I saw in the recent kernel config that there are a few Grsecurity/PaX options not set.
Those might be handy to enable since not everyone has SMAP on their CPU yet.
I run older hardware, and even some newer hardware doesn't have SMAP.
These percentages are from the grsecurity wikibook https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options
CONFIG (performance hit):
- CONFIG_PAX_MEMORY_STRUCTLEAK: Even less than STACKLEAK.
- CONFIG_PAX_MEMORY_STACKLEAK: 1% on single CPU system.
- CONFIG_PAX_MEMORY_SANITIZE: 3% performance hit on single CPU system.
- CONFIG_PAX_MEMORY_UDEREF: Some virtualisation solutions can take a huge hit with security set.
- CONFIG_GRKERNSEC_IO: No performance hit.
- CONFIG_GRKERNSEC_NO_RBAC: If RBAC isn't going to be used it's better to turn this on to prevent any abuse, no performance hit.
- CONFIG_GRKERNSEC_SYSFS_RESTRICT: Might not work with Wayland and/or systemd?
- CONFIG_GRKERNSEC_TPE: Cool feature that can prevent things from executing everywhere, no performance hit.
- CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE: Not sure what the performance hit is, but increased security if turned off.
There is of course a trade-off for performance, but this could be solved with 2 kernels for people to choose from, for example in the installer or with a general apt install kernel-grsec-performance or kernel-grsec-security.
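As an added example (not from the thread or the project), the following POSIX shell script reads a kernel .config and reports, for each option named in the post above, whether it is built in (y), a module (m), explicitly "is not set" (n), or absent from the file, and whether the CPU flags line in /proc/cpuinfo advertises SMAP, the feature the poster notes older CPUs lack. The option list is the one from the post; the function names and the sample inputs are assumptions.

```shell
#!/bin/sh
# Added example: audit a kernel .config for the grsecurity/PaX options from the
# post and check whether the running CPU advertises SMAP. Function names and
# file arguments are assumptions, not part of any project's tooling.

OPTIONS="CONFIG_PAX_MEMORY_STRUCTLEAK CONFIG_PAX_MEMORY_STACKLEAK \
CONFIG_PAX_MEMORY_SANITIZE CONFIG_PAX_MEMORY_UDEREF CONFIG_GRKERNSEC_IO \
CONFIG_GRKERNSEC_NO_RBAC CONFIG_GRKERNSEC_SYSFS_RESTRICT CONFIG_GRKERNSEC_TPE \
CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE"

# config_state FILE OPTION
# Prints y (built in), m (module), n (present but "is not set"), or absent.
# The kernel writes disabled options as "# CONFIG_FOO is not set", so a plain
# grep for the name alone would count a disabled option as present.
config_state() {
    file=$1
    opt=$2
    if grep -q "^$opt=y" "$file"; then
        echo y
    elif grep -q "^$opt=m" "$file"; then
        echo m
    elif grep -q "^# $opt is not set" "$file"; then
        echo n
    else
        echo absent
    fi
}

# cpu_has_smap [CPUINFO]
# Prints yes if the first "flags" line lists smap as a whole word, else no.
cpu_has_smap() {
    cpuinfo=${1:-/proc/cpuinfo}
    if grep '^flags' "$cpuinfo" 2>/dev/null | head -n 1 \
            | tr ' ' '\n' | grep -qx smap; then
        echo yes
    else
        echo no
    fi
}

# report CONFIG_FILE [CPUINFO]
# One line per option, then the SMAP result; 10 lines in total.
report() {
    for opt in $OPTIONS; do
        printf '%-42s %s\n' "$opt" "$(config_state "$1" "$opt")"
    done
    printf 'CPU advertises SMAP: %s\n' "$(cpu_has_smap "${2:-/proc/cpuinfo}")"
}

# Usage as a script: sh check-grsec.sh /boot/config-$(uname -r)
if [ $# -ge 1 ]; then
    report "$1"
fi
```

An option reported as absent means the kernel tree was not built with that option available at all (for example a non-grsecurity kernel), which is a different situation from n, where the option existed and was deliberately left off.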
Offering more than one kernel is a great idea that we're already considering for other reasons (e.g. providing an 'airgap' kernel, etc). Thanks for the suggestion here, we'll take it seriously.