X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=config_files%2Fkspp-recommendations%2Fkspp-recommendations-arm64.config;fp=config_files%2Fkspp-recommendations%2Fkspp-recommendations-arm64.config;h=b3976733bb94c8df1c2fd831591f167d0f1ed80f;hb=1d13eaad7cafd60abae7cbd47de9f18ebae86520;hp=ac4c8652b833745665ffcd2b3ec38d2eecad378b;hpb=67d6d66d3f64112ead2815068b645de49f8b6541;p=kconfig-hardened-check.git
diff --git a/config_files/kspp-recommendations/kspp-recommendations-arm64.config b/config_files/kspp-recommendations/kspp-recommendations-arm64.config
index ac4c865..b397673 100644
--- a/config_files/kspp-recommendations/kspp-recommendations-arm64.config
+++ b/config_files/kspp-recommendations/kspp-recommendations-arm64.config
@@ -11,6 +11,9 @@ CONFIG_STRICT_KERNEL_RWX=y
 CONFIG_DEBUG_WX=y
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
+# Prior to v4.18, these are:
+# CONFIG_CC_STACKPROTECTOR=y
+# CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y
@@ -41,11 +44,15 @@ CONFIG_SECURITY_YAMA=y
 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
+# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
 # Randomize allocator freelists, harden metadata.
 CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
+# Randomize high-order page allocation freelist.
+CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
+
 # Allow allocator validation checking to be enabled (see "slub_debug=P" below).
 CONFIG_SLUB_DEBUG=y
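Review bot: In the `@@ -41,11 +44,15 @@` hunk, `CONFIG_SHUFFLE_PAGE_ALLOCATOR=y` only builds the shuffling code in; as far as I know the kernel activates it at boot only when it detects a memory-side cache or when `page_alloc.shuffle=1` is passed, so a kernel built from this fragment may still run with an unshuffled page allocator. The comment should say so, the same way the SLUB_DEBUG entry points at "slub_debug=P": `# Randomize high-order page allocation freelist (also needs "page_alloc.shuffle=1" on the kernel command line).` In the same hunk, `# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set` sits under a comment that explains only the FALLBACK line; a short reason for keeping PAGESPAN off (as I understand it, a debugging aid prone to false positives) would stop readers from treating it as a disabled protection.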
@@ -55,6 +62,15 @@ CONFIG_PAGE_POISONING=y
 CONFIG_PAGE_POISONING_NO_SANITY=y
 CONFIG_PAGE_POISONING_ZERO=y
+# Wipe slab and page allocations (since v5.3)
+# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.
+# The init_on_free is only needed if there is concern about minimizing stale data lifetime.
+CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
+CONFIG_INIT_ON_FREE_DEFAULT_ON=y
+
+# Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)
+CONFIG_INIT_STACK_ALL=y
+
 # Adds guard pages to kernel stacks (not all architectures support this yet).
 CONFIG_VMAP_STACK=y
@@ -113,7 +129,6 @@ CONFIG_MODULE_SIG_SHA512=y
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
-
 # GCC plugins
 # Enable GCC Plugins
@@ -123,15 +138,19 @@ CONFIG_GCC_PLUGINS=y
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
 # Force all structures to be initialized before they are passed to other functions.
+# When building with GCC:
 CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
+# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
+CONFIG_GCC_PLUGIN_STACKLEAK=y
+
 # Randomize the layout of system structures. This may have dramatic performance impact, so
 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-#arm64
+# arm64
 CONFIG_ARM64=y
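Review bot: In the `@@ -55,6 +62,15 @@` hunk, `CONFIG_INIT_STACK_ALL=y` is listed as `=y` alongside `CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y` further down, but upstream these appear to be alternatives within a single Kconfig choice, so no one kernel config can satisfy both and a checker comparing against this list will always report one of them as missing. The parenthetical hints at this; stating it outright would help, e.g. `# Clang builds only; mutually exclusive with the GCC STRUCTLEAK options below, so expect exactly one of the two to be set.` The same hunk leaves the CONFIG_PAGE_POISONING block above it in place while the new comment says init_on_alloc/init_on_free replace "page_poison=1"; a line saying which set applies before v5.3 and which from v5.3 on would keep readers from enabling both wiping mechanisms without realising they overlap.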