Commit de2683e7 authored by Marco Elver's avatar Marco Elver Committed by Kees Cook
Browse files

hardening: Enable KFENCE in the hardening config 

KFENCE is not a security mitigation mechanism (due to sampling), but has
the performance characteristics of unintrusive hardening techniques.
When used at scale, however, it improves overall security by allowing
kernel developers to detect heap memory-safety bugs cheaply.

Link: https://lkml.kernel.org/r/79B9A832-B3DE-4229-9D87-748B2CFB7D12@kernel.org


Cc: Matthieu Baerts <matttbe@kernel.org>
Cc: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: default avatarMarco Elver <elver@google.com>
Link: https://lore.kernel.org/r/20240212130116.997627-1-elver@google.com


Signed-off-by: default avatarKees Cook <keescook@chromium.org>
parent 7b3133aa

kernel/configs/hardening.config

+3 −0
Original line number Diff line number Diff line
@@ -45,6 +45,9 @@ CONFIG_UBSAN_BOUNDS=y 
# CONFIG_UBSAN_ENUM

# CONFIG_UBSAN_ALIGNMENT



# Sampling-based heap out-of-bounds and use-after-free detection.

CONFIG_KFENCE=y



# Linked list integrity checking.

CONFIG_LIST_HARDENED=y