Add defconfigs for Linux v6.1
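--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
@@ -30,6 +30,7 @@ CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
@@ -37,6 +38,9 @@ CONFIG_SCHED_STACK_END_CHECK=y
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
+# Make sure line disciplines can't be autoloaded (since v5.1).
+# CONFIG_LDISC_AUTOLOAD is not set
+
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
@@ -47,8 +51,8 @@ CONFIG_SECURITY_YAMA=y
 CONFIG_SECURITY_LANDLOCK=y
 # Make sure SELinux cannot be disabled trivially.
-# SECURITY_SELINUX_BOOTPARAM is not set
-# SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+# CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 # Enable "lockdown" LSM for bright line between the root user and kernel memory.
@@ -144,8 +148,14 @@ CONFIG_SCHED_CORE=y
 CONFIG_ZERO_CALL_USED_REGS=y
 # Wipe RAM at reboot via EFI.
+# For more details, see:
+# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
+# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y
+# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
+CONFIG_STATIC_USERMODEHELPER=y
+
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
@@ -240,7 +250,9 @@ CONFIG_RANDOMIZE_BASE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
+# Enable chip-specific IOMMU support.
+CONFIG_INTEL_IOMMU=y
+CONFIG_INTEL_IOMMU_DEFAULT_ON=y
+
 # Don't allow for 16-bit program emulation and associated LDT tricks.
 # CONFIG_MODIFY_LDT_SYSCALL is not set
-
-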
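Review bot: `CONFIG_STATIC_USERMODEHELPER=y` in the fourth hunk is only as restrictive as the helper path it pins, `CONFIG_STATIC_USERMODEHELPER_PATH`, which the hunk does not set, so unless that symbol is pinned elsewhere in this file the kernel's built-in default applies and a reader of this reference config cannot tell which single binary is being trusted. Since this file documents what the checker expects, consider setting the path explicitly next to it, e.g. `CONFIG_STATIC_USERMODEHELPER_PATH="/sbin/usermode-helper"` (the upstream default at the time of writing, to be confirmed against the v6.1 tree), or at least extending the comment to `# This needs userspace support (a single helper binary named by CONFIG_STATIC_USERMODEHELPER_PATH), and will break "regular" distros.` The new IOMMU block in the last hunk would likewise benefit from stating the reason rather than only the mechanism, e.g. `# Enable chip-specific IOMMU support (DMA isolation of peripherals), on by default.`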