projects / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: fb28a88) | patch
hardening: Enable KCFI and some other options
authorKees Cook <keescook@chromium.org>
Wed, 1 May 2024 19:37:12 +0000 (12:37 -0700)
committerKees Cook <keescook@chromium.org>
Wed, 1 May 2024 19:38:14 +0000 (12:38 -0700)
commita284e43852380ab71eeb996389e01992d74a8dde
treed6e06644741e293066c71501f65c8b96dc73a7b6tree | snapshot
parentfb28a8862dc4b5bf8e44578338f35d9c6c68339dcommit | diff
hardening: Enable KCFI and some other options

Add some stuff that got missed along the way:

- CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y so SCS vs PAC is hardware
  selectable.

- CONFIG_X86_KERNEL_IBT=y while a default, just be sure.

- CONFIG_CFI_CLANG=y globally.

- CONFIG_PAGE_TABLE_CHECK=y for userspace mapping sanity.

Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Link: https://lore.kernel.org/r/20240501193709.make.982-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
arch/arm64/configs/hardening.config diff | blob | history
arch/x86/configs/hardening.config diff | blob | history
kernel/configs/hardening.config diff | blob | history
ep93xx device tree rework repo: git://git.maquefel.me/linux.git