X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;ds=inline;f=kernel_hardening_checker%2Fconfig_files%2Fkspp-recommendations%2Fkspp-kconfig-x86-64-gcc.config;h=02a3c6fae3ba1d7181c3d07e699920f8096f44b2;hb=HEAD;hp=caa10c8f22188b8820c5cc58f37222c04519d4a8;hpb=38795d922a53915af937a89cf2d178613756d9a8;p=kconfig-hardened-check.git
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config
index caa10c8..8d36085 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config
@@ -86,9 +86,8 @@ CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
 CONFIG_SLUB_DEBUG=y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
-# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
-CONFIG_PAGE_POISONING=y
-CONFIG_PAGE_POISONING_NO_SANITY=y
+# This kernel feature was removed in v5.11.
+# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks the 0xAA poison pattern on allocation.
 CONFIG_PAGE_POISONING_ZERO=y
 # Wipe slab and page allocations (since v5.3)
@@ -142,6 +141,7 @@ CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
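Review bot: The replacement in the `@@ -86,9 +86,8 @@` hunk drops `CONFIG_PAGE_POISONING=y` together with `CONFIG_PAGE_POISONING_NO_SANITY=y`, although the context comment above still asks to wipe freed allocations and the new comment itself describes what CONFIG_PAGE_POISONING does from v5.11 on; unless the option is set elsewhere in the file, the recommendation no longer enables page poisoning at all. `# This kernel feature was removed in v5.11.` also does not name the feature, so a reader cannot tell it refers to the NO_SANITY knob. I would keep `CONFIG_PAGE_POISONING=y` and make the comment explicit: `# CONFIG_PAGE_POISONING_NO_SANITY was removed in v5.11; since then CONFIG_PAGE_POISONING always checks the 0xAA poison pattern on allocation.` As far as I recall the same v5.11 series also dropped CONFIG_PAGE_POISONING_ZERO in favour of init_on_free, so the `CONFIG_PAGE_POISONING_ZERO=y` context line is worth verifying against the current Kconfig as well.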
@@ -151,6 +151,10 @@ CONFIG_HW_RANDOM_TPM=y
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
+CONFIG_RANDSTRUCT_FULL=y
+
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
@@ -179,9 +183,6 @@ CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
-# Dangerous; enabling this disables VDSO ASLR.
-# CONFIG_COMPAT_VDSO is not set
-
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
@@ -207,7 +208,8 @@ CONFIG_STATIC_USERMODEHELPER=y
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
-# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table.
+# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table:
+# https://docs.kernel.org/admin-guide/sysrq.html
 CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
 # Keep root from altering kernel memory via loadable modules.
@@ -242,11 +244,6 @@ CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
-# Randomize the layout of system structures. This may have dramatic performance impact, so
-# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
-
 # x86_64
 # Full 64-bit means PAE and NX bit.
@@ -268,7 +265,7 @@ CONFIG_RANDOMIZE_MEMORY=y
 CONFIG_LEGACY_VSYSCALL_NONE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
-CONFIG_PAGE_TABLE_ISOLATION=y
+CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y
 # Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18)
 CONFIG_X86_KERNEL_IBT=y
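Review bot: The relocated RANDSTRUCT comment in the `@@ -151,6 +151,10 @@` hunk carries no version marker, unlike the file's other entries such as `(since v5.3)` and `(Since v5.18)`; CONFIG_RANDSTRUCT_FULL is the compiler-agnostic name introduced in v5.18, and older kernels only know the CONFIG_GCC_PLUGIN_RANDSTRUCT symbol that the `@@ -242,11 +244,6 @@` hunk removes. I would open the comment with `# Randomize the layout of system structures (since v5.18). This may have dramatic performance impact, so`. The second line reads awkwardly; `# use with caution. With GCC, CONFIG_RANDSTRUCT_PERFORMANCE=y is a cheaper alternative.` says the same thing more directly. The old block also pinned `# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set`; if this file is read as the expected state, the matching `# CONFIG_RANDSTRUCT_PERFORMANCE is not set` after `CONFIG_RANDSTRUCT_FULL=y` would keep the two choice values explicit, as before.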
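Review bot: `CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y` in the `@@ -268,7 +265,7 @@` hunk is the name the option received in v6.9; kernels before that only know CONFIG_PAGE_TABLE_ISOLATION, so a config checked against this file on an older kernel may appear to lack KPTI, and the comment gives no hint of the rename. I would extend the comment: `# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels (named CONFIG_PAGE_TABLE_ISOLATION before v6.9).` The same applies to `CONFIG_MITIGATION_SLS=y` in the `@@ -291,8 +288,12 @@` hunk, renamed from CONFIG_SLS in the same release.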
@@ -291,8 +288,12 @@ CONFIG_AMD_IOMMU=y
 CONFIG_AMD_IOMMU_V2=y
 # Straight-Line-Speculation
-CONFIG_SLS=y
+CONFIG_MITIGATION_SLS=y
 # Enable Control Flow Integrity (since v6.1).
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set
+
+# Dangerous; enabling this disables vDSO ASLR on X86_64 and X86_32.
+# On ARM64 this option has different meaning.
+# CONFIG_COMPAT_VDSO is not set
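Review bot: `# On ARM64 this option has different meaning.` in the re-added COMPAT_VDSO block tells the reader nothing about what that meaning is, and this file is the x86-64 variant, so the remark should either say what it warns against or be left to the arm64 file. On arm64, CONFIG_COMPAT_VDSO enables the vDSO for 32-bit compat processes and has nothing to do with disabling ASLR, which is why the "Dangerous" label must not be carried over there. I would write `# Dangerous on X86_64/X86_32: enabling this disables vDSO ASLR.` followed by `# (On ARM64, CONFIG_COMPAT_VDSO instead enables the vDSO for 32-bit processes and is unrelated.)` above `# CONFIG_COMPAT_VDSO is not set`.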