From Gentoo Wiki
Jump to:navigation Jump to:search
Warning, this page is a work in progress by JM01085758 (talk | contribs). Treat its contents with caution.

The Kernel Self-Protection Project is an ongoing effort to proactively improve kernel security and robustness by eliminating bug classes and exploitation methods. Its focus is less on using the kernel to protect userspace and more on designing the kernel to be able to defend the kernel itself from attack.[1] Much of the work to-date has focused on getting previous efforts from Grsecurity and PaX accepted upstream.[2]


The project was announced by Kees Cook[3] in 2015 with funding from the Linux Foundation's Core Infrastructure Initiative (CII).[4][5] The CII was succeeded by the Open Source Security Foundation (OpenSSF) in 2020[6] and the project has been funded by The Linux Foundation and Google together since 2021.[7][8]

Slides from the presentations given by Kees Cook during the past few years are available on his website:

and slides from Gustavo A. R. Silva's talk in 2022 are also available.[9]

Scope and goals

At the outset, it was observed[10] that the average lifetime of kernel security bugs with CVEs assigned in the "critical" and "high" priority categories was around 5.5 years on average.[11] Rather than continuing to play a game of whack-a-mole, it makes sense to, whenever possible and reasonable:

  • Eliminate bug classes
  • Eliminate exploit targets and methods
  • Design the kernel to fail safely[12]



The following settings are for a 64-bit kernel on the AMD64 architecture. Disabling X86_32 is also required, but that option is not even visible if 64BIT is enabled. It is possible to enable the KSPP recommendations on 32-bit kernels and other architectures, but the settings will not be identical.

KERNEL make menuconfig
[*] 64-bit kernel
    General setup  --->
        [*] Configure standard kernel features (expert users)  --->
    Processor type and features  --->
        < > /dev/cpu/*/msr - Model-specific register support
        [ ] kexec system call
        [ ] Disable the 32-bit vDSO (needed for glibc 2.3.3)       
        [ ] Enable the LDT (local descriptor table)
    Power management and ACPI options  --->
        [ ] Hibernation (aka 'suspend to disk')
        [*] ACPI (Advanced Configuration and Power Interface) Support  --->                                    
                < > Allow ACPI methods to be inserted/replaced at run time
    Binary Emulations  --->
        [ ] x32 ABI for 64-bit mode
    General architecture-dependent options  --->
        [*] GCC plugins  ---> 
    Memory Management options  --->
        [ ] Disable heap randomization
    Device Drivers 
            Character devices  --->
                [*] Enable TTY
                [ ]   Legacy (BSD) PTY support
        [*] IOMMU Hardware Support  --->
                IOMMU default domain type (Translated - Strict)  --->
    File systems  --->
        Pseudo filesystems  --->
            -*- /proc file system support
            [ ]   /proc/kcore support
    Security options  --->
        [*] Enable different security models
            Kernel hardening options  --->
                Randomize layout of sensitive kernel structures (Limit randomization of structure layout to cache-lines)  --->
    Gentoo Linux  --->
        [*] Gentoo Linux support


Once the previous options are finalized, the KSPP kernel options will become visible. They can then be applied via:

KERNEL make menuconfig
Gentoo Linux  --->
    [*] Kernel Self Protection Project  --->
            --- Kernel Self Protection Project
            [*]   Enable Kernel Self Protection Project Recommendations
            [*]     X86_64 KSPP Settings


Enabling GENTOO_KERNEL_SELF_PROTECTION_COMMON is equivalent to enabling the following options individually:

KERNEL make menuconfig
[*] 64-bit kernel
    General setup  --->
        -*- Core Scheduling for SMT
        [*] Configure standard kernel features (expert users)  --->
                -*-   BUG() support
    General architecture-dependent options  --->
        -*- Make kernel text and rodata read-only
        -*- Enable seccomp to safely execute untrusted bytecode
        -*- Stack Protector buffer overflow detection
        -*-   Strong Stack Protector
        [*] Support for randomizing kernel stack offset on syscall entry
        -*-   Default state of kernel stack offset randomization 
        [*] GCC plugins  ---> 
                -*-   Generate some entropy during boot and runtime 
    Memory Management options  --->
            SLAB allocator options  --->
                -*- Randomize slab freelist
                -*- Harden slab freelist metadata
        -*- Page allocator randomization
-*- Networking support  --->
            Networking options  --->
                -*- TCP/IP networking
                -*-   IP: TCP syncookie support
    Security options  --->
        -*- Restrict unprivileged access to the kernel syslog
        -*- Harden memory copies between kernel and userspace
        -*- Harden common str/mem functions against buffer overflows
        -*- Yama support
        -*- Landlock support
            Kernel hardening options  --->
                    Memory initialization  --->
                        -*- Enable heap memory zeroing on allocation by default
                        -*- Enable heap memory zeroing on free by default
                        -*- Enable register zeroing on function exit
                    Randomize layout of sensitive kernel structures (Limit randomization of structure layout to cache-lines)  --->
    Kernel hacking  --->
            Memory Debugging  --->
                -*- Enable SLUB debugging support
                -*- Poison pages after freeing
                -*- Warn on W+X mappings at boot
                -*- Detect stack corruption on calls to schedule()
                -*- KFENCE: low-overhead sampling-based memory safety error detector  ---> 
            Debug kernel data structures  --->
                -*- Debug linked list manipulation
                -*- Debug SG table operations
                -*- Debug notifier call chains
                -*- Trigger a BUG when data corruption is detected
            Debug Oops, Lockups and Hangs  --->
                -*- Panic on Oops
        -*- Debug credential management
        -*- Filter access to /dev/mem
        -*-   Filter I/O access to /dev/mem

These options —

  • REFCOUNT_FULL[13][14][15]

— may not be visible in the menus, but should show as enabled as well when searched for.

Project recommendations

A list of recommended settings for various architectures is maintained by the project here.

Mailing lists

The project's newer mailing list is at, but the older one at is still active. The new one was created in 2020 to keep "maintenance" topics off of the openwall list.[16] The latter is also mirrored at

See also

  • Signed kernel module support — allows further hardening of the system by disallowing unsigned kernel modules, or kernel modules signed with the wrong key, to be loaded.

External resources