Hardening Security
The KCAL operators are deployed in the cVM environment. cVMs protect workloads through hardware isolation. However, the guest kernel running inside a cVM, or insecure use of it, may still introduce security vulnerabilities. The security of the overall architecture depends on strict control of the kernel configuration and the deployment environment. Therefore, you are advised to apply the following hardening measures to improve overall security.
Guest Kernel Compiler Security Options
| Compiler Security Option | Description |
|---|---|
| `CONFIG_KALLSYMS_ALL=n` | Prevents the kernel from exporting symbol addresses via kallsyms. This mitigates the risk of attackers (or escaped guest processes) using these addresses to leak and exploit kernel information. |
| `CONFIG_MODULES=n` | Prevents malicious or unsigned modules from being loaded at runtime, reducing the attack surface. |
| `CONFIG_MODULE_SIG=y` and `CONFIG_MODULE_SIG_ALL=y` | Enforces module signature verification when module loading must remain enabled, so that only signed modules can be loaded. |
| `CONFIG_PROC_KCORE=n` | Blocks access to /proc/kcore to prevent exposure of the kernel memory image, reducing the risk of leaking sensitive information. |
| `CONFIG_FUNCTION_TRACER` / `CONFIG_FTRACE` / `CONFIG_KPROBES` / `CONFIG_PERF_EVENTS` / `CONFIG_BPF` / `CONFIG_BPF_SYSCALL` `=n` | Prevents user-level or kernel-level dynamic monitoring, instrumentation, and JIT compilation (BPF JIT) from being leveraged by attackers (for reconnaissance, side-channel attacks, or persistence). |
| `CONFIG_SYSCTL=n` | Removes the runtime tuning interface provided by sysctl so that it cannot be abused to change security-relevant behavior. |
| `CONFIG_KEXEC` / `CONFIG_KEXEC_CORE` / `CONFIG_CRASH_DUMP` `=n` | Prevents loading a new kernel at runtime via kexec and dumping memory via crash dump, closing off both tampering and leakage channels. |
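A quick way to verify that a guest kernel build actually follows this table is to audit its `.config` before deployment. The script below is an added example, not part of the KCAL project; it assumes the standard kernel `.config` format (`CONFIG_X=y`, `CONFIG_X=m`, or `# CONFIG_X is not set`) and treats `CONFIG_MODULE_SIG*` as required only when `CONFIG_MODULES` is left enabled.

```shell
#!/bin/sh
# Added example (not KCAL code): audit a guest-kernel .config against the hardening table.
# Assumes standard .config lines: "CONFIG_X=y", "CONFIG_X=m", or "# CONFIG_X is not set".
MUST_BE_OFF="CONFIG_KALLSYMS_ALL CONFIG_MODULES CONFIG_PROC_KCORE CONFIG_FUNCTION_TRACER \
CONFIG_FTRACE CONFIG_KPROBES CONFIG_PERF_EVENTS CONFIG_BPF CONFIG_BPF_SYSCALL \
CONFIG_SYSCTL CONFIG_KEXEC CONFIG_KEXEC_CORE CONFIG_CRASH_DUMP"

# config_value FILE OPTION: prints y, m, or n (n when the option is unset or "is not set").
config_value() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    case "$v" in y|m) echo "$v" ;; *) echo n ;; esac
}

# check_config FILE: prints one line per violation plus a "violations: N" summary; always exits 0.
check_config() {
    count=0
    for opt in $MUST_BE_OFF; do
        if [ "$(config_value "$1" "$opt")" != n ]; then
            echo "VIOLATION: $opt should be n"
            count=$((count + 1))
        fi
    done
    # Module signing is only a requirement while module loading is kept enabled.
    if [ "$(config_value "$1" CONFIG_MODULES)" = y ]; then
        for opt in CONFIG_MODULE_SIG CONFIG_MODULE_SIG_ALL; do
            if [ "$(config_value "$1" "$opt")" != y ]; then
                echo "VIOLATION: $opt should be y while CONFIG_MODULES=y"
                count=$((count + 1))
            fi
        done
    fi
    echo "violations: $count"
}

# Constructed sample .config (not from a real build) mixing compliant and non-compliant lines.
SAMPLE_CONFIG="${TMPDIR:-/tmp}/kcal_sample_$$.config"
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_ALL is not set
CONFIG_PROC_KCORE=y
CONFIG_BPF=y
# CONFIG_SYSCTL is not set
EOF

check_config "$SAMPLE_CONFIG"
```

Run it against the real build output (`check_config /path/to/guest/.config`) as a gate in the kernel build pipeline; a non-zero violation count means the image should not be shipped into the cVM.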