From: sathyanarayanan kuppuswamy <sathyanarayanan.kuppuswamy@intel.com>
Date: Wed, 11 Jan 2012 21:09:53 +0000 (-0800)
Subject: Recommended kernel config options for more secure system
X-Git-Tag: 2.1b_release~1474
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=fde3c918df9605ebc449f18b28bcc0e4dd5172db;p=kernel%2Fkernel-mfld-blackbay.git

Recommended kernel config options for more secure system

BZ 19489

enable  : CONFIG_DEBUG_SET_MODULE_RONX
disable : CONFIG_DEVMEM
set     : CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

CONFIG_DEBUG_SET_MODULE_RONX=y
Enabling this will cause the kernel modules to also get NX/RO protection, not just the core kernel;
no perf impact (few hundred cycles on loading a module, but no runtime impact)

CONFIG_DEVMEM=n
Nothing SHOULD be using it in a non-legacy-linux environment.

CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
64Kb is a better/safer default without negative impact to userspace in practice.

Change-Id: Ic5cc04f678688eb9c08c2fa68898eaf0385d5499
Reviewed-on: http://android.intel.com:8080/31582
Reviewed-by: Yang, Fei <fei.yang@intel.com>
Tested-by: Yang, Fei <fei.yang@intel.com>
Reviewed-by: Gross, Mark <mark.gross@intel.com>
Reviewed-by: Koskinen, Ilkka <ilkka.koskinen@intel.com>
Reviewed-by: Tardy, Pierre <pierre.tardy@intel.com>
Reviewed-by: buildbot <buildbot@intel.com>
Tested-by: buildbot <buildbot@intel.com>
---

diff --git a/arch/x86/configs/i386_mfld_defconfig b/arch/x86/configs/i386_mfld_defconfig
index 7b6c8ae..236f32f 100644
--- a/arch/x86/configs/i386_mfld_defconfig
+++ b/arch/x86/configs/i386_mfld_defconfig
@@ -398,7 +398,7 @@ CONFIG_ZONE_DMA_FLAG=1
 CONFIG_BOUNCE=y
 CONFIG_VIRT_TO_BUS=y
 # CONFIG_KSM is not set
-CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y
 # CONFIG_MEMORY_FAILURE is not set
 # CONFIG_TRANSPARENT_HUGEPAGE is not set
@@ -1266,7 +1266,7 @@ CONFIG_SERIAL_NONSTANDARD=y
 CONFIG_N_GSM=y
 CONFIG_TRACE_ROUTER=y
 CONFIG_TRACE_SINK=y
-CONFIG_DEVMEM=y
+# CONFIG_DEVMEM is not set
 # CONFIG_DEVKMEM is not set
 # CONFIG_STALDRV is not set
 
@@ -2679,7 +2679,7 @@ CONFIG_EARLY_PRINTK_INTEL_MID=y
 # CONFIG_X86_PTDUMP is not set
 CONFIG_DEBUG_RODATA=y
 # CONFIG_DEBUG_RODATA_TEST is not set
-# CONFIG_DEBUG_SET_MODULE_RONX is not set
+CONFIG_DEBUG_SET_MODULE_RONX=y
 # CONFIG_DEBUG_NX_TEST is not set
 CONFIG_DOUBLEFAULT=y
 # CONFIG_IOMMU_STRESS is not set