mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-12-04 09:34:12 +08:00
ed2bbd2b85
It's sometimes handy to have a config that boots a bit like a system under secure boot (forcing lockdown=integrity, without needing any extra stuff like a command line option). This config file allows that, and also turns on a few assorted security and hardening options for good measure. Suggested-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/20201203042807.1293655-1-dja@axtens.net
15 lines
468 B
Plaintext
15 lines
468 B
Plaintext
# This is the equivalent of booting with lockdown=integrity
|
|
CONFIG_SECURITY=y
|
|
CONFIG_SECURITYFS=y
|
|
CONFIG_SECURITY_LOCKDOWN_LSM=y
|
|
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
|
|
CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
|
|
|
|
# These are some general, reasonably inexpensive hardening options
|
|
CONFIG_HARDENED_USERCOPY=y
|
|
CONFIG_FORTIFY_SOURCE=y
|
|
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
|
|
|
|
# UBSAN bounds checking is very cheap and good for hardening
|
|
CONFIG_UBSAN=y
|
|
# CONFIG_UBSAN_MISC is not set |