X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2Fconfig_files%2Fkspp-recommendations%2Fkspp-recommendations-arm.config;fp=kconfig_hardened_check%2Fconfig_files%2Fkspp-recommendations%2Fkspp-recommendations-arm.config;h=621095fe5b20dab7bf4605497a1fd7fb2007bbe5;hb=e8a2c606adbd3400dd9e38be2edd5c908eeabbd2;hp=349cf61bce3b5f99c39e94fc630124fdb9cdfaff;hpb=ef4a19b8a0ce5a6518e723764690d9fe7f853d90;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config index 349cf61..621095f 100644 --- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config +++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config @@ -30,6 +30,7 @@ CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y +CONFIG_DEBUG_VIRTUAL=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y @@ -37,6 +38,9 @@ CONFIG_SCHED_STACK_END_CHECK=y CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y +# Make sure line disciplines can't be autoloaded (since v5.1). +# CONFIG_LDISC_AUTOLOAD is not set + # Provide userspace with ptrace ancestry protections. # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list. CONFIG_SECURITY=y @@ -47,8 +51,8 @@ CONFIG_SECURITY_YAMA=y CONFIG_SECURITY_LANDLOCK=y # Make sure SELinux cannot be disabled trivially. -# SECURITY_SELINUX_BOOTPARAM is not set -# SECURITY_SELINUX_DEVELOP is not set +# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set +# CONFIG_SECURITY_SELINUX_DEVELOP is not set # CONFIG_SECURITY_WRITABLE_HOOKS is not set # Enable "lockdown" LSM for bright line between the root user and kernel memory. @@ -144,8 +148,14 @@ CONFIG_SCHED_CORE=y CONFIG_ZERO_CALL_USED_REGS=y # Wipe RAM at reboot via EFI. +# For more details, see: +# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/ +# https://bugzilla.redhat.com/show_bug.cgi?id=1532058 CONFIG_RESET_ATTACK_MITIGATION=y +# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk +CONFIG_STATIC_USERMODEHELPER=y + # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set @@ -233,5 +243,3 @@ CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is not set - -