machine: linux: add kernel cmdline parameters for security

Follows ANSI-BP28-R8 These parameters may impact RT performance. A benchmark is advised. Signed-off-by: Enguerrand de Ribaucourt <[email protected]>
seapath · Dec 10, 2024 · 2fb5106 · 2fb5106
1 parent c09dd1e
commit 2fb5106
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 2 deletions.
diff --git a/conf/machine/seapath-machine-common.inc b/conf/machine/seapath-machine-common.inc
@@ -17,4 +17,10 @@ APPEND += " \
     slab_nomerge \
     slub_debug=ZF \
     rootfstype=ext4 \
+    page_poison=on \
+    spec_store_bypass_disable=auto \
+    mds=full,nosmt \
+    mce=0 \
+    page_alloc.shuffle=1 \
+    rng_core.default_quality=500 \
 "
diff --git a/recipes-kernel/linux/linux-mainline-rt/defconfig b/recipes-kernel/linux/linux-mainline-rt/defconfig
@@ -38,7 +38,7 @@ CONFIG_EXPERT=y
 # CONFIG_COMPAT_BRK is not set
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
-# CONFIG_SHUFFLE_PAGE_ALLOCATOR is not set
+CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 CONFIG_PROFILING=y
 CONFIG_SMP=y
 CONFIG_X86_X2APIC=y

diff --git a/recipes-kernel/linux/linux-mainline-rt_6.6/defconfig b/recipes-kernel/linux/linux-mainline-rt_6.6/defconfig
@@ -78,7 +78,7 @@ CONFIG_PARTITION_ADVANCED=y
 # CONFIG_COREDUMP is not set
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
-# CONFIG_SHUFFLE_PAGE_ALLOCATOR is not set
+CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 # CONFIG_COMPAT_BRK is not set
 CONFIG_MEMORY_HOTPLUG=y
 CONFIG_MEMORY_HOTREMOVE=y