X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fconfig_files%2Fkspp-recommendations%2Fkspp-kconfig-x86-64-gcc.config;h=02a3c6fae3ba1d7181c3d07e699920f8096f44b2;hb=b0a5937d6c0102adc9b24e89899681059c3af3a4;hp=caa10c8f22188b8820c5cc58f37222c04519d4a8;hpb=22314345541d97b8f095aec733ef44620ba54801;p=kconfig-hardened-check.git

diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config
index caa10c8..02a3c6f 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config
@@ -142,6 +142,7 @@ CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
 
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
@@ -151,6 +152,10 @@ CONFIG_HW_RANDOM_TPM=y
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 
+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
+CONFIG_RANDSTRUCT_FULL=y
+
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 
@@ -242,11 +247,6 @@ CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 
-# Randomize the layout of system structures. This may have dramatic performance impact, so
-# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
-
 # x86_64
 
 # Full 64-bit means PAE and NX bit.
@@ -268,7 +268,7 @@ CONFIG_RANDOMIZE_MEMORY=y
 CONFIG_LEGACY_VSYSCALL_NONE=y
 
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
-CONFIG_PAGE_TABLE_ISOLATION=y
+CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y
 
 # Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18)
 CONFIG_X86_KERNEL_IBT=y
@@ -291,7 +291,7 @@ CONFIG_AMD_IOMMU=y
 CONFIG_AMD_IOMMU_V2=y
 
 # Straight-Line-Speculation
-CONFIG_SLS=y
+CONFIG_MITIGATION_SLS=y
 
 # Enable Control Flow Integrity (since v6.1).
 CONFIG_CFI_CLANG=y