From: Alexander Popov Date: Thu, 5 Mar 2020 20:11:55 +0000 (+0300) Subject: Update KSPP recommendations X-Git-Tag: v0.5.5~32 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=1d13eaad7cafd60abae7cbd47de9f18ebae86520;p=kconfig-hardened-check.git Update KSPP recommendations --- diff --git a/config_files/kspp-recommendations/kspp-recommendations-arm.config b/config_files/kspp-recommendations/kspp-recommendations-arm.config index 72d5f6a..9aaceb9 100644 --- a/config_files/kspp-recommendations/kspp-recommendations-arm.config +++ b/config_files/kspp-recommendations/kspp-recommendations-arm.config @@ -11,6 +11,9 @@ CONFIG_STRICT_KERNEL_RWX=y CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. +# Prior to v4.18, these are: +# CONFIG_CC_STACKPROTECTOR=y +# CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y @@ -41,11 +44,15 @@ CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set +# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y +# Randomize high-order page allocation freelist. +CONFIG_SHUFFLE_PAGE_ALLOCATOR=y + # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y 
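Review bot: In the `@@ -41,11 +44,15 @@` hunk of kspp-recommendations-arm.config, `CONFIG_SHUFFLE_PAGE_ALLOCATOR=y` is added without saying that the option on its own usually only builds the feature in. As far as I know, shuffling is switched on automatically only when a memory-side cache is detected and otherwise has to be requested with `page_alloc.shuffle=1`, so a kernel can match this line and still run with an unshuffled page freelist. I would add `# Needs "page_alloc.shuffle=1" on the kernel command line unless the platform enables it automatically.` above the option. A short reason would also help on `# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set`, which is added with no explanation of why it is disabled. The identical hunk in the arm64, x86-32 and x86-64 files needs the same comments.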
@@ -55,6 +62,15 @@ CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y +# Wipe slab and page allocations (since v5.3) +# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. +# The init_on_free is only needed if there is concern about minimizing stale data lifetime. +CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y +CONFIG_INIT_ON_FREE_DEFAULT_ON=y + +# Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) +CONFIG_INIT_STACK_ALL=y + # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y @@ -113,7 +129,6 @@ CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" - # GCC plugins # Enable GCC Plugins @@ -123,15 +138,19 @@ CONFIG_GCC_PLUGINS=y CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. +# When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y +# Wipe stack contents on syscall exit (reduces stale data lifetime in stack) +CONFIG_GCC_PLUGIN_STACKLEAK=y + # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y -#arm +# arm CONFIG_ARM=y diff --git a/config_files/kspp-recommendations/kspp-recommendations-arm64.config b/config_files/kspp-recommendations/kspp-recommendations-arm64.config index ac4c865..b397673 100644 --- a/config_files/kspp-recommendations/kspp-recommendations-arm64.config +++ b/config_files/kspp-recommendations/kspp-recommendations-arm64.config 
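Review bot: In the `@@ -55,6 +62,15 @@` hunk of kspp-recommendations-arm.config, the new comment presents init_on_alloc/init_on_free as a replacement for `slub_debug=P` and `page_poison=1`, yet the `CONFIG_PAGE_POISONING*` lines directly above stay in the file with no word on how the two mechanisms combine. As far as I know, in the kernels that introduced these options an active page poisoning setup takes precedence and the init_on_* wiping is skipped for pages, so enabling everything listed may not give the behaviour the comment describes. I would add `# If page_poison=1 is still passed at boot, page poisoning takes precedence over init_on_alloc/init_on_free.`, or mark the PAGE_POISONING block as the pre-v5.3 alternative. The hunk repeats unchanged in the arm64, x86-32 and x86-64 files.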
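Review bot: In the `@@ -123,15 +138,19 @@` hunk of kspp-recommendations-arm.config, `CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y` stays a plain `=y` line while the same commit adds `CONFIG_INIT_STACK_ALL=y` further up; both belong to the same Kconfig choice for stack variable initialization, so no single build can satisfy both. The added `# When building with GCC:` comment hints at this, but anything that reads the file line by line as a required set will always see one of the two as missing; how the checker consumes these files is not visible in the diff. I would spell it out above the STRUCTLEAK lines, e.g. `# GCC alternative to CONFIG_INIT_STACK_ALL=y above; the two are mutually exclusive, enable the one matching the compiler.` The same applies to the matching hunk in the arm64, x86-32 and x86-64 files.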
@@ -11,6 +11,9 @@ CONFIG_STRICT_KERNEL_RWX=y CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. +# Prior to v4.18, these are: +# CONFIG_CC_STACKPROTECTOR=y +# CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y @@ -41,11 +44,15 @@ CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set +# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y +# Randomize high-order page allocation freelist. +CONFIG_SHUFFLE_PAGE_ALLOCATOR=y + # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y @@ -55,6 +62,15 @@ CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y +# Wipe slab and page allocations (since v5.3) +# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. +# The init_on_free is only needed if there is concern about minimizing stale data lifetime. +CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y +CONFIG_INIT_ON_FREE_DEFAULT_ON=y + +# Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) +CONFIG_INIT_STACK_ALL=y + # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y @@ -113,7 +129,6 @@ CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" - # GCC plugins # Enable GCC Plugins 
@@ -123,15 +138,19 @@ CONFIG_GCC_PLUGINS=y CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. +# When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y +# Wipe stack contents on syscall exit (reduces stale data lifetime in stack) +CONFIG_GCC_PLUGIN_STACKLEAK=y + # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y -#arm64 +# arm64 CONFIG_ARM64=y diff --git a/config_files/kspp-recommendations/kspp-recommendations-x86-32.config b/config_files/kspp-recommendations/kspp-recommendations-x86-32.config index 442eae8..04bdced 100644 --- a/config_files/kspp-recommendations/kspp-recommendations-x86-32.config +++ b/config_files/kspp-recommendations/kspp-recommendations-x86-32.config @@ -11,6 +11,9 @@ CONFIG_STRICT_KERNEL_RWX=y CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. +# Prior to v4.18, these are: +# CONFIG_CC_STACKPROTECTOR=y +# CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y @@ -41,11 +44,15 @@ CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set +# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y +# Randomize high-order page allocation freelist. +CONFIG_SHUFFLE_PAGE_ALLOCATOR=y + # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y 
@@ -55,6 +62,15 @@ CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y +# Wipe slab and page allocations (since v5.3) +# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. +# The init_on_free is only needed if there is concern about minimizing stale data lifetime. +CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y +CONFIG_INIT_ON_FREE_DEFAULT_ON=y + +# Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) +CONFIG_INIT_STACK_ALL=y + # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y @@ -113,7 +129,6 @@ CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" - # GCC plugins # Enable GCC Plugins @@ -123,15 +138,18 @@ CONFIG_GCC_PLUGINS=y CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. +# When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y +# Wipe stack contents on syscall exit (reduces stale data lifetime in stack) +CONFIG_GCC_PLUGIN_STACKLEAK=y + # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y - -#x86_32 +# x86_32 CONFIG_X86_32=y diff --git a/config_files/kspp-recommendations/kspp-recommendations-x86-64.config b/config_files/kspp-recommendations/kspp-recommendations-x86-64.config index 1345a07..a0ba882 100644 --- a/config_files/kspp-recommendations/kspp-recommendations-x86-64.config +++ b/config_files/kspp-recommendations/kspp-recommendations-x86-64.config 
@@ -11,6 +11,9 @@ CONFIG_STRICT_KERNEL_RWX=y CONFIG_DEBUG_WX=y # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. +# Prior to v4.18, these are: +# CONFIG_CC_STACKPROTECTOR=y +# CONFIG_CC_STACKPROTECTOR_STRONG=y CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y @@ -41,11 +44,15 @@ CONFIG_SECURITY_YAMA=y # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set +# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y +# Randomize high-order page allocation freelist. +CONFIG_SHUFFLE_PAGE_ALLOCATOR=y + # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y @@ -55,6 +62,15 @@ CONFIG_PAGE_POISONING=y CONFIG_PAGE_POISONING_NO_SANITY=y CONFIG_PAGE_POISONING_ZERO=y +# Wipe slab and page allocations (since v5.3) +# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now. +# The init_on_free is only needed if there is concern about minimizing stale data lifetime. +CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y +CONFIG_INIT_ON_FREE_DEFAULT_ON=y + +# Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below) +CONFIG_INIT_STACK_ALL=y + # Adds guard pages to kernel stacks (not all architectures support this yet). CONFIG_VMAP_STACK=y @@ -113,7 +129,6 @@ CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" - # GCC plugins # Enable GCC Plugins 
@@ -123,9 +138,13 @@ CONFIG_GCC_PLUGINS=y CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y # Force all structures to be initialized before they are passed to other functions. +# When building with GCC: CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y +# Wipe stack contents on syscall exit (reduces stale data lifetime in stack) +CONFIG_GCC_PLUGIN_STACKLEAK=y + # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y