projects / kconfig-hardened-check.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 4852f76)
Update the KSPP recommendations
authorAlexander Popov <alex.popov@linux.com>
Thu, 16 Sep 2021 18:01:57 +0000 (21:01 +0300)
committerAlexander Popov <alex.popov@linux.com>
Thu, 16 Sep 2021 18:01:57 +0000 (21:01 +0300)
kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config patch | blob | history
kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config patch | blob | history
kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config patch | blob | history
kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config patch | blob | history

diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
index 4271f7db57768d9335204531c8e26ce2a2c53612..3bba331d2d43146a766561d3e9ed1a2a083baa8e 100644 (file)
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
@@ -1,5 +1,5 @@
 # CONFIGs
-# Linux/arm 5.4.0 Kernel Configuration
+# Linux/arm 5.14.0 Kernel Configuration
 
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -152,7 +152,6 @@ CONFIG_GCC_PLUGIN_STACKLEAK=y
 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
 
-
 # arm
 
 CONFIG_ARM=y
@@ -168,3 +167,5 @@ CONFIG_CPU_SW_DOMAIN_PAN=y
 
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set
+
+
diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
index 50434940534812ec3b65de78754b5c69c4b154be..6a24c42b6b749b93d2eb04cf36e75713a7dca7a0 100644 (file)
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
@@ -1,5 +1,5 @@
 # CONFIGs
-# Linux/arm64 5.4.0 Kernel Configuration
+# Linux/arm64 5.14.0 Kernel Configuration
 
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -152,7 +152,6 @@ CONFIG_GCC_PLUGIN_STACKLEAK=y
 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
 
-
 # arm64
 
 CONFIG_ARM64=y
@@ -163,8 +162,13 @@ CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 
+# Randomize kernel stack offset on syscall entry (since v5.13).
+CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
+
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y
 
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_UNMAP_KERNEL_AT_EL0=y
+
+
diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
index edca82b7414ee94eaa7b3b4d73896d6c70343482..a382f411912194929c2d93cd524cba4b753d6534 100644 (file)
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
@@ -1,5 +1,5 @@
 # CONFIGs
-# Linux/i386 5.4.0 Kernel Configuration
+# Linux/i386 5.14.0 Kernel Configuration
 
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -171,6 +171,9 @@ CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y
 
+# Randomize kernel stack offset on syscall entry (since v5.13).
+CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
+
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 
diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
index 799a37db5555b9706f8f487940e991e005088af6..c6b08206d53c308f749bb4dcb8f2982039b1f2c4 100644 (file)
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
@@ -1,5 +1,5 @@
 # CONFIGs
-# Linux/x86_64 5.4.0 Kernel Configuration
+# Linux/x86_64 5.14.0 Kernel Configuration
 
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -167,6 +167,9 @@ CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 
+# Randomize kernel stack offset on syscall entry (since v5.13).
+CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
+
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 
kconfig-hardened-check