projects / platform / kernel / kernel-mfld-blackbay.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: c825feb) | patch
Recommended kernel config options for more secure system
authorsathyanarayanan kuppuswamy <sathyanarayanan.kuppuswamy@intel.com>
Wed, 11 Jan 2012 21:09:53 +0000 (13:09 -0800)
committerbuildbot <buildbot@intel.com>
Thu, 9 Feb 2012 20:27:10 +0000 (12:27 -0800)
commitfde3c918df9605ebc449f18b28bcc0e4dd5172db
tree38b48c313645547435bd3a6a521209e86b490240tree | snapshot
parentc825feb0f63c4edc583879931e481f2bca3c59d2commit | diff
Recommended kernel config options for more secure system

BZ 19489

enable  : CONFIG_DEBUG_SET_MODULE_RONX
disable : CONFIG_DEVMEM
set     : CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

CONFIG_DEBUG_SET_MODULE_RONX=y
Enabling this will cause the kernel modules to also get NX/RO protection, not just the core kernel;
no perf impact (few hundred cycles on loading a module, but no runtime impact)

CONFIG_DEVMEM=n
Nothing SHOULD be using it in a non-legacy-linux environment.

CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
64Kb is a better/safer default without negative impact to userspace in practice.

Change-Id: Ic5cc04f678688eb9c08c2fa68898eaf0385d5499
Reviewed-on: http://android.intel.com:8080/31582
Reviewed-by: Yang, Fei <fei.yang@intel.com>
Tested-by: Yang, Fei <fei.yang@intel.com>
Reviewed-by: Gross, Mark <mark.gross@intel.com>
Reviewed-by: Koskinen, Ilkka <ilkka.koskinen@intel.com>
Reviewed-by: Tardy, Pierre <pierre.tardy@intel.com>
Reviewed-by: buildbot <buildbot@intel.com>
Tested-by: buildbot <buildbot@intel.com>
arch/x86/configs/i386_mfld_defconfig diff | blob | history
Domain: System / Uncategorized;