- کانفیگ hardening شده هسته Linux برای محیط production x64:
(قبل از کامپایل هسته Linux بهمین شکل پارامترهارو داخل فایل .config
موجود در سورس لینوکس تون اعمال کنید)
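# Hardened x86-64 production fragment, one symbol per line.
# A ".config" parser treats everything after "#" as a comment, so the options
# must not share a line. After merging this fragment run `make olddefconfig`
# and compare the resulting .config against it: Kconfig silently drops any
# symbol whose dependencies are unmet or that does not exist in the kernel
# version being built, so an option listed here is not proof it is active.
CONFIG_64BIT=y
# CONFIG_X86_32 is not set
CONFIG_X86_64=y
CONFIG_OUTPUT_FORMAT="elf64-x86-64"
# Linux <= 5.15.*
CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
# NOTE(review): BROKEN_ON_SMP has no prompt in Kconfig (it is derived from
# BROKEN / !SMP), so this line is expected to have no effect on an SMP build.
CONFIG_BROKEN_ON_SMP=y
CONFIG_BUG=y
CONFIG_LOCALVERSION_AUTO=y
CONFIG_GCC_PLUGINS=y
# CONFIG_KERNEL_GZIP is not set
CONFIG_KERNEL_LZMA=y
# Disallow 16-bit programs.
# CONFIG_MODIFY_LDT_SYSCALL is not set
# CONFIG_UNUSED_SYMBOLS is not set
# Linux >= 5.15.*
CONFIG_WERROR=y
# CONFIG_LEGACY_PTYS is not set
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=30
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# CONFIG_FAULT_INJECTION is not set
# For firmware tests.
# NOTE(review): EFI_TEST and DMI_SYSFS are firmware test/inspection interfaces;
# if no firmware testing is done on the production host, leaving them unset
# reduces the kernel interface exposed to root.
CONFIG_CGROUP_FREEZER=y
CONFIG_DMI_SYSFS=y
CONFIG_EFI_TEST=m
CONFIG_DEFAULT_HOSTNAME="(none)"
# CONFIG_X86_MSR is not set
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
# IKCONFIG_PROC publishes the build configuration (including which mitigations
# are on) at /proc/config.gz once the module is loaded; consider leaving both
# unset on production and keeping the .config with the build artefacts instead.
CONFIG_IKCONFIG=m
CONFIG_IKCONFIG_PROC=y
# Core dumps can contain secrets from process memory; if this stays enabled,
# restrict where dumps go and who can read them (core_pattern, RLIMIT_CORE).
CONFIG_COREDUMP=y
# CONFIG_DEBUG_PAGEALLOC is not set
CONFIG_DEBUG_WX=y
# CONFIG_KASAN is not set
# CONFIG_DEBUG_KMEMLEAK is not set
CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_DEBUG_FS_DISALLOW_MOUNT=y
# netconsole sends kernel log messages over UDP without encryption or
# authentication, which sidesteps SECURITY_DMESG_RESTRICT for anyone on the
# path; load it only towards a trusted management network.
CONFIG_NETCONSOLE=m
# CONFIG_KGDB is not set
# Optional.
# With MODULE_SIG alone an unsigned module still loads and only taints the
# kernel; signature enforcement additionally needs MODULE_SIG_FORCE=y (or the
# module.sig_enforce boot parameter).
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_VMAP_STACK=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_SECURITY_DMESG_RESTRICT=y
# SECURITY_LOADPIN_ENFORCE depends on SECURITY_LOADPIN; without the parent
# symbol the enforce option is dropped and LoadPin is not built at all.
CONFIG_SECURITY_LOADPIN=y
CONFIG_SECURITY_LOADPIN_ENFORCE=y
# Writable LSM hooks weaken the LSM framework and exist only to support
# runtime SELinux disable, which this fragment turns off further down, so the
# hardened setting is "not set" (the original list had =y here).
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
CONFIG_KFENCE=y
CONFIG_SCHED_CORE=y
CONFIG_ZERO_CALL_USED_REGS=y
# CONFIG_ACPI_CUSTOM_METHOD is not set
# CONFIG_COMPAT_BRK is not set
# CONFIG_PROC_KCORE is not set
# CONFIG_COMPAT_VDSO is not set
# Optional.
# CONFIG_KEXEC is not set
# CONFIG_HIBERNATION is not set
# CONFIG_INET_DIAG is not set
# CONFIG_BINFMT_MISC is not set
# CONFIG_PROVE_LOCKING is not set
CONFIG_SYN_COOKIES=y
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
CONFIG_SECURITY_LANDLOCK=y
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
CONFIG_DEBUG_KERNEL=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
# With DEVMEM unset there is no /dev/mem at all; the two STRICT_DEVMEM options
# below depend on DEVMEM and only matter if it is ever turned back on.
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
CONFIG_ARCH_MMAP_RND_BITS=32
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
# GCC_PLUGIN_STRUCTLEAK_BYREF_ALL and INIT_STACK_ALL_ZERO (last line) are
# alternatives in the same Kconfig choice, so only one of them ends up in the
# final .config; check which one the toolchain in use actually selected.
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
CONFIG_GCC_PLUGIN_STACKLEAK=y
CONFIG_PCIEASPM=y
CONFIG_PCIEASPM_DEFAULT=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_INTEGRITY=y
# CONFIG_FAIL_FUTEX is not set
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# CONFIG_MMIOTRACE_TEST is not set
# CONFIG_VIDEO_VIVID is not set
CONFIG_REFCOUNT_FULL=y
CONFIG_INIT_STACK_ALL_ZERO=y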
- کانفیگ هسته Linux برای محیط debugging:
(قبل از کامپایل هسته Linux بهمین شکل پارامترهارو داخل فایل .config
موجود در سورس لینوکس تون اعمال کنید)
# Debugging fragment, one symbol per line. It deliberately turns off or
# reverses most of the hardening options of a production build (module
# signing, dmesg restriction, panic-on-oops, debugfs lockdown) and exposes
# kernel memory and symbols, so a kernel built from it belongs on an isolated
# lab machine or VM, never on a production or internet-facing host.
# NOTE(review): many of the DEBUG_* symbols below depend on DEBUG_KERNEL,
# which this list does not set - confirm with `make olddefconfig` that they
# survive into the final .config.
# Enable only for non-embedded systems.
CONFIG_BUG=y
# For old buggy drivers that don't do proper locking.
CONFIG_BROKEN_ON_SMP=y
CONFIG_LOCALVERSION="-debug"
# CONFIG_LOCALVERSION_AUTO is not set
# Allow 16-bit programs.
CONFIG_MODIFY_LDT_SYSCALL=y
# Enable in-kernel .config file.
CONFIG_IKCONFIG=m
CONFIG_IKCONFIG_PROC=y
# Prints symbolic crash information and symbolic stack backtraces.
CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_ALL=y
# Generates crash dump and used by `kdump` program.
CONFIG_CRASH_DUMP=y
# Enable support for performing core dumps.
CONFIG_COREDUMP=y
CONFIG_DYNAMIC_FTRACE=y
CONFIG_FAULT_INJECTION=y
# With DMESG_RESTRICT unset, unprivileged users can read the kernel log,
# including any addresses printed in it.
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_DEBUG_PAGEALLOC=y
CONFIG_SCHED_STACK_END_CHECK=y
# Enabling(=y) this option may freeze your system.
# CONFIG_KASAN is not set
CONFIG_DEBUG_WX=y
CONFIG_DEBUG_KMEMLEAK=y
# Module signature checking is off: any module root loads is accepted.
# CONFIG_MODULE_SIG is not set
CONFIG_UNUSED_SYMBOLS=y
# debugfs can be mounted, exposing driver internals to root.
# CONFIG_DEBUG_FS_DISALLOW_MOUNT is not set
CONFIG_UBSAN=y
CONFIG_KCSAN=y
# DEFAULT_ENABLE=0x1 enables every SysRq function, and SYSRQ_SERIAL accepts
# the SysRq sequence over the serial port: anyone with console or serial
# access can reboot, kill tasks or dump memory state.
CONFIG_MAGIC_SYSRQ=y
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x1
CONFIG_MAGIC_SYSRQ_SERIAL=y
# netconsole ships the kernel log over unauthenticated, unencrypted UDP.
CONFIG_NETCONSOLE=m
CONFIG_NETCONSOLE_DYNAMIC=y
# Enable remote debugging.
# KGDB gives whoever reaches the debug channel full control of the kernel.
CONFIG_KGDB=y
CONFIG_DEBUG_BUGVERBOSE=y
CONFIG_DYNAMIC_DEBUG=y
CONFIG_DYNAMIC_DEBUG_CORE=y
CONFIG_DEBUG_INFO=y
# Kernel >= 5.15
CONFIG_WERROR=y
# Warning!
# Lets root inject custom ACPI methods, i.e. run arbitrary AML in the kernel.
CONFIG_ACPI_CUSTOM_METHOD=y
# Warning!
# /proc/kcore exposes kernel memory as a core file to root.
CONFIG_PROC_KCORE=y
# Warning!
# Maps the compat vDSO at a predictable address, weakening ASLR for 32-bit
# processes.
CONFIG_COMPAT_VDSO=y
# Warning!
# kexec lets root boot another kernel image without going through firmware;
# hibernation writes a memory image to disk that can be read or altered offline.
CONFIG_KEXEC=y
CONFIG_HIBERNATION=y
CONFIG_LEGACY_PTYS=y
# CONFIG_PANIC_ON_OOPS is not set
CONFIG_PANIC_TIMEOUT=0
CONFIG_PROVE_LOCKING=y
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_LATENCYTOP=y
CONFIG_LOCK_STAT=y
CONFIG_DEBUG_ATOMIC_SLEEP=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
# For firmware tests.
CONFIG_CGROUP_FREEZER=y
CONFIG_DMI_SYSFS=m
CONFIG_EFI_TEST=m
# Warning!
# NOTE(review): this "Warning!" sits in front of an option that is switched
# off; DEVMEM unset removes /dev/mem, and STRICT_DEVMEM below depends on
# DEVMEM, so it has no effect here - confirm what the author intended.
# CONFIG_DEVMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_FUNCTION_TRACER=y
CONFIG_FUNCTION_GRAPH_TRACER=y
CONFIG_ARCH_MMAP_RND_BITS=28
CONFIG_GCC_PLUGINS=y
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
CONFIG_PCIEASPM=y
CONFIG_PCIEASPM_DEFAULT=y
CONFIG_KPROBES=y
# Warning!
# NOTE(review): DEVKMEM depends on DEVMEM, which is unset above, and the
# symbol is absent from newer kernels, so this line is likely dropped by
# Kconfig - verify against the kernel version being built.
CONFIG_DEVKMEM=y
# The mmiotrace test module writes to I/O memory at a given address; load it
# only on disposable test hardware.
CONFIG_MMIOTRACE_TEST=y
با یه سی پی یو ۴ کور چقدر طول میکشه کامپایل بشه ؟