# Basic kernel hardening options (specific to x86)

# Modern libc no longer needs a fixed-position mapping in userspace, remove
# it as a possible target.
CONFIG_LEGACY_VSYSCALL_NONE=y

# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
CONFIG_INTEL_IOMMU_SVM=y
CONFIG_AMD_IOMMU=y

# Enforce CET Indirect Branch Tracking in the kernel.
CONFIG_X86_KERNEL_IBT=y

# Enable CET Shadow Stack for userspace.
CONFIG_X86_USER_SHADOW_STACK=y