From: Tyler Hicks Date: Thu, 17 Jan 2019 17:47:44 +0000 (+0000) Subject: Make KSPP recommendations config x86_64 specific X-Git-Tag: v0.5.2~59^2~3 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=531d8f0d3da8668e74f6b7f74dda7c0587a8a0e0;p=kconfig-hardened-check.git Make KSPP recommendations config x86_64 specific Rename the file so that it is clear that the recommendations are x86-64 specific. Signed-off-by: Tyler Hicks --- diff --git a/config_files/kspp-recommendations-x86-64.config b/config_files/kspp-recommendations-x86-64.config new file mode 100644 index 0000000..71ebe6e --- /dev/null +++ b/config_files/kspp-recommendations-x86-64.config @@ -0,0 +1,157 @@ +# CONFIGs +# Linux/x86_64 4.20 Kernel Configuration + +# Report BUG() conditions and kill the offending process. +CONFIG_BUG=y + +# Make sure kernel page tables have safe permissions. +CONFIG_STRICT_KERNEL_RWX=y + +# Report any dangerous memory permissions (not available on all archs). +CONFIG_DEBUG_WX=y + +# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. +CONFIG_STACKPROTECTOR=y +CONFIG_STACKPROTECTOR_STRONG=y + +# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) +# CONFIG_DEVMEM is not set +CONFIG_STRICT_DEVMEM=y +CONFIG_IO_STRICT_DEVMEM=y + +# Provides some protections against SYN flooding. +CONFIG_SYN_COOKIES=y + +# Perform additional validation of various commonly targeted structures. +CONFIG_DEBUG_CREDENTIALS=y +CONFIG_DEBUG_NOTIFIERS=y +CONFIG_DEBUG_LIST=y +CONFIG_DEBUG_SG=y +CONFIG_BUG_ON_DATA_CORRUPTION=y +CONFIG_SCHED_STACK_END_CHECK=y + +# Provide userspace with seccomp BPF API for syscall attack surface reduction. +CONFIG_SECCOMP=y +CONFIG_SECCOMP_FILTER=y + +# Provide userspace with ptrace ancestry protections. +CONFIG_SECURITY=y +CONFIG_SECURITY_YAMA=y + +# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) +CONFIG_HARDENED_USERCOPY=y +# CONFIG_HARDENED_USERCOPY_FALLBACK is not set + +# Randomize allocator freelists, harden metadata. +CONFIG_SLAB_FREELIST_RANDOM=y +CONFIG_SLAB_FREELIST_HARDENED=y + +# Allow allocator validation checking to be enabled (see "slub_debug=P" below). +CONFIG_SLUB_DEBUG=y + +# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). +# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) +CONFIG_PAGE_POISONING=y +CONFIG_PAGE_POISONING_NO_SANITY=y +CONFIG_PAGE_POISONING_ZERO=y + +# Adds guard pages to kernel stacks (not all architectures support this yet). +CONFIG_VMAP_STACK=y + +# Perform extensive checks on reference counting. +CONFIG_REFCOUNT_FULL=y + +# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. +CONFIG_FORTIFY_SOURCE=y + +# Dangerous; enabling this allows direct physical memory writing. +# CONFIG_ACPI_CUSTOM_METHOD is not set + +# Dangerous; enabling this disables brk ASLR. +# CONFIG_COMPAT_BRK is not set + +# Dangerous; enabling this allows direct kernel memory writing. +# CONFIG_DEVKMEM is not set + +# Dangerous; exposes kernel text image layout. +# CONFIG_PROC_KCORE is not set + +# Dangerous; enabling this disables VDSO ASLR. +# CONFIG_COMPAT_VDSO is not set + +# Dangerous; enabling this allows replacement of running kernel. +# CONFIG_KEXEC is not set + +# Dangerous; enabling this allows replacement of running kernel. +# CONFIG_HIBERNATION is not set + +# Prior to v4.1, assists heap memory attacks; best to keep interface disabled. +# CONFIG_INET_DIAG is not set + +# Easily confused by misconfigured userspace, keep off. +# CONFIG_BINFMT_MISC is not set + +# Use the modern PTY interface (devpts) only. +# CONFIG_LEGACY_PTYS is not set + +# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. +# CONFIG_SECURITY_SELINUX_DISABLE is not set + +# Reboot devices immediately if kernel experiences an Oops. +CONFIG_PANIC_ON_OOPS=y +CONFIG_PANIC_TIMEOUT=-1 + +# Keep root from altering kernel memory via loadable modules. +# CONFIG_MODULES is not set + +# But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. +CONFIG_STRICT_MODULE_RWX=y +CONFIG_MODULE_SIG=y +CONFIG_MODULE_SIG_FORCE=y +CONFIG_MODULE_SIG_ALL=y +CONFIG_MODULE_SIG_SHA512=y +CONFIG_MODULE_SIG_HASH="sha512" +CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" + + +# GCC plugins + +# Enable GCC Plugins +CONFIG_GCC_PLUGINS=y + +# Gather additional entropy at boot time for systems that may not have appropriate entropy sources. +CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y + +# Force all structures to be initialized before they are passed to other functions. +CONFIG_GCC_PLUGIN_STRUCTLEAK=y +CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y + +# Randomize the layout of system structures. This may have dramatic performance impact, so +# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y +CONFIG_GCC_PLUGIN_RANDSTRUCT=y + + +#x86_64 + +# Full 64-bit means PAE and NX bit. +CONFIG_X86_64=y + +# Disallow allocating the first 64k of memory. +CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 + +# Randomize position of kernel and memory. +CONFIG_RANDOMIZE_BASE=y +CONFIG_RANDOMIZE_MEMORY=y + +# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. +CONFIG_LEGACY_VSYSCALL_NONE=y + +# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. +CONFIG_PAGE_TABLE_ISOLATION=y + +# Remove additional attack surface, unless you really need them. +# CONFIG_IA32_EMULATION is not set +# CONFIG_X86_X32 is not set +# CONFIG_MODIFY_LDT_SYSCALL is not set + + diff --git a/config_files/kspp-recommendations.config b/config_files/kspp-recommendations.config deleted file mode 100644 index 71ebe6e..0000000 --- a/config_files/kspp-recommendations.config +++ /dev/null @@ -1,157 +0,0 @@ -# CONFIGs -# Linux/x86_64 4.20 Kernel Configuration - -# Report BUG() conditions and kill the offending process. -CONFIG_BUG=y - -# Make sure kernel page tables have safe permissions. -CONFIG_STRICT_KERNEL_RWX=y - -# Report any dangerous memory permissions (not available on all archs). -CONFIG_DEBUG_WX=y - -# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. -CONFIG_STACKPROTECTOR=y -CONFIG_STACKPROTECTOR_STRONG=y - -# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) -# CONFIG_DEVMEM is not set -CONFIG_STRICT_DEVMEM=y -CONFIG_IO_STRICT_DEVMEM=y - -# Provides some protections against SYN flooding. -CONFIG_SYN_COOKIES=y - -# Perform additional validation of various commonly targeted structures. -CONFIG_DEBUG_CREDENTIALS=y -CONFIG_DEBUG_NOTIFIERS=y -CONFIG_DEBUG_LIST=y -CONFIG_DEBUG_SG=y -CONFIG_BUG_ON_DATA_CORRUPTION=y -CONFIG_SCHED_STACK_END_CHECK=y - -# Provide userspace with seccomp BPF API for syscall attack surface reduction. -CONFIG_SECCOMP=y -CONFIG_SECCOMP_FILTER=y - -# Provide userspace with ptrace ancestry protections. -CONFIG_SECURITY=y -CONFIG_SECURITY_YAMA=y - -# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) -CONFIG_HARDENED_USERCOPY=y -# CONFIG_HARDENED_USERCOPY_FALLBACK is not set - -# Randomize allocator freelists, harden metadata. -CONFIG_SLAB_FREELIST_RANDOM=y -CONFIG_SLAB_FREELIST_HARDENED=y - -# Allow allocator validation checking to be enabled (see "slub_debug=P" below). -CONFIG_SLUB_DEBUG=y - -# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below). -# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n) -CONFIG_PAGE_POISONING=y -CONFIG_PAGE_POISONING_NO_SANITY=y -CONFIG_PAGE_POISONING_ZERO=y - -# Adds guard pages to kernel stacks (not all architectures support this yet). -CONFIG_VMAP_STACK=y - -# Perform extensive checks on reference counting. -CONFIG_REFCOUNT_FULL=y - -# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. -CONFIG_FORTIFY_SOURCE=y - -# Dangerous; enabling this allows direct physical memory writing. -# CONFIG_ACPI_CUSTOM_METHOD is not set - -# Dangerous; enabling this disables brk ASLR. -# CONFIG_COMPAT_BRK is not set - -# Dangerous; enabling this allows direct kernel memory writing. -# CONFIG_DEVKMEM is not set - -# Dangerous; exposes kernel text image layout. -# CONFIG_PROC_KCORE is not set - -# Dangerous; enabling this disables VDSO ASLR. -# CONFIG_COMPAT_VDSO is not set - -# Dangerous; enabling this allows replacement of running kernel. -# CONFIG_KEXEC is not set - -# Dangerous; enabling this allows replacement of running kernel. -# CONFIG_HIBERNATION is not set - -# Prior to v4.1, assists heap memory attacks; best to keep interface disabled. -# CONFIG_INET_DIAG is not set - -# Easily confused by misconfigured userspace, keep off. -# CONFIG_BINFMT_MISC is not set - -# Use the modern PTY interface (devpts) only. -# CONFIG_LEGACY_PTYS is not set - -# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off. -# CONFIG_SECURITY_SELINUX_DISABLE is not set - -# Reboot devices immediately if kernel experiences an Oops. -CONFIG_PANIC_ON_OOPS=y -CONFIG_PANIC_TIMEOUT=-1 - -# Keep root from altering kernel memory via loadable modules. -# CONFIG_MODULES is not set - -# But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. -CONFIG_STRICT_MODULE_RWX=y -CONFIG_MODULE_SIG=y -CONFIG_MODULE_SIG_FORCE=y -CONFIG_MODULE_SIG_ALL=y -CONFIG_MODULE_SIG_SHA512=y -CONFIG_MODULE_SIG_HASH="sha512" -CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" - - -# GCC plugins - -# Enable GCC Plugins -CONFIG_GCC_PLUGINS=y - -# Gather additional entropy at boot time for systems that may not have appropriate entropy sources. -CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y - -# Force all structures to be initialized before they are passed to other functions. -CONFIG_GCC_PLUGIN_STRUCTLEAK=y -CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y - -# Randomize the layout of system structures. This may have dramatic performance impact, so -# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y -CONFIG_GCC_PLUGIN_RANDSTRUCT=y - - -#x86_64 - -# Full 64-bit means PAE and NX bit. -CONFIG_X86_64=y - -# Disallow allocating the first 64k of memory. -CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 - -# Randomize position of kernel and memory. -CONFIG_RANDOMIZE_BASE=y -CONFIG_RANDOMIZE_MEMORY=y - -# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. -CONFIG_LEGACY_VSYSCALL_NONE=y - -# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. -CONFIG_PAGE_TABLE_ISOLATION=y - -# Remove additional attack surface, unless you really need them. -# CONFIG_IA32_EMULATION is not set -# CONFIG_X86_X32 is not set -# CONFIG_MODIFY_LDT_SYSCALL is not set - -