hardening: Enable KFENCE in the hardening config
KFENCE is not a security mitigation mechanism (due to sampling), but has
the performance characteristics of unintrusive hardening techniques.
When used at scale, however, it improves overall security by allowing
kernel developers to detect heap memory-safety bugs cheaply.

Link: https://lkml.kernel.org/r/79B9A832-B3DE-4229-9D87-748B2CFB7D12@kernel.org
Cc: Matthieu Baerts <matttbe@kernel.org>
Cc: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Marco Elver <elver@google.com>
Link: https://lore.kernel.org/r/20240212130116.997627-1-elver@google.com
Signed-off-by: Kees Cook <keescook@chromium.org>
Marco Elver authored and Kees Cook committed Feb 21, 2024
1 parent 7b3133a commit de2683e
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions kernel/configs/hardening.config
Expand Up @@ -45,6 +45,9 @@ CONFIG_UBSAN_BOUNDS=y
# CONFIG_UBSAN_ENUM
# CONFIG_UBSAN_ALIGNMENT

# Sampling-based heap out-of-bounds and use-after-free detection.
CONFIG_KFENCE=y

# Linked list integrity checking.
CONFIG_LIST_HARDENED=y
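
Review bot: the comment added above CONFIG_KFENCE=y says what KFENCE detects but not that it is a sampling detector rather than a mitigation, a distinction the commit message makes explicitly. Because this fragment is named hardening.config, someone reading only the file may assume the option blocks exploitation like its neighbours; consider extending the comment to something like "# Sampling-based heap out-of-bounds and use-after-free detection (bug detection, not a mitigation)." The hunk also sets only CONFIG_KFENCE=y, so CONFIG_KFENCE_SAMPLE_INTERVAL stays at its Kconfig default; if that is intended, a short mention in the comment would make it clear that the default sampling rate is what gives the low overhead described in the commit message.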
