Save the list of disabled mitigations of CPU vulnerabilities (for history)
diff --git
a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
index 91e61892f2244914d31b72d162d9d6483ac43f76..76c212f3b592bc690634690be1d275a13bfaf6dd 100644
(file)
--- a/
kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
+++ b/
kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
@@
-30,6
+30,7
@@
CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_VIRTUAL=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
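Review bot: The added `CONFIG_DEBUG_VIRTUAL=y` is the only new option in this hunk without a rationale comment, whereas the other additions in this commit each explain what they are for. Per its Kconfig help the option enables costly sanity checks in the virt-to-page conversion code, so readers of this recommendation file should know it trades runtime cost for catching misuse of virt_to_page()/virt_to_phys() and friends. I would precede the new line with `# Sanity-check virt_to_phys()/virt_to_page() arguments (adds some runtime cost).`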
@@
-37,6
+38,9
@@
CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
+# Make sure line disciplines can't be autoloaded (since v5.1).
+# CONFIG_LDISC_AUTOLOAD is not set
+
# Provide userspace with ptrace ancestry protections.
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y
# Provide userspace with ptrace ancestry protections.
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y
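Review bot: The comment above the new `# CONFIG_LDISC_AUTOLOAD is not set` reads as a hard disable, but as far as I recall this Kconfig only sets the default of the `dev.tty.ldisc_autoload` sysctl, which root can set back to 1 at runtime, so a checker built on this file should treat it as a default rather than a guarantee. I'd extend the comment to `# Only sets the default of the dev.tty.ldisc_autoload sysctl; root can re-enable autoloading at runtime.` The `(since v5.1)` tag matches the kernel release that introduced the option.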
@@
-47,8
+51,8
@@
CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_LANDLOCK=y
# Make sure SELinux cannot be disabled trivially.
CONFIG_SECURITY_LANDLOCK=y
# Make sure SELinux cannot be disabled trivially.
-# SECURITY_SELINUX_BOOTPARAM is not set
-# SECURITY_SELINUX_DEVELOP is not set
+#
CONFIG_
SECURITY_SELINUX_BOOTPARAM is not set
+#
CONFIG_
SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
# Enable "lockdown" LSM for bright line between the root user and kernel memory.
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
# Enable "lockdown" LSM for bright line between the root user and kernel memory.
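Review bot: The two corrected lines now carry the `CONFIG_` prefix so they parse as real "is not set" entries instead of free-text comments, but the heading "Make sure SELinux cannot be disabled trivially" is still only partly backed: the option that permits disabling SELinux at runtime is `CONFIG_SECURITY_SELINUX_DISABLE` (dropped upstream in recent kernels), and it does not appear in this hunk. If it is not handled elsewhere in the file, I'd add `# CONFIG_SECURITY_SELINUX_DISABLE is not set` next to the two fixed lines. It is also worth grepping the rest of the file for other `# SECURITY_... is not set` entries missing the prefix, since that mistake silently turns a check into a comment.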
@@
-144,8
+148,14
@@
CONFIG_SCHED_CORE=y
CONFIG_ZERO_CALL_USED_REGS=y
# Wipe RAM at reboot via EFI.
CONFIG_ZERO_CALL_USED_REGS=y
# Wipe RAM at reboot via EFI.
+# For more details, see:
+# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
+# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y
CONFIG_RESET_ATTACK_MITIGATION=y
+# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
+CONFIG_STATIC_USERMODEHELPER=y
+
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
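Review bot: `CONFIG_STATIC_USERMODEHELPER=y` on its own is incomplete: the helper binary is chosen by `CONFIG_STATIC_USERMODEHELPER_PATH` (default `/sbin/usermode-helper`), and an empty path disables every usermode-helper call, so the recommendation should state the expected path alongside the new line, e.g. `CONFIG_STATIC_USERMODEHELPER_PATH="/sbin/usermode-helper"` with a comment that the binary must exist and dispatch to the real helpers. The "will break regular distros" warning would be clearer if it named the cause: every call_usermodehelper() target (modprobe, hotplug, core_pattern pipes) is redirected to that single binary. Likewise `CONFIG_RESET_ATTACK_MITIGATION=y` only asks the firmware to wipe RAM; its Kconfig help notes it should be paired with userspace that clears the MemoryOverwriteRequest flag on clean shutdown, otherwise every reboot pays for the wipe. The hunk appears to end at the `ACPI_CUSTOM_METHOD` context line; if it continues past this page the remarks apply to the visible part.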