Comment 0 for bug 1683505

Leann Ogasawara (leannogasawara) wrote :

Kees Cook is requesting the following be enabled for our Raspi2/3 enabled kernel:

config CPU_SW_DOMAIN_PAN
        bool "Enable use of CPU domains to implement privileged no-access"
        depends on MMU && !ARM_LPAE
        default y
        help
          Increase kernel security by ensuring that normal kernel accesses
          are unable to access userspace addresses. This can help prevent
          use-after-free bugs becoming an exploitable privilege escalation
          by ensuring that magic values (such as LIST_POISON) will always
          fault when dereferenced.

          CPUs with low-vector mappings use a best-efforts implementation.
          Their lower 1MB needs to remain accessible for the vectors, but
          the remainder of userspace will become appropriately inaccessible.
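A check a kernel maintainer would want before and after flipping this option, added here as an example and not part of the bug comment: a POSIX sh function that reads a kernel .config and reports whether CONFIG_CPU_SW_DOMAIN_PAN is on, and if it is not, whether the dependencies quoted above (MMU && !ARM_LPAE) rule it out. The sample config files are constructed for the demonstration.

```shell
# config_val FILE SYMBOL -> prints y, m, n (for "# X is not set") or unset
config_val() {
    file=$1; sym=$2
    if grep -q "^CONFIG_${sym}=y" "$file"; then echo y
    elif grep -q "^CONFIG_${sym}=m" "$file"; then echo m
    elif grep -q "^# CONFIG_${sym} is not set" "$file"; then echo n
    else echo unset
    fi
}

# pan_status FILE -> one of:
#   enabled        CPU_SW_DOMAIN_PAN=y
#   disabled       symbol is present but switched off
#   blocked-lpae   cannot be enabled: it depends on !ARM_LPAE and ARM_LPAE=y
#   blocked-nommu  cannot be enabled: it depends on MMU
#   unavailable    symbol absent for another reason (not an ARM32 tree, old kernel)
pan_status() {
    file=$1
    case $(config_val "$file" CPU_SW_DOMAIN_PAN) in
        y) echo enabled; return 0 ;;
        n) echo disabled; return 0 ;;
    esac
    if [ "$(config_val "$file" ARM_LPAE)" = y ]; then echo blocked-lpae
    elif [ "$(config_val "$file" MMU)" != y ]; then echo blocked-nommu
    else echo unavailable
    fi
}

# Constructed sample configs (not real Ubuntu configs) so this runs offline.
tmp=$(mktemp -d)
printf 'CONFIG_MMU=y\n# CONFIG_ARM_LPAE is not set\nCONFIG_CPU_SW_DOMAIN_PAN=y\n' > "$tmp/pan-on"
printf 'CONFIG_MMU=y\nCONFIG_ARM_LPAE=y\n' > "$tmp/lpae"
printf 'CONFIG_MMU=y\n# CONFIG_ARM_LPAE is not set\n# CONFIG_CPU_SW_DOMAIN_PAN is not set\n' > "$tmp/pan-off"

for f in pan-on lpae pan-off; do
    printf '%s: %s\n' "$f" "$(pan_status "$tmp/$f")"
done
# On a live system: pan_status /boot/config-"$(uname -r)"
```

The LPAE case matters for Raspi3 builds: an ARM32 kernel configured with ARM_LPAE=y cannot carry this option at all, so the report distinguishes "off" from "impossible".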