From 538528fa9af96b44f6aeddf4783872d0520e2dc6 Mon Sep 17 00:00:00 2001 From: Penny Zheng Date: Tue, 7 Apr 2020 10:58:24 +0800 Subject: [PATCH] configs: re-organize security-related configs There exists a few security-related configs, which are x86-64 specific. CONFIG_LEGACY_VSYSCALL_NONE=y CONFIG_RETPOLINE=y CONFIG_RELOCATABLE and CONFIG_RANDOMIZE_BASE are kinds of tangled on aarch64, if CONFIG_RANDOMIZE_BASE=y, then CONFIG_RELOCATABLE will be selected automatically. CONFIG_RANDOMIZE_BASE will randomize the virtual address at which the kernel image is loaded, which as a security feature could deter exploit attempts relying on knowledge of the location of kernel internals. Fixes: #1004 Signed-off-by: Penny Zheng
---
 kernel/configs/fragments/common/base.conf | 6 +-----
 kernel/configs/fragments/x86_64/base.conf | 4 ++++
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/kernel/configs/fragments/common/base.conf b/kernel/configs/fragments/common/base.conf
index 8bd72a009..55289654d 100644
--- a/kernel/configs/fragments/common/base.conf
+++ b/kernel/configs/fragments/common/base.conf
@@ -21,7 +21,6 @@ CONFIG_FUTEX=y
 CONFIG_HIGH_RES_TIMERS=y
 CONFIG_GENERIC_MSI_IRQ_DOMAIN=y
 CONFIG_GENERIC_MSI_IRQ=y
-CONFIG_LEGACY_VSYSCALL_NONE=y
 CONFIG_NO_HZ=y
 CONFIG_NO_HZ_FULL=y
 CONFIG_POSIX_MQUEUE=y
@@ -32,14 +31,11 @@ CONFIG_SHMEM=y
 # For security...
 CONFIG_RELOCATABLE=y
-# FIXME - check if we should be setting this
-# https://github.com/kata-containers/packaging/issues/483
-#CONFIG_RANDOMIZE_BASE=y
+CONFIG_RANDOMIZE_BASE=y
 # FIXME - check if we should be setting this
 # https://github.com/kata-containers/packaging/issues/483
 # I have a feeling it effects our memory hotplug maybe?
 # PHYSICAL_ALIGN=0x1000000
-CONFIG_RETPOLINE=y
 # This would only affect two drivers, neither of which we have enabled.
 # The recommendation is to have it on, and you will see if in a diff if you
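Review bot: `CONFIG_RANDOMIZE_BASE=y` is switched on for every architecture in the second hunk with no comment on what it needs at boot, and the FIXME pointing at packaging issue 483 is deleted without recording how that question was answered. The option only makes randomization possible: as far as I know an arm64 guest needs a seed from the device tree or firmware, and an x86 guest started from an uncompressed vmlinux may bypass the stage that picks the offset, so the image can still load at a fixed address. I would put `# KASLR: only effective with a boot-time seed and without nokaslr; confirm in a guest that the kernel base differs across boots` above the line. The surviving FIXME about PHYSICAL_ALIGN and memory hotplug looks like the same open question and deserves a hotplug test with this enabled. The "For security" block starts and continues outside the hunk.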
diff --git a/kernel/configs/fragments/x86_64/base.conf b/kernel/configs/fragments/x86_64/base.conf
index 08023e8ca..a7969c751 100644
--- a/kernel/configs/fragments/x86_64/base.conf
+++ b/kernel/configs/fragments/x86_64/base.conf
@@ -10,3 +10,7 @@ CONFIG_KVM_GUEST=y
 # Use the maximum number of CPUs supported by KVM (240)
 CONFIG_NR_CPUS=240
+
+# For security
+CONFIG_LEGACY_VSYSCALL_NONE=y
+CONFIG_RETPOLINE=y
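Review bot: The new `# For security` comment at the end of x86_64/base.conf does not say what either option protects against, which makes it easy to drop one later without noticing the loss. I would replace it with one comment per option, e.g. `# No legacy vsyscall page: removes a fixed-address mapping from every process` and `# Spectre v2 mitigation for indirect branches; needs a retpoline-capable compiler`. Since `CONFIG_RETPOLINE` now applies to x86_64 only, it is worth checking that the other architecture fragments carry their own branch-predictor hardening (on arm64 that would be something like `CONFIG_HARDEN_BRANCH_PREDICTOR`); none is visible in this patch.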