Think about kptr_restrict later (KSPP recommends to set it to 1)

[kconfig-hardened-check.git] / kconfig_hardened_check / __init__.py

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index b8bfa1568b8f625d7a94e90e765556e996a0cb02..42d3eebdab15c2dd35b865832be708cb88251048 100644 (file)
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -11,19 +11,18 @@
 #
 #
 # N.B Hardening command line parameters:
-#    slub_debug=FZP
 #    slab_nomerge
 #    page_alloc.shuffle=1
 #    iommu=force (does it help against DMA attacks?)
-#    page_poison=1 (if enabled)
-#    init_on_alloc=1
-#    init_on_free=1
+#    slub_debug=FZ (slow)
+#    init_on_alloc=1 (since v5.3)
+#    init_on_free=1 (since v5.3, otherwise slub_debug=P and page_poison=1)
 #    loadpin.enforce=1
 #    debugfs=no-mount (or off if possible)
 #
 #    Mitigations of CPU vulnerabilities:
 #       Аrch-independent:
-#           mitigations=auto,nosmt
+#           mitigations=auto,nosmt (nosmt is slow)
 #       X86:
 #           spectre_v2=on
 #           pti=on
@@ -36,7 +35,7 @@
 #           ssbd=force-on
 #
 # N.B. Hardening sysctls:
-#    kernel.kptr_restrict=2
+#    kernel.kptr_restrict=2 (or 1?)
 #    kernel.dmesg_restrict=1
 #    kernel.perf_event_paranoid=3
 #    kernel.kexec_load_disabled=1
@@ -403,7 +402,6 @@ def construct_checklist(l, arch):
     l += [AND(OptCheck('self_protection', 'my', 'UBSAN_BOUNDS', 'y'),
               OptCheck('self_protection', 'my', 'UBSAN_MISC', 'is not set'),
               OptCheck('self_protection', 'my', 'UBSAN_TRAP', 'y'))]
-    l += [OptCheck('self_protection', 'my', 'SLUB_DEBUG_ON', 'y')] # TODO: is it better to set that via kernel cmd?
     l += [OptCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y')] # needs userspace support (systemd)
     if arch == 'X86_64':
         l += [AND(OptCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'),