author | Marco Elver <[email protected]> | 2024-02-12 14:01:09 +0100 |
---|---|---|
committer | Kees Cook <[email protected]> | 2024-02-20 20:47:32 -0800 |
commit | de2683e7fdac0c33c4c2c115e69dbbbe904a2224 (patch) | |
tree | bb7afb4bdee8d5759f6052664f5766a33f9505b6 | |
parent | 7b3133aa4b9eba9cdf3905e3f7c8b6687ff4615b (diff) |
hardening: Enable KFENCE in the hardening config
KFENCE is not a security mitigation mechanism (due to sampling), but has
the performance characteristics of unintrusive hardening techniques.
When used at scale, however, it improves overall security by allowing
kernel developers to detect heap memory-safety bugs cheaply.
Link: https://lkml.kernel.org/r/[email protected]
Cc: Matthieu Baerts <[email protected]>
Cc: Jakub Kicinski <[email protected]>
Signed-off-by: Marco Elver <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Kees Cook <[email protected]>
-rw-r--r-- | kernel/configs/hardening.config | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/kernel/configs/hardening.config b/kernel/configs/hardening.config index ed126d7b5e83..7a5bbfc024b7 100644 --- a/kernel/configs/hardening.config +++ b/kernel/configs/hardening.config @@ -45,6 +45,9 @@ CONFIG_UBSAN_BOUNDS=y # CONFIG_UBSAN_ENUM # CONFIG_UBSAN_ALIGNMENT +# Sampling-based heap out-of-bounds and use-after-free detection. +CONFIG_KFENCE=y + # Linked list integrity checking. CONFIG_LIST_HARDENED=y |
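Review bot: The comment added above `CONFIG_KFENCE=y` in the hunk at -45,6 +45,9 says only what KFENCE detects, so a reader of hardening.config could take it for a mitigation like the neighbouring `CONFIG_LIST_HARDENED=y`. The commit message states that KFENCE is not a security mitigation because it samples, and that caveat belongs in the fragment itself, for example as a second comment line such as `# Not a mitigation (sampling); enabled to surface heap bugs cheaply at scale.` The fragment also sets only the enable switch and leaves the sampling rate at whatever the Kconfig default is. If that default is what is intended for hardened builds, say so in the comment so that the choice is visible to people who merge this fragment.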