Enable hardened configs for Fedora and ARK; disable GCC plugins for now (!961) · Merge requests · cki-project / kernel-ark

Josh Poimboeuf requested to merge jpoimboe/kernel-ark:ark-hardened-configs into os-build Mar 10, 2021

Improve Fedora and ARK kernel hardening by enabling the following configs:

CONFIG_SCHED_STACK_END_CHECK
CONFIG_BUG_ON_DATA_CORRUPTION
CONFIG_SLAB_FREELIST_HARDENED (already enabled in Fedora)
CONFIG_PAGE_POISONING

These were tested by the RHEL performance engineering team. No measurable performance impact was detected.

We also want to enable the structleak and stackleak GCC plugins, but currently they're causing a lot of pain with slight GCC mismatches. Until that problem gets resolved upstream, disable them for now.

Edited Mar 10, 2021 by Josh Poimboeuf

Enable hardened configs for Fedora and ARK; disable GCC plugins for now

Merge request reports