X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2Fconfig_files%2Fkspp-recommendations%2Fkspp-recommendations-x86-32.config;h=4667aa287e5ccfae7c8f49049978d728fcd92543;hb=1bfbcfbda62098a34206889e52ace909eb6d975b;hp=32c1dadd53e9d4c787cdfde9f94d8463cc3148cd;hpb=86ca20532410ee24ff332b158a50aea99ee007d3;p=kconfig-hardened-check.git

diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
index 32c1dad..4667aa2 100644
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
@@ -1,5 +1,4 @@
-# CONFIGs
-# Linux/i386 5.17.0 Kernel Configuration
+# Linux/i386 6.1.5 Kernel Configuration
 
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -30,6 +29,7 @@ CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 
@@ -37,6 +37,9 @@ CONFIG_SCHED_STACK_END_CHECK=y
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
+# Make sure line disciplines can't be autoloaded (since v5.1).
+# CONFIG_LDISC_AUTOLOAD is not set
+
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
@@ -47,8 +50,8 @@ CONFIG_SECURITY_YAMA=y
 CONFIG_SECURITY_LANDLOCK=y
 
 # Make sure SELinux cannot be disabled trivially.
-# SECURITY_SELINUX_BOOTPARAM is not set
-# SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+# CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 
 # Enable "lockdown" LSM for bright line between the root user and kernel memory.
@@ -144,8 +147,14 @@ CONFIG_SCHED_CORE=y
 CONFIG_ZERO_CALL_USED_REGS=y
 
 # Wipe RAM at reboot via EFI.
+# For more details, see:
+# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
+# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y
 
+# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
+CONFIG_STATIC_USERMODEHELPER=y
+
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
@@ -240,7 +249,9 @@ CONFIG_RANDOMIZE_BASE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 
+# Enable chip-specific IOMMU support. 
+CONFIG_INTEL_IOMMU=y
+CONFIG_INTEL_IOMMU_DEFAULT_ON=y
+
 # Don't allow for 16-bit program emulation and associated LDT tricks.
 # CONFIG_MODIFY_LDT_SYSCALL is not set
-
-