# kernel.perf_event_paranoid=2 (or 3 with a custom patch, see https://lwn.net/Articles/696216/)
# kernel.kexec_load_disabled=1
# kernel.yama.ptrace_scope=3
-# user.max_user_namespaces=0
+# user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone)
# what about bpf_jit_enable?
# kernel.unprivileged_bpf_disabled=1
# net.core.bpf_jit_harden=2
# vm.mmap_rnd_bits=max (?)
# kernel.sysrq=0
# abi.vsyscall32 (any value except 2)
+# kernel.oops_limit (think about a proper value)
+# kernel.warn_limit (think about a proper value)
#
# Think of these boot params:
# module.sig_enforce=1
# intel_iommu=on
# amd_iommu=on
# efi=disable_early_pci_dma
+# cfi=
# pylint: disable=missing-function-docstring,line-too-long,invalid-name
# pylint: disable=too-many-branches,too-many-statements
if arch == 'X86_64':
l += [KconfigCheck('self_protection', 'defconfig', 'PAGE_TABLE_ISOLATION', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_MEMORY', 'y')]
+ l += [KconfigCheck('self_protection', 'defconfig', 'X86_KERNEL_IBT', 'y')]
l += [AND(KconfigCheck('self_protection', 'defconfig', 'INTEL_IOMMU', 'y'),
iommu_support_is_set)]
l += [AND(KconfigCheck('self_protection', 'defconfig', 'AMD_IOMMU', 'y'),
'srbds', # See srbds_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
'mmio_stale_data', # See mmio_stale_data_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
'retbleed', # See retbleed_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
+ 'ssbd', # See parse_spectre_v4_param() in arch/arm64/kernel/proton-pack.c
'tsx' # See tsx_init() in arch/x86/kernel/cpu/tsx.c
]
projects / kconfig-hardened-check.git / blobdiff