X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;ds=inline;f=kernel_hardening_checker%2Fconfig_files%2Fkspp-recommendations%2Fkspp-kconfig-arm64-clang.config;h=0acc81eab8ec13ef262978989101fefd4d624feb;hb=HEAD;hp=d2af013736858e89c9190e336caba2cf200117c6;hpb=38795d922a53915af937a89cf2d178613756d9a8;p=kconfig-hardened-check.git
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-clang.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-clang.config
index d2af013..6b93f63 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-clang.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-clang.config
@@ -86,9 +86,8 @@ CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
-# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
-CONFIG_PAGE_POISONING=y
-CONFIG_PAGE_POISONING_NO_SANITY=y
+# This kernel feature was removed in v5.11.
+# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks the 0xAA poison pattern on allocation.
 CONFIG_PAGE_POISONING_ZERO=y
 # Wipe slab and page allocations (since v5.3)
@@ -142,6 +141,7 @@ CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
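Review bot: The new side of the first hunk drops `CONFIG_PAGE_POISONING=y` itself, although the kept header comment ("Wipe higher-level memory allocations when they are freed ...") and the added comment both describe page poisoning as enabled; only the sub-option CONFIG_PAGE_POISONING_NO_SANITY disappeared in v5.11, so the base option should stay: `CONFIG_PAGE_POISONING=y`. The added line "This kernel feature was removed in v5.11." also does not name the option it refers to; suggest `# CONFIG_PAGE_POISONING_NO_SANITY was removed in v5.11; since then CONFIG_PAGE_POISONING always checks the 0xAA poison pattern on allocation.` As far as I recall, CONFIG_PAGE_POISONING_ZERO was removed in the same release (zero-on-free is now `init_on_free=1` / CONFIG_INIT_ON_FREE_DEFAULT_ON), so the retained `CONFIG_PAGE_POISONING_ZERO=y` deserves the same kind of note rather than being left as a live recommendation.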
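Review bot: The added `# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set` in the IOMMU hunk carries no explanation, unlike every neighbouring option. As far as I recall, on kernels that have CONFIG_IOMMU_DEFAULT_DMA_STRICT the two are alternatives of a single Kconfig choice, so the new line is already implied by `CONFIG_IOMMU_DEFAULT_DMA_STRICT=y`; it only adds information on older kernels where IOMMU_DEFAULT_PASSTHROUGH is a standalone bool. A one-line comment such as `# Also needed on older kernels where passthrough is an independent option (equivalent to "iommu.passthrough=0")` would make the intent checkable instead of looking like a stray default.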
@@ -151,6 +151,10 @@ CONFIG_HW_RANDOM_TPM=y
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
+CONFIG_RANDSTRUCT_FULL=y
+
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
@@ -179,9 +183,6 @@ CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
-# Dangerous; enabling this disables VDSO ASLR.
-# CONFIG_COMPAT_VDSO is not set
-
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
@@ -207,7 +208,8 @@ CONFIG_STATIC_USERMODEHELPER=y
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
-# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table.
+# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table:
+# https://docs.kernel.org/admin-guide/sysrq.html
 CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
 # Keep root from altering kernel memory via loadable modules.
@@ -242,11 +244,6 @@ CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
-# Randomize the layout of system structures. This may have dramatic performance impact, so
-# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
-
 # arm64
 CONFIG_ARM64=y
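Review bot: The comment added above `CONFIG_RANDSTRUCT_FULL=y` tells the reader of this Clang-specific config to try CONFIG_RANDSTRUCT_PERFORMANCE, but that option depends on GCC_PLUGINS and is never selectable with Clang, so the advice cannot apply here. The caveat that does matter for this file is missing: with Clang, RANDSTRUCT_FULL relies on CC_HAS_RANDSTRUCT, i.e. Clang 15 or newer, and the RANDSTRUCT_* names only exist from v5.19 (older kernels know only the GCC_PLUGIN_RANDSTRUCT variants this commit removes further down). Suggest replacing the second comment line with `# use with caution. With Clang this needs Clang >= 15 and kernel >= 5.19 (CC_HAS_RANDSTRUCT); CONFIG_RANDSTRUCT_PERFORMANCE is GCC-plugin-only and not available with Clang.`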
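Review bot: Linking the sysrq table still leaves the reader to decode what `CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176` actually permits, and "unmount" is not a name the table uses (the 32 bit is remount read-only). Suggest adding, after the link line, `# 176 = 16 (sync) + 32 (remount read-only) + 128 (reboot/poweroff); signal, dump and console-loglevel keys stay disabled.` so the hardening intent is visible without leaving the file.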