X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2Fconfig_files%2Fkspp-recommendations%2Fkspp-recommendations-arm.config;h=621095fe5b20dab7bf4605497a1fd7fb2007bbe5;hb=e8a2c606adbd3400dd9e38be2edd5c908eeabbd2;hp=57ff9d7cc941137f858367f36bc22bbc32361627;hpb=ea880f61ef5e65dae9beb09beb6cdfca669af9cc;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config index 57ff9d7..621095f 100644 --- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config +++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config @@ -1,5 +1,5 @@ # CONFIGs -# Linux/arm 5.14.0 Kernel Configuration +# Linux/arm 5.17.0 Kernel Configuration # Report BUG() conditions and kill the offending process. CONFIG_BUG=y @@ -30,6 +30,7 @@ CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_SG=y +CONFIG_DEBUG_VIRTUAL=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_SCHED_STACK_END_CHECK=y @@ -37,10 +38,28 @@ CONFIG_SCHED_STACK_END_CHECK=y CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y +# Make sure line disciplines can't be autoloaded (since v5.1). +# CONFIG_LDISC_AUTOLOAD is not set + # Provide userspace with ptrace ancestry protections. +# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y +# Provide userspace with Landlock MAC interface. +# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list. +CONFIG_SECURITY_LANDLOCK=y + +# Make sure SELinux cannot be disabled trivially. +# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set +# CONFIG_SECURITY_SELINUX_DEVELOP is not set +# CONFIG_SECURITY_WRITABLE_HOOKS is not set + +# Enable "lockdown" LSM for bright line between the root user and kernel memory. +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y + # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set @@ -83,24 +102,60 @@ CONFIG_FORTIFY_SOURCE=y # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1) CONFIG_SECURITY_DMESG_RESTRICT=y +# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled. +CONFIG_UBSAN=y +CONFIG_UBSAN_TRAP=y +CONFIG_UBSAN_BOUNDS=y +CONFIG_UBSAN_SANITIZE_ALL=y +# CONFIG_UBSAN_SHIFT is not set +# CONFIG_UBSAN_DIV_ZERO is not set +# CONFIG_UBSAN_UNREACHABLE is not set +# CONFIG_UBSAN_BOOL is not set +# CONFIG_UBSAN_ENUM is not set +# CONFIG_UBSAN_ALIGNMENT is not set +# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set: +CONFIG_UBSAN_LOCAL_BOUNDS=y + +# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead. +CONFIG_KFENCE=y + # Randomize kernel stack offset on syscall entry (since v5.13). CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y -# Enable sampling-based overflow detection. This is similar to KASAN coverage, but with almost zero runtime overhead. -CONFIG_KFENCE=y - # Do not ignore compile-time warnings (since v5.15) CONFIG_WERROR=y +# Disable DMA between EFI hand-off and the kernel's IOMMU setup. +CONFIG_EFI_DISABLE_PCI_DMA=y + # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot) +CONFIG_IOMMU_SUPPORT=y CONFIG_IOMMU_DEFAULT_DMA_STRICT=y +# Enable feeding RNG entropy from TPM, if available. +CONFIG_HW_RANDOM_TPM=y + +# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even +# malicious sources should not cause problems. +CONFIG_RANDOM_TRUST_BOOTLOADER=y +CONFIG_RANDOM_TRUST_CPU=y + # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE). CONFIG_SCHED_CORE=y -# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers) +# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and +# minimizes stale data in registers). (Since v5.15) CONFIG_ZERO_CALL_USED_REGS=y +# Wipe RAM at reboot via EFI. +# For more details, see: +# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/ +# https://bugzilla.redhat.com/show_bug.cgi?id=1532058 +CONFIG_RESET_ATTACK_MITIGATION=y + +# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk +CONFIG_STATIC_USERMODEHELPER=y + # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set @@ -165,10 +220,13 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y +# CONFIG_STACKLEAK_METRICS is not set +# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y +# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set # arm @@ -185,5 +243,3 @@ CONFIG_CPU_SW_DOMAIN_PAN=y # Dangerous; old interfaces and needless additional attack surface. # CONFIG_OABI_COMPAT is not set - -