X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2Fconfig_files%2Fkspp-recommendations%2Fkspp-recommendations-arm.config;fp=kconfig_hardened_check%2Fconfig_files%2Fkspp-recommendations%2Fkspp-recommendations-arm.config;h=349cf61bce3b5f99c39e94fc630124fdb9cdfaff;hb=86ca20532410ee24ff332b158a50aea99ee007d3;hp=57ff9d7cc941137f858367f36bc22bbc32361627;hpb=20e1c9771c22a04b3a41c8dac7e0c952d151bb8e;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config index 57ff9d7..349cf61 100644 --- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config +++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config @@ -1,5 +1,5 @@ # CONFIGs -# Linux/arm 5.14.0 Kernel Configuration +# Linux/arm 5.17.0 Kernel Configuration # Report BUG() conditions and kill the offending process. CONFIG_BUG=y @@ -38,9 +38,24 @@ CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. +# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y +# Provide userspace with Landlock MAC interface. +# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list. +CONFIG_SECURITY_LANDLOCK=y + +# Make sure SELinux cannot be disabled trivially. +# SECURITY_SELINUX_BOOTPARAM is not set +# SECURITY_SELINUX_DEVELOP is not set +# CONFIG_SECURITY_WRITABLE_HOOKS is not set + +# Enable "lockdown" LSM for bright line between the root user and kernel memory. +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y + # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set @@ -83,24 +98,54 @@ CONFIG_FORTIFY_SOURCE=y # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1) CONFIG_SECURITY_DMESG_RESTRICT=y +# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled. +CONFIG_UBSAN=y +CONFIG_UBSAN_TRAP=y +CONFIG_UBSAN_BOUNDS=y +CONFIG_UBSAN_SANITIZE_ALL=y +# CONFIG_UBSAN_SHIFT is not set +# CONFIG_UBSAN_DIV_ZERO is not set +# CONFIG_UBSAN_UNREACHABLE is not set +# CONFIG_UBSAN_BOOL is not set +# CONFIG_UBSAN_ENUM is not set +# CONFIG_UBSAN_ALIGNMENT is not set +# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set: +CONFIG_UBSAN_LOCAL_BOUNDS=y + +# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead. +CONFIG_KFENCE=y + # Randomize kernel stack offset on syscall entry (since v5.13). CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y -# Enable sampling-based overflow detection. This is similar to KASAN coverage, but with almost zero runtime overhead. -CONFIG_KFENCE=y - # Do not ignore compile-time warnings (since v5.15) CONFIG_WERROR=y +# Disable DMA between EFI hand-off and the kernel's IOMMU setup. +CONFIG_EFI_DISABLE_PCI_DMA=y + # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot) +CONFIG_IOMMU_SUPPORT=y CONFIG_IOMMU_DEFAULT_DMA_STRICT=y +# Enable feeding RNG entropy from TPM, if available. +CONFIG_HW_RANDOM_TPM=y + +# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even +# malicious sources should not cause problems. +CONFIG_RANDOM_TRUST_BOOTLOADER=y +CONFIG_RANDOM_TRUST_CPU=y + # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE). CONFIG_SCHED_CORE=y -# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers) +# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and +# minimizes stale data in registers). (Since v5.15) CONFIG_ZERO_CALL_USED_REGS=y +# Wipe RAM at reboot via EFI. +CONFIG_RESET_ATTACK_MITIGATION=y + # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set @@ -165,10 +210,13 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y +# CONFIG_STACKLEAK_METRICS is not set +# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y +# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set # arm