X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2Fconfig_files%2Fkspp-recommendations%2Fkspp-recommendations-x86-64.config;h=f179b4ead38def7c6cea7ce3ed5aa512f2c1d4fb;hb=4225858a8fc7c8848d5469baff8efd9080f4a718;hp=560f6821a1362e9e83d4b6f145a8589f8316c2ea;hpb=86ca20532410ee24ff332b158a50aea99ee007d3;p=kconfig-hardened-check.git

diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
index 560f682..f179b4e 100644
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
@@ -1,5 +1,4 @@
-# CONFIGs
-# Linux/x86_64 5.17.0 Kernel Configuration
+# Linux/x86_64 6.1.5 Kernel Configuration
 
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -30,6 +29,7 @@ CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 
@@ -37,6 +37,9 @@ CONFIG_SCHED_STACK_END_CHECK=y
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
+# Make sure line disciplines can't be autoloaded (since v5.1).
+# CONFIG_LDISC_AUTOLOAD is not set
+
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
@@ -47,8 +50,8 @@ CONFIG_SECURITY_YAMA=y
 CONFIG_SECURITY_LANDLOCK=y
 
 # Make sure SELinux cannot be disabled trivially.
-# SECURITY_SELINUX_BOOTPARAM is not set
-# SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+# CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 
 # Enable "lockdown" LSM for bright line between the root user and kernel memory.
@@ -144,8 +147,14 @@ CONFIG_SCHED_CORE=y
 CONFIG_ZERO_CALL_USED_REGS=y
 
 # Wipe RAM at reboot via EFI.
+# For more details, see:
+# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
+# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y
 
+# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
+CONFIG_STATIC_USERMODEHELPER=y
+
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
@@ -239,9 +248,11 @@ CONFIG_LEGACY_VSYSCALL_NONE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 
-# Remove additional attack surface, unless you really need them.
+# Remove additional (32-bit) attack surface, unless you really need them.
+# CONFIG_COMPAT is not set
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
+# CONFIG_X86_X32_ABI is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set
 
 # Enable chip-specific IOMMU support. 
@@ -253,3 +264,7 @@ CONFIG_AMD_IOMMU_V2=y
 
 # Straight-Line-Speculation
 CONFIG_SLS=y
+
+# Enable Control Flow Integrity (since v6.1)
+CONFIG_CFI_CLANG=y
+# CONFIG_CFI_PERMISSIVE is not set