| # Kconfig fragment: forces the lockdown LSM into integrity mode and turns on | |
| # a small set of general memory-safety hardening options. | |
| # | |
| # This is the equivalent of booting with lockdown=integrity | |
| # NOTE: because the mode is forced at build time, it is not expected to be | |
| # relaxable from the kernel command line or at runtime. Integrity mode | |
| # restricts interfaces that let userspace modify the running kernel; the | |
| # stricter confidentiality mode is not selected by this fragment. | |
| CONFIG_SECURITY=y | |
| # securityfs is where the active lockdown state can be read back | |
| # (the "lockdown" file), which is the place to verify the mode after boot. | |
| CONFIG_SECURITYFS=y | |
| CONFIG_SECURITY_LOCKDOWN_LSM=y | |
| # Initialise the lockdown LSM early in boot rather than with the other LSMs. | |
| CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y | |
| CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y | |
| # These are some general, reasonably inexpensive hardening options | |
| # HARDENED_USERCOPY: size/bounds checks on copies to and from userspace. | |
| # FORTIFY_SOURCE: overflow checks in common string and memory helpers. | |
| # INIT_ON_ALLOC_DEFAULT_ON: zero-fill allocations by default; wiping on free | |
| # is a separate option and is not enabled by this fragment. | |
| CONFIG_HARDENED_USERCOPY=y | |
| CONFIG_FORTIFY_SOURCE=y | |
| CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y | |
| # UBSAN bounds checking is very cheap and good for hardening | |
| # NOTE(review): only CONFIG_UBSAN is set here; the bounds checker itself | |
| # (CONFIG_UBSAN_BOUNDS) is presumably picked up from its Kconfig default. | |
| # Confirm it is present in the generated .config. | |
| # NOTE(review): CONFIG_UBSAN_TRAP is not set by this fragment, so a detected | |
| # violation is presumably reported as a warning rather than stopped. Confirm | |
| # whether report-only behaviour is intended for a hardening profile. | |
| CONFIG_UBSAN=y | |
| # The next line is Kconfig's "explicitly disabled" syntax, not an ordinary | |
| # comment. Removing it lets the option fall back to its default. | |
| # NOTE(review): UBSAN_MISC exists only in some kernel versions; where it is | |
| # absent this line has no effect, and the remaining sanitizers would need to | |
| # be disabled individually. Verify against the target tree. | |
| # CONFIG_UBSAN_MISC is not set |