Update the KSPP recommendations (https://github.com/KSPP/linux/issues/362)

[kconfig-hardened-check.git] / kernel_hardening_checker / config_files / kspp-recommendations / kspp-kconfig-x86-32.config

diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config
index 3e029722dcc08f7bc138aef2f177b208984fd7f8..4d1d1d38de43855b4c8823aab5d4bf97e980b750 100644 (file)
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config
@@ -142,6 +142,7 @@ CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
 
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
@@ -151,6 +152,10 @@ CONFIG_HW_RANDOM_TPM=y
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 
+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
+CONFIG_RANDSTRUCT_FULL=y
+
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 
@@ -242,11 +247,6 @@ CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 
-# Randomize the layout of system structures. This may have dramatic performance impact, so
-# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
-
 # x86_32
 
 CONFIG_X86_32=y