From: Alexander Popov Date: Sat, 14 Jan 2023 15:46:45 +0000 (+0300) Subject: Update the KSPP recommendations X-Git-Tag: v0.6.1~17 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=4225858a8fc7c8848d5469baff8efd9080f4a718;p=kconfig-hardened-check.git Update the KSPP recommendations
---
diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
index 621095f..d4493e7 100644
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
@@ -1,5 +1,4 @@
-# CONFIGs
-# Linux/arm 5.17.0 Kernel Configuration
+# Linux/arm 6.1.5 Kernel Configuration
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
index 76c212f..50907ab 100644
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
@@ -1,5 +1,4 @@
-# CONFIGs
-# Linux/arm64 5.17.0 Kernel Configuration
+# Linux/arm64 6.1.5 Kernel Configuration
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -238,6 +237,9 @@ CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
+# Remove arm32 support to reduce syscall attack surface.
+# CONFIG_COMPAT is not set
+
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y
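Review bot: The new comment `# Remove arm32 support to reduce syscall attack surface.` above `# CONFIG_COMPAT is not set` understates what the option removes: on arm64, COMPAT is the whole AArch32 EL0 support (compat ELF loader and, as far as I recall, the 32-bit vDSO), so a kernel built this way can no longer execute any 32-bit user-space binary, not merely the compat syscall entry points. I would state that trade-off in the comment, e.g. `# Remove AArch32 (compat) user-space support to reduce syscall attack surface; 32-bit binaries will no longer run.` Presumably the checker's own rule table is what enforces these recommendations, so it is worth confirming, outside this diff, that a matching COMPAT rule exists for arm64 and the reference file and the tool stay in sync.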
diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
index 7695976..4667aa2 100644
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
@@ -1,5 +1,4 @@
-# CONFIGs
-# Linux/i386 5.17.0 Kernel Configuration
+# Linux/i386 6.1.5 Kernel Configuration
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
index 8f67300..f179b4e 100644
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
@@ -1,5 +1,4 @@
-# CONFIGs
-# Linux/x86_64 5.17.0 Kernel Configuration
+# Linux/x86_64 6.1.5 Kernel Configuration
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -249,9 +248,11 @@ CONFIG_LEGACY_VSYSCALL_NONE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
-# Remove additional attack surface, unless you really need them.
+# Remove additional (32-bit) attack surface, unless you really need them.
+# CONFIG_COMPAT is not set
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
+# CONFIG_X86_X32_ABI is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set
 # Enable chip-specific IOMMU support.
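Review bot: The stale `# CONFIG_X86_X32 is not set` line survives directly above the new `# CONFIG_X86_X32_ABI is not set`; as far as I recall the symbol was renamed to X86_X32_ABI before 6.1, so with the header now declaring 6.1.5 the older line names a symbol that no longer exists and only adds noise to the recommendation, and I would drop it rather than keep both. The new `# CONFIG_COMPAT is not set` line also deserves a hint that, on x86_64, COMPAT is a derived symbol (`def_bool y` gated on IA32_EMULATION or X86_X32_ABI, if memory serves) rather than a user-selectable one, so it cannot be toggled independently of the two options listed under it; a short comment such as `# (COMPAT is implied by the two options below; disable those to clear it)` would stop readers from hunting for it in menuconfig. The broader comment could also say what is lost, e.g. `# Remove additional (32-bit) attack surface: 32-bit and x32 binaries will no longer run.`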