
added new hardening recommendations#252

Merged: gehoern merged 2 commits into main from hardenupd on Feb 17, 2026

Conversation

@gehoern (Contributor) commented Feb 17, 2026

Adding security recommendations to harden the kernel image; see also gardenlinux/gardenlinux#4282.

Added for cloud and for metal:

CONFIG_SCHED_CORE=y
CONFIG_X86_16BIT=n
CONFIG_X86_VSYSCALL_EMULATION=n
CONFIG_LEGACY_VSYSCALL_NONE=y

CONFIG_KVM_WERROR=y

CONFIG_SLAB_MERGE_DEFAULT=n

CONFIG_RANDOM_KMALLOC_CACHES=y
CONFIG_COMPAT_BRK=n
CONFIG_KSM=n

CONFIG_PROC_KCORE=n

CONFIG_HARDENED_USERCOPY_FALLBACK=n
CONFIG_HARDENED_USERCOPY_PAGESPAN=n

CONFIG_INIT_ON_FREE_DEFAULT_ON=y
CONFIG_ZERO_CALL_USED_REGS=y

CONFIG_RANDSTRUCT_NONE=n
CONFIG_RANDSTRUCT_FULL=y

CONFIG_DEBUG_NOTIFIERS=y

Only for metal:

CONFIG_XEN=n
CONFIG_PARAVIRT=n
CONFIG_HYPERVISOR_GUEST=n
CONFIG_MODIFY_LDT_SYSCALL=n
CONFIG_IA32_EMULATION=n
CONFIG_X86_X32_ABI=n

CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
CONFIG_IOMMU_DEFAULT_PASSTHROUGH=n

CONFIG_INTEL_IOMMU_DEFAULT_ON=y

CONFIG_PAGE_TABLE_CHECK=y
CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
CONFIG_KFENCE_SAMPLE_INTERVAL=100

#CONFIG_MODULE_SIG_FORCE=y
#CONFIG_MODULE_SIG_ALL=y
#CONFIG_MODULE_SIG_SHA512=y

#CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
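As an added example (not part of this PR and not Garden Linux's own tooling), a POSIX shell checker that compares a kernel `.config` against the common cloud-and-metal recommendations listed above, treating a `=n` recommendation as met when the option is either `# ... is not set` or absent; the sample config it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Garden Linux tooling): check a kernel .config against the
# common cloud+metal recommendations from the PR. A "=n" recommendation is met
# by "# CONFIG_X is not set" or by the option being absent from the file.
RECOMMENDED='CONFIG_SCHED_CORE=y
CONFIG_X86_16BIT=n
CONFIG_X86_VSYSCALL_EMULATION=n
CONFIG_LEGACY_VSYSCALL_NONE=y
CONFIG_KVM_WERROR=y
CONFIG_SLAB_MERGE_DEFAULT=n
CONFIG_RANDOM_KMALLOC_CACHES=y
CONFIG_COMPAT_BRK=n
CONFIG_KSM=n
CONFIG_PROC_KCORE=n
CONFIG_HARDENED_USERCOPY_FALLBACK=n
CONFIG_HARDENED_USERCOPY_PAGESPAN=n
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
CONFIG_ZERO_CALL_USED_REGS=y
CONFIG_RANDSTRUCT_NONE=n
CONFIG_RANDSTRUCT_FULL=y
CONFIG_DEBUG_NOTIFIERS=y'
# check_kconfig FILE: print one line per deviation, return the deviation count.
check_kconfig() {
    cfg="$1"; bad=0
    for entry in $RECOMMENDED; do
        opt="${entry%%=*}"; want="${entry#*=}"
        # Value set in the file; unset or "is not set" both count as n.
        have=$(grep -E "^${opt}=" "$cfg" | head -n 1 | cut -d= -f2-)
        if [ -z "$have" ]; then have=n; fi
        if [ "$have" != "$want" ]; then
            echo "MISMATCH ${opt}: recommended ${want}, found ${have}"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
# Constructed sample .config (not a real Garden Linux config) for a stand-alone run.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_SCHED_CORE=y
# CONFIG_X86_16BIT is not set
CONFIG_X86_VSYSCALL_EMULATION=y
CONFIG_KSM=y
CONFIG_RANDOM_KMALLOC_CACHES=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
CONFIG_ZERO_CALL_USED_REGS=y
CONFIG_RANDSTRUCT_FULL=y
CONFIG_DEBUG_NOTIFIERS=y
EOF
}
f=$(mktemp); write_sample_config "$f"
check_kconfig "$f" || echo "deviations: $?"; rm -f "$f"
```

To check a live system instead of the sample, point `check_kconfig` at `/boot/config-$(uname -r)` or at the output of `zcat /proc/config.gz`.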

@gehoern gehoern requested a review from 5kt February 17, 2026 15:32
@gehoern gehoern merged commit f6a6dab into main Feb 17, 2026
1 check passed