Commit dca3abce authored by Marta Rybczynska

security guide: update formatting


Update table and variables formatting.

Signed-off-by: Marta Rybczynska <marta.rybczynska@linaro.org>
parent d529382b
Pipeline #13006 failed with stages
......@@ -55,11 +55,17 @@ and ``oniro/meta-oniro-core/recipes-kernel/linux/linux/hardening_allocator_perf.
| Config option | Oniro state |
+=====================================+=============+
| ``CONFIG_SLAB_FREELIST_RANDOM`` | On |
+-------------------------------------+-------------+
| ``CONFIG_SLAB_FREELIST_HARDENED`` | On |
+-------------------------------------+-------------+
| ``CONFIG_SHUFFLE_PAGE_ALLOCATOR`` | On |
+-------------------------------------+-------------+
| ``CONFIG_PAGE_POISONING`` | On |
+-------------------------------------+-------------+
| ``CONFIG_PAGE_POISONING_NO_SANITY`` | On |
+-------------------------------------+-------------+
| ``CONFIG_PAGE_POISONING_ZERO`` | On |
+-------------------------------------+-------------+
| ``CONFIG_INIT_ON_ALLOC_DEFAULT_ON`` | On |
+-------------------------------------+-------------+
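Review bot: the row separator lines in this grid table (the ``+---+---+`` line after each ``CONFIG_*`` row) have to be kept in sync by hand, and the same separator pattern recurs in every table hunk of this commit. Consider converting these two-column tables to ``list-table``, which needs no separator lines, or, if the docs are built with Sphinx, running the build with ``sphinx-build -W`` in CI so that a malformed table fails the pipeline instead of rendering incorrectly.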
......@@ -152,7 +158,9 @@ make attacks easier:
| Config option | Oniro state |
+=====================================+=============+
| ``CONFIG_COMPAT_BRK`` | Off |
+-------------------------------------+-------------+
| ``CONFIG_PROC_KCORE`` | Off |
+-------------------------------------+-------------+
| ``CONFIG_BINFMT_MISC`` | Off |
+-------------------------------------+-------------+
......@@ -245,6 +253,7 @@ unsafe memory permissions:
| Config option | Oniro state |
+==================================+=============+
| ``CONFIG_DEBUG_WX`` | On |
+----------------------------------+-------------+
| ``CONFIG_DEVMEM`` | Off |
+----------------------------------+-------------+
......@@ -290,6 +299,7 @@ the user space:
| Config option | Oniro state |
+=======================================+=============+
| ``CONFIG_HARDENED_USERCOPY`` | On |
+---------------------------------------+-------------+
| ``CONFIG_HARDENED_USERCOPY_FALLBACK`` | Off |
+---------------------------------------+-------------+
......@@ -337,9 +347,13 @@ With those options we add verification of the internal kernel data structures:
| Config option | Oniro state |
+=====================================+=============+
| ``CONFIG_DEBUG_NOTIFIERS`` | On |
+-------------------------------------+-------------+
| ``CONFIG_DEBUG_LIST`` | On |
+-------------------------------------+-------------+
| ``CONFIG_DEBUG_SG`` | On |
+-------------------------------------+-------------+
| ``CONFIG_BUG_ON_DATA_CORRUPTION`` | On |
+-------------------------------------+-------------+
| ``CONFIG_SCHED_STACK_END_CHECK`` | On |
+-------------------------------------+-------------+
......@@ -427,10 +441,10 @@ IOMMU is not enabled yet.
KSPP [2]_ recomends setting up the following:
```
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
```
.. code-block:: console
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
They cause the kernel to reboot on serious error (Oops, see
``the Oops Wikipedia page <https://en.wikipedia.org/wiki/Linux_kernel_oops>``
......
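Review bot: ``.. code-block:: console`` in the replacement for the Markdown fence selects the shell-session lexer, but the body is a kernel config fragment (``CONFIG_PANIC_ON_OOPS=y``, ``CONFIG_PANIC_TIMEOUT=-1``); ``text`` or ``none`` would fit better. As displayed here the directive is followed directly by unindented content, so please confirm that the source has a blank line after the directive and an indented body, otherwise the two lines will not render as a code block. In the context lines of the same hunk, ``recomends`` should read ``recommends``, and the Wikipedia link is wrapped in double backticks, which makes it an inline literal; a hyperlink needs single backticks and a trailing underscore.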