185 lines
6.2 KiB
Text
185 lines
6.2 KiB
Text
menu "Kernel hacking"
|
|
|
|
source "lib/Kconfig.debug"
|
|
|
|
config FRAME_POINTER
|
|
bool
|
|
default y
|
|
|
|
config STRICT_DEVMEM
|
|
bool "Filter access to /dev/mem"
|
|
depends on MMU
|
|
help
|
|
If this option is disabled, you allow userspace (root) access to all
|
|
of memory, including kernel and userspace memory. Accidental
|
|
access to this is obviously disastrous, but specific access can
|
|
be used by people debugging the kernel.
|
|
|
|
If this option is switched on, the /dev/mem file only allows
|
|
userspace access to memory mapped peripherals.
|
|
|
|
If in doubt, say Y.
|
|
|
|
config ARM64_PTDUMP
|
|
bool "Export kernel pagetable layout to userspace via debugfs"
|
|
depends on DEBUG_KERNEL
|
|
select DEBUG_FS
|
|
help
|
|
Say Y here if you want to show the kernel pagetable layout in a
|
|
debugfs file. This information is only useful for kernel developers
|
|
who are working in architecture specific areas of the kernel.
|
|
It is probably not a good idea to enable this feature in a production
|
|
kernel.
|
|
If in doubt, say "N"
|
|
|
|
config PID_IN_CONTEXTIDR
|
|
bool "Write the current PID to the CONTEXTIDR register"
|
|
help
|
|
Enabling this option causes the kernel to write the current PID to
|
|
the CONTEXTIDR register, at the expense of some additional
|
|
instructions during context switch. Say Y here only if you are
|
|
planning to use hardware trace tools with this kernel.
|
|
|
|
config ARM64_RANDOMIZE_TEXT_OFFSET
|
|
bool "Randomize TEXT_OFFSET at build time"
|
|
help
|
|
Say Y here if you want the image load offset (AKA TEXT_OFFSET)
|
|
of the kernel to be randomized at build-time. When selected,
|
|
this option will cause TEXT_OFFSET to be randomized upon any
|
|
build of the kernel, and the offset will be reflected in the
|
|
text_offset field of the resulting Image. This can be used to
|
|
fuzz-test bootloaders which respect text_offset.
|
|
|
|
This option is intended for bootloader and/or kernel testing
|
|
only. Bootloaders must make no assumptions regarding the value
|
|
of TEXT_OFFSET and platforms must not require a specific
|
|
value.
|
|
|
|
config DEBUG_SET_MODULE_RONX
|
|
bool "Set loadable kernel module data as NX and text as RO"
|
|
depends on MODULES
|
|
help
|
|
This option helps catch unintended modifications to loadable
|
|
kernel module's text and read-only data. It also prevents execution
|
|
of module data. Such protection may interfere with run-time code
|
|
patching and dynamic kernel tracing - and they might also protect
|
|
against certain classes of kernel exploits.
|
|
If in doubt, say "N".
|
|
|
|
config FORCE_PAGES
|
|
bool "Force lowmem to be mapped with 4K pages"
|
|
depends on !DEBUG_RODATA
|
|
help
|
|
There are some advanced debug features that can only be done when
|
|
memory is mapped with pages instead of sections. Enable this option
|
|
to always map lowmem pages with pages. This may have a performance
|
|
cost due to increased TLB pressure.
|
|
|
|
If unsure say N.
|
|
|
|
config FREE_PAGES_RDONLY
|
|
bool "Set pages as read only while on the buddy list"
|
|
select FORCE_PAGES
|
|
select DEBUG_PAGEALLOC
|
|
help
|
|
Pages are always mapped in the kernel. This means that anyone
|
|
can write to the page if they have the address. Enable this option
|
|
to mark pages as read only to trigger a fault if any code attempts
|
|
to write to a page on the buddy list. This may have a performance
|
|
impact.
|
|
|
|
If unsure, say N.
|
|
|
|
config KERNEL_TEXT_RDONLY
|
|
bool "Set kernel text section pages as read only"
|
|
depends on FREE_PAGES_RDONLY
|
|
help
|
|
The kernel text pages are always mapped in the kernel.
|
|
This means that anyone can write to the page if they have
|
|
the address. Enable this option to mark the kernel text pages
|
|
as read only to trigger a fault if any code attempts to write
|
|
to a page part of the kernel text section. This may have a
|
|
performance impact.
|
|
|
|
If unsure, say N.
|
|
|
|
config DEBUG_RODATA
|
|
bool "Make kernel text and rodata read-only"
|
|
help
|
|
If this is set, kernel text and rodata will be made read-only. This
|
|
is to help catch accidental or malicious attempts to change the
|
|
kernel's executable code. Additionally splits rodata from kernel
|
|
text so it can be made explicitly non-executable.
|
|
|
|
If in doubt, say Y
|
|
|
|
config DEBUG_ALIGN_RODATA
|
|
depends on DEBUG_RODATA && !ARM64_64K_PAGES
|
|
bool "Align linker sections up to SECTION_SIZE"
|
|
help
|
|
If this option is enabled, sections that may potentially be marked as
|
|
read only or non-executable will be aligned up to the section size of
|
|
the kernel. This prevents sections from being split into pages and
|
|
avoids a potential TLB penalty. The downside is an increase in
|
|
alignment and potentially wasted space. Turn on this option if
|
|
performance is more important than memory pressure.
|
|
|
|
If in doubt, say N
|
|
|
|
comment "PowerManagement Feature"
|
|
menuconfig SEC_PM
|
|
bool "Samsung TN PowerManagement Feature"
|
|
default y
|
|
help
|
|
Samsung TN PowerManagement Feature.
|
|
|
|
if SEC_PM
|
|
config SEC_PM_DEBUG
|
|
bool "Samsung TN PowerManagement Debug Feature"
|
|
default n
|
|
help
|
|
Samsung TN PowerManagement Debug Feature.
|
|
|
|
endif
|
|
|
|
comment "Samsung Rooting Restriction Feature"
|
|
config SEC_RESTRICT_ROOTING
|
|
bool "Samsung Rooting Restriction Feature"
|
|
default n
|
|
help
|
|
Restrict unauthorized executions with root permission.
|
|
|
|
config SEC_RESTRICT_SETUID
|
|
bool "Restrict changing root privilege except allowed process"
|
|
depends on SEC_RESTRICT_ROOTING
|
|
default y
|
|
help
|
|
Say Y here if you want to restrict functions related setuid. Only allowed
|
|
process can chanage ROOT privilege. Saying N will not restrict changing
|
|
permission.
|
|
|
|
config SEC_RESTRICT_FORK
|
|
bool "Restrict forking process except allowed process"
|
|
depends on SEC_RESTRICT_ROOTING
|
|
default y
|
|
help
|
|
Say Y here if you want to restrict function related fork. Process matched
|
|
special condition will be not forked. Saying N will not restrict forking
|
|
process.
|
|
|
|
config SEC_RESTRICT_ROOTING_LOG
|
|
bool "Print restricted result to kernel log"
|
|
depends on SEC_RESTRICT_ROOTING
|
|
default n
|
|
help
|
|
Say Y here if you want to see result of restricting SETUID or FORK. It will
|
|
be displayed by kernel error log. Saying N will not be displayed anything.
|
|
|
|
comment "BSP Feature"
|
|
menuconfig SEC_BSP
|
|
bool "Samsung TN BSP Feature"
|
|
default n
|
|
help
|
|
Samsung TN BSP Feature.
|
|
|
|
endmenu
|