kernel/config: enable security features
CONFIG_RANDOMIZE_BASE
Randomize the physical address at which the kernel image is decompressed and the virtual address where the kernel image is mapped, as a security feature that deters exploit attempts relying on knowledge of the location of kernel code internals.

CONFIG_RANDOMIZE_MEMORY
Randomizes the base virtual address of kernel memory sections. This security feature makes exploits relying on predictable memory locations less reliable.

CONFIG_STACKPROTECTOR
This feature puts, at the beginning of functions, a canary value on the stack just before the return address, and validates the value just before actually returning. Stack based buffer overflows now also overwrite the canary, which gets detected and the attack is then neutralized via a kernel panic.

CONFIG_REFCOUNT_FULL
Enabling this switches the ref counting infrastructure from a fast unchecked atomic_t implementation to a fully state checked implementation, which can be (slightly) slower but provides protections against various use-after-free conditions that can be used in security flaw exploits.

CONFIG_HARDENED_USERCOPY
This option checks for obviously wrong memory regions when copying memory to/from the kernel (via copy_to_user() and copy_from_user() functions) by rejecting memory ranges that are larger than the specified heap object, span multiple separately allocated pages, are not on the process stack, or are part of the kernel text. This kills entire classes of heap overflow exploits and similar kernel memory exposures.

CONFIG_FORTIFY_SOURCE
Detect overflows of buffers in common string and memory functions where the compiler can determine and validate the buffer sizes.

fixes kata-containers#638

Signed-off-by: Julio Montes <julio.montes@intel.com>
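A small audit script for the six options named in this commit message, added here as an example and not part of the kata-containers commit or repository: it reads a kernel `.config` and reports any of the options that is not built in (`=y`), treating `is not set` and `=m` as not enabled. The sample config it writes is constructed for the demonstration; point `check_hardening_config` at a real `.config` (or a decompressed `/proc/config.gz`) to audit a guest kernel.

```shell
#!/bin/sh
# Added example: audit a kernel .config for the hardening options that the
# commit above enables. Not code from the kata-containers project.

# The six options named in the commit message.
HARDENING_OPTS="CONFIG_RANDOMIZE_BASE CONFIG_RANDOMIZE_MEMORY CONFIG_STACKPROTECTOR CONFIG_REFCOUNT_FULL CONFIG_HARDENED_USERCOPY CONFIG_FORTIFY_SOURCE"

# config_enabled CONFIG_FILE OPTION: succeed only if OPTION is built in (=y).
# "# CONFIG_FOO is not set" and "CONFIG_FOO=m" both count as not enabled.
config_enabled() {
    grep -q "^$2=y$" "$1"
}

# check_hardening_config CONFIG_FILE: print every hardening option that is
# not enabled; exit status 0 if all are enabled, 1 if any is missing.
check_hardening_config() {
    missing=0
    for opt in $HARDENING_OPTS; do
        if ! config_enabled "$1" "$opt"; then
            echo "MISSING: $opt"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample config (not a real kata-containers kernel config):
# one option is explicitly unset and one is absent altogether.
SAMPLE_CONFIG="${TMPDIR:-/tmp}/sample_kernel.config.$$"
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
CONFIG_STACKPROTECTOR=y
# CONFIG_REFCOUNT_FULL is not set
CONFIG_HARDENED_USERCOPY=y
EOF

# Expected to report CONFIG_REFCOUNT_FULL and CONFIG_FORTIFY_SOURCE.
check_hardening_config "$SAMPLE_CONFIG" || echo "config lacks hardening options"
```

Option names drift between kernel releases (CONFIG_REFCOUNT_FULL was dropped from mainline once the checked implementation became the default), so treat the list as the starting point for the kernel version you actually build rather than a fixed standard.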