linux: Enable SLAB_FREELIST_HARDENED, SLAB_FREELIST_RANDOM

Enabled in [Arch][1], [Debian][2], [Fedora][3]; no others checked. Recommended by [Kernel Self Protection Project][4]. This should also implicitly enable SHUFFLE_PAGE_ALLOCATOR. Performance impact per upstream: For _HARDENED: > The difference gets lost in the noise, but if the above is to be taken > literally, using CONFIG_FREELIST_HARDENED is 0.07% slower. For _RANDOM: > Performance results highlighted no major changes [1]: 66d72ee54a/trunk/config (L1037-L1038) [2]: 07731f5956/debian/config/config (L6742-6743) [3]: 6d6ad72f0c/f/kernel-x86_64-fedora.config (_6079) [4]: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
2022-08-27 13:45:26 -04:00 · 2022-08-27 13:45:26 -04:00 · 00a45bc41b
commit 00a45bc41b
parent f214afa5fb
1 changed files with 3 additions and 0 deletions
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@ -878,6 +878,9 @@ let
      SCSI_LOGGING = yes; # SCSI logging facility
      SERIAL_8250  = yes; # 8250/16550 and compatible serial support

+      SLAB_FREELIST_HARDENED = whenAtLeast "4.14" yes;
+      SLAB_FREELIST_RANDOM   = whenAtLeast "4.10" yes;
+
      SLIP_COMPRESSED = yes; # CSLIP compressed headers
      SLIP_SMART      = yes;