT_FULL=y # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. CONFIG_FORTIFY_SOURCE=y # Dangerous; enabling this allows direct physical memory writing # CONFIG_ACPI_CUSTOM_METHOD is not set # Dangerous; enabling this disables brk ASLR # CONFIG_COMPAT_BRK is not set # Dangerous; enabling this allows direct kernel memory writing. # CONFIG_DEVKMEM is not set # Dangerous; exposes kernel text image layout # CONFIG_PROC_KCORE is not set # Dangerous; enabling this disables VDSO ASLR # CONFIG_COMPAT_VDSO is not set # Prior to v4.1, assists heap memory attacks; best to keep interface disabled # CONFIG_INET_DIAG is not set # Use the modern PTY interface (devpts) only # CONFIG_LEGACY_PTYS is not set # Ensure modules have NX enabled CONFIG_DEBUG_SET_MODULE_RONX=y CONFIG_STRICT_MODULE_RWX=y # Signing of kernel modules is required CONFIG_MODULE_SIG=y # Enforce module signing CONFIG_MODULE_SIG_FORCE=y # Use SHA512 for kernel module signing CONFIG_MODULE_SIG_SHA512=y # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y # X32 is rarely used and provides only attack surface # CONFIG_X86_X32 is not set # Unused dangerous option # CONFIG_MODIFY_LDT_SYSCALL is not set