diff options
| author |  Marco Elver <elver@google.com>
| 2024-02-12 14:01:09 +0100 |
|---|---|---|
| committer |  Kees Cook <keescook@chromium.org>
| 2024-02-20 20:47:32 -0800 |
| commit | de2683e7fdac0c33c4c2c115e69dbbbe904a2224 (patch) | |
| tree | bb7afb4bdee8d5759f6052664f5766a33f9505b6 /kernel/configs | |
| parent | hardening: drop obsolete DRM_LEGACY from config fragment (diff) | |
| download | linux-de2683e7fdac0c33c4c2c115e69dbbbe904a2224.tar.gz linux-de2683e7fdac0c33c4c2c115e69dbbbe904a2224.tar.bz2 linux-de2683e7fdac0c33c4c2c115e69dbbbe904a2224.zip | |
hardening: Enable KFENCE in the hardening config
KFENCE is not a security mitigation mechanism (due to sampling), but has
the performance characteristics of unintrusive hardening techniques.
When used at scale, however, it improves overall security by allowing
kernel developers to detect heap memory-safety bugs cheaply.
Link: https://lkml.kernel.org/r/79B9A832-B3DE-4229-9D87-748B2CFB7D12@kernel.org
Cc: Matthieu Baerts <matttbe@kernel.org>
Cc: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Marco Elver <elver@google.com>
Link: https://lore.kernel.org/r/20240212130116.997627-1-elver@google.com
Signed-off-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'kernel/configs')
| -rw-r--r-- | kernel/configs/hardening.config | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/kernel/configs/hardening.config b/kernel/configs/hardening.config index ed126d7b5e83..7a5bbfc024b7 100644 --- a/kernel/configs/hardening.config +++ b/kernel/configs/hardening.config @@ -45,6 +45,9 @@ CONFIG_UBSAN_BOUNDS=y # CONFIG_UBSAN_ENUM # CONFIG_UBSAN_ALIGNMENT +# Sampling-based heap out-of-bounds and use-after-free detection. +CONFIG_KFENCE=y + # Linked list integrity checking. CONFIG_LIST_HARDENED=y |