configs/hardening: Enable CONFIG_KSTACK_ERASE

author Kees Cook <kees@kernel.org>

Thu, 17 Jul 2025 23:25:17 +0000 (16:25 -0700)

committer Kees Cook <kees@kernel.org>

Tue, 22 Jul 2025 04:41:48 +0000 (21:41 -0700)
author Kees Cook <kees@kernel.org>
Thu, 17 Jul 2025 23:25:17 +0000 (16:25 -0700)
committer Kees Cook <kees@kernel.org>
Tue, 22 Jul 2025 04:41:48 +0000 (21:41 -0700)
diff --git a/kernel/configs/hardening.config b/kernel/configs/hardening.config

index dd7c32fb5ac1bc72097ccd171a2cff2f0abe9b23..d24c2772d04d7f7444b04084c8764d95735b5b87 100644 (file)
--- a/kernel/configs/hardening.config
+++ b/kernel/configs/hardening.config
@@ -63,6 +63,9 @@ CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
  # Initialize all stack variables to zero on function entry.
  CONFIG_INIT_STACK_ALL_ZERO=y
  
+# Wipe kernel stack after syscall completion to reduce stale data lifetime.
+CONFIG_KSTACK_ERASE=y
+
  # Wipe RAM at reboot via EFI. For more details, see:
  # https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
  # https://bugzilla.redhat.com/show_bug.cgi?id=1532058
author	Kees Cook <kees@kernel.org>
	Thu, 17 Jul 2025 23:25:17 +0000 (16:25 -0700)
committer	Kees Cook <kees@kernel.org>
	Tue, 22 Jul 2025 04:41:48 +0000 (21:41 -0700)