mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-01-09 22:50:41 +00:00
powerpc: add security.config, enforcing lockdown=integrity
It's sometimes handy to have a config that boots a bit like a system under secure boot (forcing lockdown=integrity, without needing any extra stuff like a command line option). This config file allows that, and also turns on a few assorted security and hardening options for good measure. Suggested-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/20201203042807.1293655-1-dja@axtens.net
This commit is contained in:
Daniel Axtens
Michael Ellerman
parent
1f69aa0b89
commit
ed2bbd2b85
15
arch/powerpc/configs/security.config
Normal file
15
arch/powerpc/configs/security.config
Normal file
@ -0,0 +1,15 @@
|
||||
# This is the equivalent of booting with lockdown=integrity
|
||||
CONFIG_SECURITY=y
|
||||
CONFIG_SECURITYFS=y
|
||||
CONFIG_SECURITY_LOCKDOWN_LSM=y
|
||||
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
|
||||
CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
|
||||
|
||||
# These are some general, reasonably inexpensive hardening options
|
||||
CONFIG_HARDENED_USERCOPY=y
|
||||
CONFIG_FORTIFY_SOURCE=y
|
||||
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
|
||||
|
||||
# UBSAN bounds checking is very cheap and good for hardening
|
||||
CONFIG_UBSAN=y
|
||||
# CONFIG_UBSAN_MISC is not set
|
||||
Loading…
x
Reference in New Issue
Block a user