coreos-kernel: more security option updates

- Enable RANDOMIZE_BASE, hopefully Xen is ok with this now. - Disable HIBERNATE/KEXEC_JUMP, we don't need these features. - Fix RO/NX settings in the arm64 kernel.
2025-08-23 07:21:14 +02:00 · 2015-11-11 10:34:51 -08:00 · 2015-11-11 10:34:51 -08:00 · 58ea72b512
commit 58ea72b512
parent 71fd1532e9
3 changed files with 3 additions and 2 deletions
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.2.2-r7.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.2.2-r7.ebuild
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.2
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.2
@ -93,11 +93,10 @@ CONFIG_KEXEC_FILE=y
 CONFIG_KEXEC_VERIFY_SIG=y
 CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
 CONFIG_CRASH_DUMP=y
-CONFIG_KEXEC_JUMP=y
+CONFIG_RANDOMIZE_BASE=y
 CONFIG_PHYSICAL_ALIGN=0x1000000
 CONFIG_CMDLINE_BOOL=y
 CONFIG_CMDLINE="rootflags=rw mount.usrflags=ro"
-CONFIG_HIBERNATION=y
 # CONFIG_ACPI_AC is not set
 # CONFIG_ACPI_BATTERY is not set
 CONFIG_ACPI_BUTTON=m
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.2
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.2
@ -228,7 +228,9 @@ CONFIG_SCHEDSTATS=y
 # CONFIG_DEBUG_PREEMPT is not set
 CONFIG_DEBUG_CREDENTIALS=y
 # CONFIG_FTRACE is not set
+CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_ALIGN_RODATA=y
 CONFIG_SECURITY=y
 CONFIG_CRYPTO_ANSI_CPRNG=y
 CONFIG_ARM64_CRYPTO=y