hardened-arm64.config
# Hardening fragment for arm64 kernels. The CPU-feature options below
# (PAC, BTI, MTE, E0PD, EPAN) are detected at runtime: the kernel is built
# with the instruction sequences and they only take effect on cores that
# implement them, so one image can serve a mix of hardware. Note that a
# fragment merged with merge_config.sh / `make olddefconfig` silently drops
# any option whose dependencies (toolchain support, other symbols) are
# unmet, so grep the resulting .config for each symbol rather than trusting
# the merge. CONFIG_CFI_CLANG needs Clang (LLVM=1); CONFIG_SHADOW_CALL_STACK
# needs a compiler with -fsanitize=shadow-call-stack support.

# Disallow allocating the first 32k of memory, so a kernel NULL-pointer
# dereference cannot land on attacker-mapped pages. Upstream advises not to
# go above 32k on ARM because of loader expectations. This is only the
# boot-time default: vm.mmap_min_addr can be changed at runtime and
# CAP_SYS_RAWIO bypasses it, so pin the sysctl and restrict that capability.
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
# Randomize the kernel's placement (KASLR). The kernel cannot generate the
# seed itself: it needs the UEFI RNG protocol or a bootloader-provided
# /chosen/kaslr-seed DT property. With neither source the kernel still
# boots, just unrandomized, so confirm in the boot log on each target that
# the seed was actually found rather than assuming the option is effective.
CONFIG_RANDOMIZE_BASE=y
# Privileged Access Never: stop the kernel from dereferencing user-space
# pointers outside of the explicit uaccess routines. Hardware PAN (ARMv8.1,
# CONFIG_ARM64_PAN, default y) is used where the core has it; this software
# emulation via TTBR0 switching covers older cores at some cost on every
# user/kernel transition.
CONFIG_ARM64_SW_TTBR0_PAN=y
# Kernel Page Table Isolation (KPTI): unmap the kernel while running at EL0.
# This mitigates Meltdown-style reads of kernel memory and hides the kernel
# layout from address probing; it does not remove cache side-channels in
# general. The kernel applies it at boot only on cores it considers
# affected (or to protect KASLR on cores without E0PD); force it with kpti=1
# on the command line if a given core's classification is in doubt.
CONFIG_UNMAP_KERNEL_AT_EL0=y
# Shadow call stack: return addresses are kept on a separate stack so a
# corrupted frame cannot redirect control flow on return. With the second
# option the kernel is built for PAC and, on CPUs that lack PAC, the PAC
# instructions are patched into SCS sequences at boot using the unwind
# tables, so whichever of the two the core supports is what protects it.
CONFIG_SHADOW_CALL_STACK=y
CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y
# Pointer authentication (ARMv8.3 and later): the return address in LR is
# signed on entry and authenticated on return, so a tampered one faults.
# On cores without PAC the hint-space instructions execute as NOPs (or are
# replaced by SCS, see above). Keep CONFIG_STACKPROTECTOR_STRONG enabled
# regardless of PAC: the canary detects a linear overrun of the frame before
# the function returns rather than only a tampered return address, and this
# fragment is intended for images that may run on cores without PAC.
CONFIG_ARM64_PTR_AUTH=y
CONFIG_ARM64_PTR_AUTH_KERNEL=y
# ARMv8.5 features, each used only where the CPU implements it:
# - BTI: indirect branches may only land on branch-target instructions
#   (hardware forward-edge CFI); _KERNEL extends this to kernel code.
# - MTE + KASAN_HW_TAGS: memory tagging used as a low-overhead detector of
#   out-of-bounds and use-after-free in kernel memory. Unlike generic KASAN
#   this mode is intended for production, but measure the overhead and pick
#   the tag-check mode (kasan.mode=) deliberately on the target.
# - E0PD: kernel addresses fault uniformly from EL0, which is what lets
#   KASLR hold without enabling KPTI on cores that do not otherwise need it.
CONFIG_ARM64_BTI=y
CONFIG_ARM64_BTI_KERNEL=y
CONFIG_ARM64_MTE=y
CONFIG_KASAN_HW_TAGS=y
CONFIG_ARM64_E0PD=y
# ARMv8.7 Enhanced PAN: extends PAN so execute-only user mappings are also
# inaccessible to the kernel.
CONFIG_ARM64_EPAN=y
# Clang kCFI: every indirect call verifies the target's type hash. Requires
# LLVM=1, and out-of-tree modules must be built with the same toolchain and
# CFI settings, otherwise indirect calls from the kernel into them can trip
# the check. Permissive mode is deliberately left off so a CFI violation
# panics instead of only warning; enable it only while debugging, never in
# a deployed image.
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set