From 3eca49b16ae8f1ce104aa4148fd8a4c15e0aa7d6 Mon Sep 17 00:00:00 2001
From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
Date: Thu, 14 Nov 2019 01:08:33 +0300
Subject: [PATCH] Enable wiping objects in RAM with enhanced_security

---
 kernel.spec | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/kernel.spec b/kernel.spec
index 58c5709..4d76ae6 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -11,7 +11,7 @@
 %define sublevel	10
 
 # Release number. Increase this before a rebuild.
-%define rpmrel		3
+%define rpmrel		4
 %define fullrpmrel	%{rpmrel}
 
 %define rpmtag		%{disttag}
@@ -765,6 +765,20 @@ echo CONFIG_MODULE_SIG_ALL=n >> .config
 echo CONFIG_MODULE_SIG_SHA512=y >> .config
 # Set path to the key that will be generated later by openssl
 echo CONFIG_MODULE_SIG_KEY="%{certs_signing_key_rnd}" >> .config
+
+# Memory wiping
+# Introduced in kernel 5.3 by commit 6471384af2a6530696fc0203bafe4de41a23c9ef
+# Estimated performance impact is described in the commit
+# "Fill newly allocated pages and heap objects with zeroes."
+# To enable, add to cmdline: init_on_alloc=1
+#sed -i '/CONFIG_INIT_ON_ALLOC_DEFAULT_ON/d' .config
+#echo CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y >> .config
+# "Fill freed pages and heap objects with zeroes"
+# To disable, add to cmdline: init_on_free=0
+sed -i '/CONFIG_INIT_ON_FREE_DEFAULT_O/d' .config
+echo CONFIG_INIT_ON_FREE_DEFAULT_ON=y >> .config
+# Here enabling only either only init_on_free or only init_on_alloc
+# makes sense; init_on_alloc is not about protecting information.
 %endif
 
 # Store the config file in the appropriate directory.