powerpc: add security.config, enforcing lockdown=integrity

It's sometimes handy to have a config that boots a bit like a system under secure boot (forcing lockdown=integrity, without needing any extra stuff like a command line option). This config file allows that, and also turns on a few assorted security and hardening options for good measure. Suggested-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/20201203042807.1293655-1-dja@axtens.net
KSPP · Dec 3, 2020 · ed2bbd2 · ed2bbd2
1 parent 1f69aa0
commit ed2bbd2
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/arch/powerpc/configs/security.config b/arch/powerpc/configs/security.config
@@ -0,0 +1,15 @@
+# This is the equivalent of booting with lockdown=integrity
+CONFIG_SECURITY=y
+CONFIG_SECURITYFS=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+
+# These are some general, reasonably inexpensive hardening options
+CONFIG_HARDENED_USERCOPY=y
+CONFIG_FORTIFY_SOURCE=y
+CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
+
+# UBSAN bounds checking is very cheap and good for hardening
+CONFIG_UBSAN=y
+# CONFIG_UBSAN_MISC is not set