configs: re-organize security-related configs

There exist a few security-related configs which are x86-64 specific:
CONFIG_LEGACY_VSYSCALL_NONE=y
CONFIG_RETPOLINE=y

CONFIG_RELOCATABLE and CONFIG_RANDOMIZE_BASE are kind of tangled on
aarch64: if CONFIG_RANDOMIZE_BASE=y, then CONFIG_RELOCATABLE will be
selected automatically.
CONFIG_RANDOMIZE_BASE will randomize the virtual address at which the
kernel image is loaded, which as a security feature could deter exploit
attempts relying on knowledge of the location of kernel internals.

Fixes: #1004

Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Penny Zheng 2020-04-07 10:58:24 +08:00
parent beee33b1a4
commit 538528fa9a
2 changed files with 5 additions and 5 deletions

@ -21,7 +21,6 @@ CONFIG_FUTEX=y
CONFIG_HIGH_RES_TIMERS=y
CONFIG_GENERIC_MSI_IRQ_DOMAIN=y
CONFIG_GENERIC_MSI_IRQ=y
CONFIG_LEGACY_VSYSCALL_NONE=y
CONFIG_NO_HZ=y
CONFIG_NO_HZ_FULL=y
CONFIG_POSIX_MQUEUE=y
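Review bot: Dropping CONFIG_LEGACY_VSYSCALL_NONE=y from this shared block (between CONFIG_GENERIC_MSI_IRQ=y and CONFIG_NO_HZ=y) is only safe if every x86-64 build also merges the arch-specific fragment that now carries it. Please confirm that the generated x86-64 .config still contains CONFIG_LEGACY_VSYSCALL_NONE=y, because a fragment that is not merged would drop the option without any build error.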
@ -32,14 +31,11 @@ CONFIG_SHMEM=y
# For security...
CONFIG_RELOCATABLE=y
# FIXME - check if we should be setting this
# https://github.com/kata-containers/packaging/issues/483
#CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_BASE=y
# FIXME - check if we should be setting this
# https://github.com/kata-containers/packaging/issues/483
# I have a feeling it effects our memory hotplug maybe?
# PHYSICAL_ALIGN=0x1000000
CONFIG_RETPOLINE=y
# This would only affect two drivers, neither of which we have enabled.
# The recommendation is to have it on, and you will see if in a diff if you
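Review bot: CONFIG_RANDOMIZE_BASE=y is enabled here in place of the commented-out "#CONFIG_RANDOMIZE_BASE=y" and its FIXME, but the commit message does not say how the question tracked in packaging issue 483 was settled. The PHYSICAL_ALIGN FIXME that stays behind still cites the same issue and a possible memory hotplug interaction, so please state whether hotplug was exercised with the randomized base, or leave a short comment next to CONFIG_RANDOMIZE_BASE=y recording the outcome. The message explains the CONFIG_RELOCATABLE dependency only for aarch64, while this fragment is shared, so a sentence on the other architectures that consume it would help.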

@ -10,3 +10,7 @@ CONFIG_KVM_GUEST=y
# Use the maximum number of CPUs supported by KVM (240)
CONFIG_NR_CPUS=240
# For security
CONFIG_LEGACY_VSYSCALL_NONE=y
CONFIG_RETPOLINE=y
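Review bot: The two options added under "# For security" carry no rationale, unlike the CONFIG_NR_CPUS entry just above, which explains its value. A one-line comment for each would keep the reason visible in the fragment: CONFIG_LEGACY_VSYSCALL_NONE=y removes the legacy vsyscall page, and CONFIG_RETPOLINE=y builds the kernel with the retpoline mitigation for Spectre variant 2. Stating that both exist only on x86-64 would also record why they were moved out of the shared fragment.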