hardening: Enable KFENCE in the hardening config

KFENCE is not a security mitigation mechanism (due to sampling), but has the performance characteristics of unintrusive hardening techniques. When used at scale, however, it improves overall security by allowing kernel developers to detect heap memory-safety bugs cheaply. Link: https://lkml.kernel.org/r/79B9A832-B3DE-4229-9D87-748B2CFB7D12@kernel.org Cc: Matthieu Baerts <matttbe@kernel.org> Cc: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Marco Elver <elver@google.com> Link: https://lore.kernel.org/r/20240212130116.997627-1-elver@google.comSigned-off-by: Kees Cook <keescook@chromium.org>

hardening: Enable KFENCE in the hardening config
KFENCE is not a security mitigation mechanism (due to sampling), but has the performance characteristics of unintrusive hardening techniques. When used at scale, however, it improves overall security by allowing kernel developers to detect heap memory-safety bugs cheaply. Link: https://lkml.kernel.org/r/79B9A832-B3DE-4229-9D87-748B2CFB7D12@kernel.org Cc: Matthieu Baerts <matttbe@kernel.org> Cc: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Marco Elver <elver@google.com> Link: https://lore.kernel.org/r/20240212130116.997627-1-elver@google.comSigned-off-by: Kees Cook <keescook@chromium.org>
de2683e7 · Marco Elver · Kees Cook · 7b3133aa · de2683e7
Commit de2683e7 authored Feb 12, 2024 by Marco Elver Committed by Kees Cook Feb 20, 2024
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

kernel/configs/hardening.config kernel/configs/hardening.config +3 -0

No files found.
--- a/kernel/configs/hardening.config
+++ b/kernel/configs/hardening.config
@@ -45,6 +45,9 @@ CONFIG_UBSAN_BOUNDS=y
 # CONFIG_UBSAN_ENUM
 # CONFIG_UBSAN_ALIGNMENT

+# Sampling-based heap out-of-bounds and use-after-free detection.
+CONFIG_KFENCE=y
+
 # Linked list integrity checking.
 CONFIG_LIST_HARDENED=y