configs/hardening: Enable CONFIG_KSTACK_ERASE

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Since we can wipe the stack with both Clang and GCC plugins, enable this
for the "hardening.config" for wider testing.

Link: https://lore.kernel.org/r/20250717232519.2984886-12-kees@kernel.org
Signed-off-by: Kees Cook <kees@kernel.org>

Kees Cook 11 months ago 4c56d9f7 76261fc7

1 changed file

expand all

kernel

configs

hardening.config

kernel/configs/hardening.config

··· 63 63 # Initialize all stack variables to zero on function entry. 64 64 CONFIG_INIT_STACK_ALL_ZERO=y 65 65 66 + # Wipe kernel stack after syscall completion to reduce stale data lifetime. 67 + CONFIG_KSTACK_ERASE=y 68 + 66 69 # Wipe RAM at reboot via EFI. For more details, see: 67 70 # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/ 68 71 # https://bugzilla.redhat.com/show_bug.cgi?id=1532058

Configure Feed

Configure Feed