
security(kernel): enable hardening config defaults#16714

Open
rlmenge wants to merge 5 commits into tomls/base/main from rlmenge/tomls/kernel/hardening

Conversation


@rlmenge rlmenge commented Apr 17, 2026

Summary

Layer five surgical kernel hardening changes from KSPP (via https://github.com/a13xp0p0v/kernel-hardening-checker/)

  • Data-corruption detection — CONFIG_BUG_ON_DATA_CORRUPTION=y plus CONFIG_DEBUG_LIST/PLIST/SG/NOTIFIERS=y so linked-list / sg / notifier-chain corruption panics instead of silently continuing.
  • Slab de-merging — # CONFIG_SLAB_MERGE_DEFAULT is not set to prevent cross-cache use-after-free exploitation. slab_merge can still be re-enabled at boot if ever needed.
  • CET/IBT + vsyscall lockdown — CONFIG_X86_KERNEL_IBT=y (ROP/JOP mitigation on supported CPUs) and CONFIG_LEGACY_VSYSCALL_NONE=y (remove the legacy fixed-address vsyscall page).
  • LSM mmap floor + SMMU bypass off — CONFIG_LSM_MMAP_MIN_ADDR=65536 (block NULL-ptr-deref exploit mmaps); on aarch64, CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT=y so unconfigured devices can't DMA around the IOMMU.
  • LIST_HARDENED — CONFIG_LIST_HARDENED=y for cheap inline list corruption checks.
Change Log
  • enabled hardening defaults
Associated issues
Test Methodology

Task ID: 1504330

  • qemu test
[test@azurelinux-vm ~]$ grep -E "^(# )?CONFIG_(SLAB_MERGE_DEFAULT|X86_KERNEL_IBT|LEGACY_VSYSCALL_NONE|LSM_MMAP_MIN_ADDR|LIST_HARDENED|BUG_ON_DATA_CORRUPTION|DEBUG_LIST|DEBUG_SG|DEBUG_NOTIFIERS|DEBUG_PLIST|IOMMU_DEFAULT_DMA)[ =]" /boot/config-$(uname -r) | sort
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_PLIST=y
CONFIG_DEBUG_SG=y
CONFIG_LEGACY_VSYSCALL_NONE=y
CONFIG_LIST_HARDENED=y
CONFIG_LSM_MMAP_MIN_ADDR=65536
# CONFIG_SLAB_MERGE_DEFAULT is not set
CONFIG_X86_KERNEL_IBT=y
[test@azurelinux-vm ~]$ uname -a
Linux azurelinux-vm 6.18.5-1.9.azl4.x86_64 #1 SMP Thu Apr 16 22:43:26 UTC 2026 x86_64 GNU/Linux
[test@azurelinux-vm ~]$ 
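A config-drift check for the option set this PR enables, added here as an example (it is not code from the PR or from Azure Linux): it reads a .config-style file and prints one line per setting that differs from the expected hardening values, using the x86_64/aarch64 split from the description. The sample config it builds is constructed; for a real kernel point it at /boot/config-$(uname -r).

```shell
#!/bin/sh
# Added example, not code from the PR: compare a kernel .config against the
# hardening set this PR enables and list every deviation.
# Settings the PR sets on both architectures (from the PR description).
COMMON='CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_PLIST=y
CONFIG_DEBUG_SG=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_LIST_HARDENED=y
# CONFIG_SLAB_MERGE_DEFAULT is not set'
# Per-arch settings. The aarch64 LSM mmap floor is still open in the review,
# so it is deliberately not asserted here.
X86_64='CONFIG_X86_KERNEL_IBT=y
CONFIG_LEGACY_VSYSCALL_NONE=y
CONFIG_LSM_MMAP_MIN_ADDR=65536'
AARCH64='CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT=y'

expected_for() {                      # print the expected lines for one arch
  printf '%s\n' "$COMMON"
  case "$1" in
    x86_64)  printf '%s\n' "$X86_64" ;;
    aarch64) printf '%s\n' "$AARCH64" ;;
  esac
}

# check_hardening <config-file> <arch>: one line per deviation, in the form
#   CONFIG_FOO: want 'CONFIG_FOO=y', have 'CONFIG_FOO=n'   (or have '<missing>')
check_hardening() {
  expected_for "$2" | while IFS= read -r want; do
    grep -Fxq -- "$want" "$1" && continue       # exact expected line present
    sym=$(printf '%s' "$want" | sed -e 's/^# //' -e 's/ is not set$//' -e 's/=.*//')
    have=$(grep -E "^(# )?$sym[ =]" "$1" | head -n 1)
    printf "%s: want '%s', have '%s'\n" "$sym" "$want" "${have:-<missing>}"
  done
}

# Number of deviations, handy as an exit-code style summary.
deviation_count() { check_hardening "$1" "$2" | wc -l | tr -d ' '; }

# Constructed sample config: the common block with slab merging flipped back
# on, a stale LSM floor of 0, and no IBT line at all.
sample_x86_config() {
  f=$(mktemp)
  printf '%s\n' "$COMMON" | sed 's/^# CONFIG_SLAB_MERGE_DEFAULT is not set$/CONFIG_SLAB_MERGE_DEFAULT=y/' >"$f"
  printf 'CONFIG_LEGACY_VSYSCALL_NONE=y\nCONFIG_LSM_MMAP_MIN_ADDR=0\n' >>"$f"
  echo "$f"
}
```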

rlmenge added 5 commits April 17, 2026 20:32
Enable LIST_HARDENED and BUG_ON_DATA_CORRUPTION on both x86_64 and
aarch64, which pulls in DEBUG_LIST, DEBUG_PLIST, DEBUG_SG, and
DEBUG_NOTIFIERS. Kernel panics on detected list-head/scatterlist/
notifier/credential corruption; KSPP recommended.
Set CONFIG_SLAB_MERGE_DEFAULT=n on x86_64 and aarch64 so distinct
allocation sites get distinct slab caches. Makes heap-spray attacks
harder by eliminating cross-site cache aliasing. Small memory overhead
(~few MB). Runtime-overridable via the slab_merge= boot parameter if a
regression is observed. KSPP recommended.
Enable CONFIG_X86_KERNEL_IBT to turn on Indirect Branch Tracking via
Intel CET, blocking indirect-branch-based ROP/JOP gadgets at the
hardware level. No cost on modern CPUs (Tiger Lake+/Zen3+); gracefully
disabled on older CPUs.

Switch from LEGACY_VSYSCALL_XONLY to LEGACY_VSYSCALL_NONE to remove
the legacy vsyscall page entirely. Userspace has used the vDSO for
years; the vsyscall=emulate boot parameter remains available as an
escape hatch for very old containers.
x86_64:
  - Raise CONFIG_LSM_MMAP_MIN_ADDR from 0 to 65536 so LSMs enforce
    the same mmap floor as vm.mmap_min_addr, blocking NULL-deref
    kernel-exploit primitives.

aarch64:
  - Enable CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT so unassigned
    devices cannot DMA through the SMMU without an explicit mapping.
Rebuild kernel RPMs to pick up the hardening config changes
(data-structure corruption detection, slab de-merge, x86 CET/IBT,
LEGACY_VSYSCALL_NONE, LSM mmap floor, SMMU default-deny).
@rlmenge rlmenge force-pushed the rlmenge/tomls/kernel/hardening branch from 08d9550 to bdfb314 Compare April 17, 2026 20:34
@rlmenge rlmenge marked this pull request as ready for review April 17, 2026 21:33
Copilot AI review requested due to automatic review settings April 17, 2026 21:33

Copilot AI left a comment


Pull request overview

This PR updates the Azure Linux kernel component to enable several KSPP-recommended hardening defaults by adjusting the shipped per-arch kernel .config files and bumping the kernel package release to produce a new build.

Changes:

  • Bump azl_pkgrelease for the kernel component to publish a new kernel release.
  • Enable multiple hardening-related kernel config options on x86_64 (IBT, vsyscall removal, slab de-merging, list/debug corruption checks, mmap floor).
  • Enable multiple hardening-related kernel config options on aarch64 (slab de-merging, list/debug corruption checks, SMMU bypass disable).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

  • base/comps/kernel/kernel.comp.toml: Bumps kernel package release macro used by the spec.
  • base/comps/kernel/6.18-x86_64-azl.config: Enables x86_64 hardening options (IBT, vsyscall none, mmap floor, corruption/debug checks, slab de-merging).
  • base/comps/kernel/6.18-aarch64-azl.config: Enables aarch64 hardening options (SMMU bypass disable, corruption/debug checks, slab de-merging).


Comment thread base/comps/kernel/kernel.comp.toml
Comment on lines +13541 to +13542
CONFIG_LIST_HARDENED=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
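Review bot: CONFIG_BUG_ON_DATA_CORRUPTION=y turns every detected list or notifier-chain corruption from a warning into a BUG(), which is the "panics instead of silently continuing" behaviour the PR summary describes, but the Test Methodology above only greps the config and prints uname. Suggest stating that availability trade-off in the commit message and extending the QEMU test to a boot-plus-workload run with crash-dump collection enabled, so a detection hit on a real machine leaves a vmcore rather than an unexplained reboot.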

Copilot AI Apr 17, 2026


PR description calls out setting an LSM mmap floor (CONFIG_LSM_MMAP_MIN_ADDR=65536), but the aarch64 config still leaves CONFIG_LSM_MMAP_MIN_ADDR=0 (see file contents around line ~13413). If the hardening is intended for all arches, this should be updated in the aarch64 config as well; if it’s intentionally x86_64-only, please clarify that in the PR description/commit message.

Contributor Author


This is a good callout. 3.0 uses CONFIG_LSM_MMAP_MIN_ADDR=4096 for arm64.

# CONFIG_DEBUG_SG is not set
# CONFIG_DEBUG_NOTIFIERS is not set
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_PLIST=y
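Review bot: the lines shown here leave CONFIG_DEBUG_SG and CONFIG_DEBUG_NOTIFIERS unset while CONFIG_DEBUG_LIST and CONFIG_DEBUG_PLIST are set, which does not match the PR summary ("CONFIG_DEBUG_LIST/PLIST/SG/NOTIFIERS=y") or the x86_64 test output that shows all four enabled. Please confirm which config file and which side of the diff this is; if it is the post-change aarch64 config, either set the two missing options or document the per-arch difference, and in either case name the Kconfig symbol that is supposed to select each DEBUG_* option rather than attributing them all to LIST_HARDENED and BUG_ON_DATA_CORRUPTION.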
Collaborator


issue: commit message indicates DEBUG_LIST, DEBUG_PLIST, DEBUG_SG, DEBUG_NOTIFIERS are enabled due to LIST_HARDENED and BUG_ON_DATA_CORRUPTION, but that doesn't look accurate from looking at the Kconfig selectors upstream:

security(kernel): enable kernel data-structure corruption detection
Enable LIST_HARDENED and BUG_ON_DATA_CORRUPTION on both x86_64 and
aarch64, which pulls in DEBUG_LIST, DEBUG_PLIST, DEBUG_SG, and
DEBUG_NOTIFIERS. Kernel panics on detected list-head/scatterlist/
notifier/credential corruption; KSPP recommended.

Can you clarify how these 4 DEBUG_* are being force-enabled? Do they help with enabling these other hardening configurations?

Note: I also do worry about performance penalty with the DEBUG options. But we should iterate on this with perf data to understand how much we're trading off for what we gain.


@rlmenge rlmenge Apr 20, 2026


Ack. We for sure want LIST_HARDENED as that has been beneficial in the past. I will confirm whether the DEBUG_* are also needed. I did check prior to this PR and they are enabled in our 3.0 offering except for DEBUG_PLIST.
