CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
-# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
-CONFIG_PAGE_POISONING=y
-CONFIG_PAGE_POISONING_NO_SANITY=y
+# This kernel feature was removed in v5.11.
+# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks the 0xAA poison pattern on allocation.
CONFIG_PAGE_POISONING_ZERO=y
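Review bot: The new side drops `CONFIG_PAGE_POISONING=y` together with `CONFIG_PAGE_POISONING_NO_SANITY=y`, yet the comment added in their place says CONFIG_PAGE_POISONING still exists from v5.11, and the retained line above still points at `page_poison=1`, which does nothing unless that option is built in. If only NO_SANITY was meant to go, keep `CONFIG_PAGE_POISONING=y`. The added "This kernel feature was removed in v5.11." also lost its referent once the NO_SANITY lines were deleted and now reads as describing `CONFIG_PAGE_POISONING_ZERO=y` below; name the symbol, e.g. `# CONFIG_PAGE_POISONING_NO_SANITY was removed in v5.11.`. I believe PAGE_POISONING_ZERO left the tree in the same release, so it is worth confirming whether that line should stay. The identical hunk repeats in each later copy of this block on the page.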
# Wipe slab and page allocations (since v5.3)
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
-# Dangerous; enabling this disables VDSO ASLR.
-# CONFIG_COMPAT_VDSO is not set
-
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
-# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table.
+# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table:
+# https://docs.kernel.org/admin-guide/sysrq.html
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
# Keep root from altering kernel memory via loadable modules.
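Review bot: The comment's "sync,unmount,reboot" does not quite match the value it documents: 176 is 128 + 32 + 16, and in the linked bit-field table 32 is remount read-only rather than unmount, while 128 covers both reboot and poweroff. Since the link is being added anyway, spell the mask out next to it, e.g. `# 176 = 16 (sync) + 32 (remount read-only) + 128 (reboot/poweroff)`, so a reader can check what stays reachable from the keyboard without leaving the file. The same comment is repeated in the later copies of this hunk.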
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
-# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
-CONFIG_PAGE_POISONING=y
-CONFIG_PAGE_POISONING_NO_SANITY=y
+# This kernel feature was removed in v5.11.
+# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks the 0xAA poison pattern on allocation.
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3)
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
-# Dangerous; enabling this disables VDSO ASLR.
-# CONFIG_COMPAT_VDSO is not set
-
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
-# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table.
+# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table:
+# https://docs.kernel.org/admin-guide/sysrq.html
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
# Keep root from altering kernel memory via loadable modules.
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
-# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
-CONFIG_PAGE_POISONING=y
-CONFIG_PAGE_POISONING_NO_SANITY=y
+# This kernel feature was removed in v5.11.
+# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks the 0xAA poison pattern on allocation.
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3)
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
-# Dangerous; enabling this disables VDSO ASLR.
-# CONFIG_COMPAT_VDSO is not set
-
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
-# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table.
+# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table:
+# https://docs.kernel.org/admin-guide/sysrq.html
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
# Keep root from altering kernel memory via loadable modules.
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
-# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
-CONFIG_PAGE_POISONING=y
-CONFIG_PAGE_POISONING_NO_SANITY=y
+# This kernel feature was removed in v5.11.
+# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks the 0xAA poison pattern on allocation.
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3)
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
-# Dangerous; enabling this disables VDSO ASLR.
-# CONFIG_COMPAT_VDSO is not set
-
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
-# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table.
+# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table:
+# https://docs.kernel.org/admin-guide/sysrq.html
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
# Keep root from altering kernel memory via loadable modules.
CONFIG_RANDOMIZE_BASE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
-CONFIG_PAGE_TABLE_ISOLATION=y
+CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y
# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
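Review bot: `CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y` replaces the old name outright, so for a kernel that predates the rename (v6.9, as far as I can tell) nothing on this list turns KPTI on any more, and a config checked against it will show the option as missing with no way to satisfy it. Other entries in this file carry version notes ("since v5.3", "removed in v5.11"); add one here as well, e.g. `# Named CONFIG_PAGE_TABLE_ISOLATION before the MITIGATION_ rename; set whichever your kernel has.`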
# Don't allow for 16-bit program emulation and associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set
+
+# Dangerous; enabling this disables vDSO ASLR on X86_64 and X86_32.
+# On ARM64 this option has different meaning.
+# CONFIG_COMPAT_VDSO is not set
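Review bot: "On ARM64 this option has different meaning." tells the reader the symbol differs but not how, nor whether it should be left unset there. As far as I know, on arm64 CONFIG_COMPAT_VDSO only builds the vDSO for 32-bit (AArch32) tasks and has no bearing on ASLR; if that is the intent, say it, e.g. `# On ARM64 the same symbol only builds the 32-bit compat vDSO and does not affect ASLR.` The same two comment lines are added in the later per-architecture blocks on this page.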
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
-# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
-CONFIG_PAGE_POISONING=y
-CONFIG_PAGE_POISONING_NO_SANITY=y
+# This kernel feature was removed in v5.11.
+# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks the 0xAA poison pattern on allocation.
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3)
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
-# Dangerous; enabling this disables VDSO ASLR.
-# CONFIG_COMPAT_VDSO is not set
-
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
-# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table.
+# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table:
+# https://docs.kernel.org/admin-guide/sysrq.html
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
# Keep root from altering kernel memory via loadable modules.
# Enable Control Flow Integrity (since v6.1).
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set
+
+# Dangerous; enabling this disables vDSO ASLR on X86_64 and X86_32.
+# On ARM64 this option has different meaning.
+# CONFIG_COMPAT_VDSO is not set
CONFIG_SLUB_DEBUG=y
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
-# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
-CONFIG_PAGE_POISONING=y
-CONFIG_PAGE_POISONING_NO_SANITY=y
+# This kernel feature was removed in v5.11.
+# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks the 0xAA poison pattern on allocation.
CONFIG_PAGE_POISONING_ZERO=y
# Wipe slab and page allocations (since v5.3)
# Dangerous; exposes kernel text image layout.
# CONFIG_PROC_KCORE is not set
-# Dangerous; enabling this disables VDSO ASLR.
-# CONFIG_COMPAT_VDSO is not set
-
# Dangerous; enabling this allows replacement of running kernel.
# CONFIG_KEXEC is not set
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
-# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table.
+# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table:
+# https://docs.kernel.org/admin-guide/sysrq.html
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
# Keep root from altering kernel memory via loadable modules.
# Enable Control Flow Integrity (since v6.1).
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set
+
+# Dangerous; enabling this disables vDSO ASLR on X86_64 and X86_32.
+# On ARM64 this option has different meaning.
+# CONFIG_COMPAT_VDSO is not set