From dca3abce84c4a0c6937baca369e9a7c0c1b1a524 Mon Sep 17 00:00:00 2001 From: Marta Rybczynska <marta.rybczynska@linaro.org> Date: Fri, 25 Nov 2022 11:40:46 +0100 Subject: [PATCH] security guide: update formatting Update table and variables formatting. Signed-off-by: Marta Rybczynska <marta.rybczynska@linaro.org> --- security/guide.rst | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/security/guide.rst b/security/guide.rst index 742cb0d..c9a7501 100644 --- a/security/guide.rst +++ b/security/guide.rst @@ -55,11 +55,17 @@ and ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_allocator_perf. | Config option | Oniro state | +=====================================+=============+ | ``CONFIG_SLAB_FREELIST_RANDOM`` | On | ++-------------------------------------+-------------+ | ``CONFIG_SLAB_FREELIST_HARDENED`` | On | ++-------------------------------------+-------------+ | ``CONFIG_SHUFFLE_PAGE_ALLOCATOR`` | On | ++-------------------------------------+-------------+ | ``CONFIG_PAGE_POISONING`` | On | ++-------------------------------------+-------------+ | ``CONFIG_PAGE_POISONING_NO_SANITY`` | On | ++-------------------------------------+-------------+ | ``CONFIG_PAGE_POISONING_ZERO`` | On | ++-------------------------------------+-------------+ | ``CONFIG_INIT_ON_ALLOC_DEFAULT_ON`` | On | +-------------------------------------+-------------+ @@ -152,7 +158,9 @@ make attacks easier: | Config option | Oniro state | +=====================================+=============+ | ``CONFIG_COMPAT_BRK`` | Off | ++-------------------------------------+-------------+ | ``CONFIG_PROC_KCORE`` | Off | ++-------------------------------------+-------------+ | ``CONFIG_BINFMT_MISC`` | Off | +-------------------------------------+-------------+ 
@@ -245,6 +253,7 @@ unsafe memory permissions: | Config option | Oniro state | +==================================+=============+ | ``CONFIG_DEBUG_WX`` | On | ++----------------------------------+-------------+ | ``CONFIG_DEVMEM`` | Off | +----------------------------------+-------------+ @@ -290,6 +299,7 @@ the user space: | Config option | Oniro state | +=======================================+=============+ | ``CONFIG_HARDENED_USERCOPY`` | On | ++---------------------------------------+-------------+ | ``CONFIG_HARDENED_USERCOPY_FALLBACK`` | Off | +---------------------------------------+-------------+ @@ -337,9 +347,13 @@ With those options we add verification of the internal kernel data structures: | Config option | Oniro state | +=====================================+=============+ | ``CONFIG_DEBUG_NOTIFIERS`` | On | ++-------------------------------------+-------------+ | ``CONFIG_DEBUG_LIST`` | On | ++-------------------------------------+-------------+ | ``CONFIG_DEBUG_SG`` | On | ++-------------------------------------+-------------+ | ``CONFIG_BUG_ON_DATA_CORRUPTION`` | On | ++-------------------------------------+-------------+ | ``CONFIG_SCHED_STACK_END_CHECK`` | On | +-------------------------------------+-------------+ @@ -427,10 +441,10 @@ IOMMU is not enabled yet. KSPP [2]_ recomends setting up the following: -``` -CONFIG_PANIC_ON_OOPS=y -CONFIG_PANIC_TIMEOUT=-1 -``` +.. code-block:: console + + CONFIG_PANIC_ON_OOPS=y + CONFIG_PANIC_TIMEOUT=-1 They cause the kernel to reboot on serious error (Oops, see ``the Oops Wikipedia page <https://en.wikipedia.org/wiki/Linux_kernel_oops>`` -- GitLab
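Review bot: In the first hunk (``@@ -55,11 +55,17 @@``) and the other table hunks, the added ``+----+----+`` separator lines are required by the reStructuredText grid-table grammar: without a separator between rows, docutils treats consecutive lines as one multi-line cell, so the seven ``CONFIG_*`` options were rendering as a single row. Please confirm in the commit message or review that the Sphinx build was run after this change and that the tables now render one option per row, and check that the column widths of every added separator match the header rule exactly, since a one-character mismatch makes docutils reject the whole table.

Review bot: In the last hunk (``@@ -427,10 +441,10 @@``), ``.. code-block:: console`` selects the Pygments lexer for interactive shell sessions with prompts, but the two lines are Kconfig assignments; ``.. code-block:: kconfig`` (the Pygments Kconfig lexer) or ``.. code-block:: none`` would be the accurate choice and avoids mis-tokenising ``CONFIG_PANIC_TIMEOUT=-1``. The unchanged context two lines below still wraps the link in double backticks, ``` ``the Oops Wikipedia page <https://en.wikipedia.org/wiki/Linux_kernel_oops>`` ```, which renders as literal text rather than a hyperlink; since this commit is about formatting, consider fixing it to the single-backtick form ``` `the Oops Wikipedia page <https://en.wikipedia.org/wiki/Linux_kernel_oops>`_ ``` and correcting the typo ``recomends`` in the same change.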