Update the KSPP recommendations (https://github.com/KSPP/linux/issues/362)

Thanks to @kees!

diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
index 1b4caacfa86b62257a5628d5f98db143acb656f3..3a1f67b307be8fc09f36391637de42ad90f2c04b 100644 (file)
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
@@ -142,6 +142,7 @@ CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y

+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set

 
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
 
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y


@@ -151,6 +152,10 @@ CONFIG_HW_RANDOM_TPM=y
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 

+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
+CONFIG_RANDSTRUCT_FULL=y
+

 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 


@@ -242,11 +247,6 @@ CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 

-# Randomize the layout of system structures. This may have dramatic performance impact, so
-# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
-

 # arm
 
 CONFIG_ARM=y
 # arm
 
 CONFIG_ARM=y

diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-clang.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-clang.config
index d2af013736858e89c9190e336caba2cf200117c6..0acc81eab8ec13ef262978989101fefd4d624feb 100644 (file)
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-clang.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-clang.config
@@ -142,6 +142,7 @@ CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y

+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set

 
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
 
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y


@@ -151,6 +152,10 @@ CONFIG_HW_RANDOM_TPM=y
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 

+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
+CONFIG_RANDSTRUCT_FULL=y
+

 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 


@@ -242,11 +247,6 @@ CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 

-# Randomize the layout of system structures. This may have dramatic performance impact, so
-# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
-

 # arm64
 
 CONFIG_ARM64=y
 # arm64
 
 CONFIG_ARM64=y

diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-gcc.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-gcc.config
index 350d8e1d0507e6a50fb897b2983baf4b6bbf0d8d..f40be7fc015cdd864a149d2d3c31dd8133c765c5 100644 (file)
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-gcc.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-gcc.config
@@ -142,6 +142,7 @@ CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y

+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set

 
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
 
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y


@@ -151,6 +152,10 @@ CONFIG_HW_RANDOM_TPM=y
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 

+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
+CONFIG_RANDSTRUCT_FULL=y
+

 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 


@@ -242,11 +247,6 @@ CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 

-# Randomize the layout of system structures. This may have dramatic performance impact, so
-# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
-

 # arm64
 
 CONFIG_ARM64=y
 # arm64
 
 CONFIG_ARM64=y

diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config
index 3e029722dcc08f7bc138aef2f177b208984fd7f8..4d1d1d38de43855b4c8823aab5d4bf97e980b750 100644 (file)
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config
@@ -142,6 +142,7 @@ CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y

+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set

 
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
 
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y


@@ -151,6 +152,10 @@ CONFIG_HW_RANDOM_TPM=y
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 

+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
+CONFIG_RANDSTRUCT_FULL=y
+

 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 


@@ -242,11 +247,6 @@ CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 

-# Randomize the layout of system structures. This may have dramatic performance impact, so
-# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
-

 # x86_32
 
 CONFIG_X86_32=y
 # x86_32
 
 CONFIG_X86_32=y

diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-clang.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-clang.config
index b6e4b6fe4beb1baf6764b1ad7ccf605801048852..a65abeb61bc938a9d6df9b5e5c1e35f9e4804a27 100644 (file)
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-clang.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-clang.config
@@ -142,6 +142,7 @@ CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y

+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set

 
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
 
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y


@@ -151,6 +152,10 @@ CONFIG_HW_RANDOM_TPM=y
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 

+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
+CONFIG_RANDSTRUCT_FULL=y
+

 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 


@@ -242,11 +247,6 @@ CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 

-# Randomize the layout of system structures. This may have dramatic performance impact, so
-# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
-

 # x86_64
 
 # Full 64-bit means PAE and NX bit.
 # x86_64
 
 # Full 64-bit means PAE and NX bit.


@@ -268,7 +268,7 @@ CONFIG_RANDOMIZE_MEMORY=y
 CONFIG_LEGACY_VSYSCALL_NONE=y
 
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.

-CONFIG_PAGE_TABLE_ISOLATION=y
+CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y

 
 # Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18)
 CONFIG_X86_KERNEL_IBT=y
 
 # Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18)
 CONFIG_X86_KERNEL_IBT=y


@@ -291,7 +291,7 @@ CONFIG_AMD_IOMMU=y
 CONFIG_AMD_IOMMU_V2=y
 
 # Straight-Line-Speculation
 CONFIG_AMD_IOMMU_V2=y
 
 # Straight-Line-Speculation

-CONFIG_SLS=y
+CONFIG_MITIGATION_SLS=y

 
 # Enable Control Flow Integrity (since v6.1).
 CONFIG_CFI_CLANG=y
 
 # Enable Control Flow Integrity (since v6.1).
 CONFIG_CFI_CLANG=y

diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config
index caa10c8f22188b8820c5cc58f37222c04519d4a8..02a3c6fae3ba1d7181c3d07e699920f8096f44b2 100644 (file)
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config
@@ -142,6 +142,7 @@ CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y

+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set

 
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
 
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y


@@ -151,6 +152,10 @@ CONFIG_HW_RANDOM_TPM=y
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 

+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
+CONFIG_RANDSTRUCT_FULL=y
+

 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 


@@ -242,11 +247,6 @@ CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 

-# Randomize the layout of system structures. This may have dramatic performance impact, so
-# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
-

 # x86_64
 
 # Full 64-bit means PAE and NX bit.
 # x86_64
 
 # Full 64-bit means PAE and NX bit.


@@ -268,7 +268,7 @@ CONFIG_RANDOMIZE_MEMORY=y
 CONFIG_LEGACY_VSYSCALL_NONE=y
 
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_LEGACY_VSYSCALL_NONE=y
 
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.

-CONFIG_PAGE_TABLE_ISOLATION=y
+CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y

 
 # Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18)
 CONFIG_X86_KERNEL_IBT=y
 
 # Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18)
 CONFIG_X86_KERNEL_IBT=y


@@ -291,7 +291,7 @@ CONFIG_AMD_IOMMU=y
 CONFIG_AMD_IOMMU_V2=y
 
 # Straight-Line-Speculation
 CONFIG_AMD_IOMMU_V2=y
 
 # Straight-Line-Speculation

-CONFIG_SLS=y
+CONFIG_MITIGATION_SLS=y

 
 # Enable Control Flow Integrity (since v6.1).
 CONFIG_CFI_CLANG=y
 
 # Enable Control Flow Integrity (since v6.1).
 CONFIG_CFI_CLANG=y

diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-sysctl.txt b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-sysctl.txt
index c45c201914625f098c2dcd09606b83bb7dabceea..4c0c6eb09483ba0aa79929f2c759733d3863ad73 100644 (file)
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-sysctl.txt
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-sysctl.txt
@@ -1,7 +1,7 @@
 kernel.printk = 3      4       1       7
 kernel.kptr_restrict = 2
 kernel.dmesg_restrict = 1
 kernel.printk = 3      4       1       7
 kernel.kptr_restrict = 2
 kernel.dmesg_restrict = 1

-kernel.disable_modules = 1
+kernel.modules_disabled = 1

 kernel.perf_event_paranoid = 3
 kernel.kexec_load_disabled = 1
 kernel.randomize_va_space = 2
 kernel.perf_event_paranoid = 3
 kernel.kexec_load_disabled = 1
 kernel.randomize_va_space = 2