projects / kernel / kernel-mfld-blackbay.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c825feb)
Recommended kernel config options for more secure system
authorsathyanarayanan kuppuswamy <sathyanarayanan.kuppuswamy@intel.com>
Wed, 11 Jan 2012 21:09:53 +0000 (13:09 -0800)
committerbuildbot <buildbot@intel.com>
Thu, 9 Feb 2012 20:27:10 +0000 (12:27 -0800)
BZ 19489

enable  : CONFIG_DEBUG_SET_MODULE_RONX
disable : CONFIG_DEVMEM
set     : CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

CONFIG_DEBUG_SET_MODULE_RONX=y
Enabling this will cause the kernel modules to also get NX/RO protection, not just the core kernel;
no perf impact (few hundred cycles on loading a module, but no runtime impact)

CONFIG_DEVMEM=n
Nothing SHOULD be using it in a non-legacy-linux environment.

CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
64Kb is a better/safer default without negative impact to userspace in practice.

Change-Id: Ic5cc04f678688eb9c08c2fa68898eaf0385d5499
Reviewed-on: http://android.intel.com:8080/31582
Reviewed-by: Yang, Fei <fei.yang@intel.com>
Tested-by: Yang, Fei <fei.yang@intel.com>
Reviewed-by: Gross, Mark <mark.gross@intel.com>
Reviewed-by: Koskinen, Ilkka <ilkka.koskinen@intel.com>
Reviewed-by: Tardy, Pierre <pierre.tardy@intel.com>
Reviewed-by: buildbot <buildbot@intel.com>
Tested-by: buildbot <buildbot@intel.com>
arch/x86/configs/i386_mfld_defconfig patch | blob | history

diff --git a/arch/x86/configs/i386_mfld_defconfig b/arch/x86/configs/i386_mfld_defconfig
index 7b6c8ae..236f32f 100644 (file)
--- a/arch/x86/configs/i386_mfld_defconfig
+++ b/arch/x86/configs/i386_mfld_defconfig
@@ -398,7 +398,7 @@ CONFIG_ZONE_DMA_FLAG=1
 CONFIG_BOUNCE=y
 CONFIG_VIRT_TO_BUS=y
 # CONFIG_KSM is not set
-CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y
 # CONFIG_MEMORY_FAILURE is not set
 # CONFIG_TRANSPARENT_HUGEPAGE is not set
@@ -1266,7 +1266,7 @@ CONFIG_SERIAL_NONSTANDARD=y
 CONFIG_N_GSM=y
 CONFIG_TRACE_ROUTER=y
 CONFIG_TRACE_SINK=y
-CONFIG_DEVMEM=y
+# CONFIG_DEVMEM is not set
 # CONFIG_DEVKMEM is not set
 # CONFIG_STALDRV is not set
 
@@ -2679,7 +2679,7 @@ CONFIG_EARLY_PRINTK_INTEL_MID=y
 # CONFIG_X86_PTDUMP is not set
 CONFIG_DEBUG_RODATA=y
 # CONFIG_DEBUG_RODATA_TEST is not set
-# CONFIG_DEBUG_SET_MODULE_RONX is not set
+CONFIG_DEBUG_SET_MODULE_RONX=y
 # CONFIG_DEBUG_NX_TEST is not set
 CONFIG_DOUBLEFAULT=y
 # CONFIG_IOMMU_STRESS is not set
Domain: System / Kernel;