Update the KSPP recommendations

diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
index 621095fe5b20dab7bf4605497a1fd7fb2007bbe5..d4493e7eaa3bf932d40904d91f0777afc7366d8e 100644 (file)
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
@@ -1,5 +1,4 @@
-# CONFIGs
-# Linux/arm 5.17.0 Kernel Configuration
+# Linux/arm 6.1.5 Kernel Configuration
 
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y

diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
index 76c212f3b592bc690634690be1d275a13bfaf6dd..50907ab4e9795e3ab86628efc3029647b90f1e74 100644 (file)
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
@@ -1,5 +1,4 @@
-# CONFIGs
-# Linux/arm64 5.17.0 Kernel Configuration
+# Linux/arm64 6.1.5 Kernel Configuration
 
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -238,6 +237,9 @@ CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 
+# Remove arm32 support to reduce syscall attack surface.
+# CONFIG_COMPAT is not set
+
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y
 

diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
index 7695976329cf8b0b0a3055ef720b96d0e03ef4b2..4667aa287e5ccfae7c8f49049978d728fcd92543 100644 (file)
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
@@ -1,5 +1,4 @@
-# CONFIGs
-# Linux/i386 5.17.0 Kernel Configuration
+# Linux/i386 6.1.5 Kernel Configuration
 
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y

diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
index 8f67300cb3fc78455b159c0a831de4ccf50f625f..f179b4ead38def7c6cea7ce3ed5aa512f2c1d4fb 100644 (file)
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
@@ -1,5 +1,4 @@
-# CONFIGs
-# Linux/x86_64 5.17.0 Kernel Configuration
+# Linux/x86_64 6.1.5 Kernel Configuration
 
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -249,9 +248,11 @@ CONFIG_LEGACY_VSYSCALL_NONE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 
-# Remove additional attack surface, unless you really need them.
+# Remove additional (32-bit) attack surface, unless you really need them.
+# CONFIG_COMPAT is not set
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
+# CONFIG_X86_X32_ABI is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set
 
 # Enable chip-specific IOMMU support.