From 2b7f102b35b98b37d79bd8b322eb3232b800ccaf Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour <demi@invisiblethingslab.com>
Date: Wed, 6 Apr 2022 23:25:52 -0400
Subject: [PATCH] Add a couple simple hardening options

This assumes that nobody needs to run software that really needs
CONFIG_MODIFY_LDT_SYSCALL.  Not tested, but should be rather
straightforward.
---
 config-qubes | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/config-qubes b/config-qubes
index 886ba782..b464113d 100644
--- a/config-qubes
+++ b/config-qubes
@@ -31,7 +31,10 @@ CONFIG_GCC_PLUGINS=y
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
-## XXX: What's about RANDSTRUCT?
+## CONFIG_ZERO_CALL_USED_REGS=y requires too new a toolchain
+# CONFIG_SLUB_DEBUG_ON is not set
+## XXX: What's about RANDSTRUCT?  Answer: not useful against attacks targeting
+## Qubes, useful against generic attacks
 
 ## Those depend on CONFIG_EXPERT
 CONFIG_ARCH_MMAP_RND_BITS=32
@@ -40,6 +43,7 @@ CONFIG_ARCH_MMAP_RND_COMPAT_BITS=16
 # CONFIG_KEXEC is not set
 
 CONFIG_LEGACY_VSYSCALL_NONE=y
+# CONFIG_MODIFY_LDT_SYSCALL is not set
 
 # CONFIG_ACPI_CUSTOM_METHOD is not set