#
#
# N.B Hardening command line parameters:
-# slub_debug=FZP
# slab_nomerge
# page_alloc.shuffle=1
# iommu=force (does it help against DMA attacks?)
-# page_poison=1 (if enabled)
-# init_on_alloc=1
-# init_on_free=1
+# slub_debug=FZ (slow)
+# init_on_alloc=1 (since v5.3)
+# init_on_free=1 (since v5.3, otherwise slub_debug=P and page_poison=1)
# loadpin.enforce=1
# debugfs=no-mount (or off if possible)
#
# Mitigations of CPU vulnerabilities:
# Аrch-independent:
-# mitigations=auto,nosmt
+# mitigations=auto,nosmt (nosmt is slow)
# X86:
# spectre_v2=on
# pti=on
# ssbd=force-on
#
# N.B. Hardening sysctls:
-# kernel.kptr_restrict=2
+# kernel.kptr_restrict=2 (or 1?)
# kernel.dmesg_restrict=1
# kernel.perf_event_paranoid=3
# kernel.kexec_load_disabled=1
l += [AND(OptCheck('self_protection', 'my', 'UBSAN_BOUNDS', 'y'),
OptCheck('self_protection', 'my', 'UBSAN_MISC', 'is not set'),
OptCheck('self_protection', 'my', 'UBSAN_TRAP', 'y'))]
- l += [OptCheck('self_protection', 'my', 'SLUB_DEBUG_ON', 'y')] # TODO: is it better to set that via kernel cmd?
l += [OptCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y')] # needs userspace support (systemd)
if arch == 'X86_64':
l += [AND(OptCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'),