From: Alexander Popov Date: Wed, 19 Jun 2024 18:12:05 +0000 (+0300) Subject: Update the KSPP recommendations (https://github.com/KSPP/linux/issues/362) X-Git-Tag: v0.6.10~43 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=b0a5937d6c0102adc9b24e89899681059c3af3a4;p=kconfig-hardened-check.git Update the KSPP recommendations (https://github.com/KSPP/linux/issues/362) Thanks to @kees!
---
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
index 1b4caac..3a1f67b 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
@@ -142,6 +142,7 @@ CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
 
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
@@ -151,6 +152,10 @@ CONFIG_HW_RANDOM_TPM=y
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 
+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
+CONFIG_RANDSTRUCT_FULL=y
+
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 
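Review bot: The new `# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set` line pins only the build-time default, and the comment above it gives the strict command line without warning that the opposite setting (`iommu.passthrough=1`, or `iommu=pt` on x86) overrides this default at boot regardless of the .config, so a check that reads only the .config can report strict DMA isolation while devices are actually identity-mapped. I would extend the comment with `# Kconfig only sets the default: iommu.passthrough=1 (or iommu=pt on x86) on the command line re-enables passthrough, so check the cmdline too.` On kernels where the default domain type is a Kconfig choice (v5.15 onwards, as far as I recall) this line is already implied by CONFIG_IOMMU_DEFAULT_DMA_STRICT=y, so a short note that it is kept for older kernels where PASSTHROUGH was an independent bool would stop someone from deleting it as redundant.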
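Review bot: The new comment says CONFIG_RANDSTRUCT_PERFORMANCE=y may be "better" without saying what is traded: that mode restricts shuffling to within cache lines and skips bitfields, so it is weaker randomization bought for lower overhead, and a hardening recommendation should say so. It also omits the operational caveat that matters most for RANDSTRUCT: the layout is derived from a seed generated at build time, out-of-tree modules must be built against the same seed (the option selects MODVERSIONS so mismatched modules fail to load), and publishing the seed or artifacts that embed it removes the protection. I would reword the second comment line to `# use with caution. On GCC, CONFIG_RANDSTRUCT_PERFORMANCE=y limits shuffling to cache lines: cheaper but weaker.` and add `# The build-time randomization seed must be kept secret and reused for out-of-tree modules.` The same wording is pasted into every kconfig file of this commit, so the fix applies to each copy.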
@@ -242,11 +247,6 @@ CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 
-# Randomize the layout of system structures. This may have dramatic performance impact, so
-# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
-
 # arm
 CONFIG_ARM=y
 
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-clang.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-clang.config
index d2af013..0acc81e 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-clang.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-clang.config
@@ -142,6 +142,7 @@ CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
 
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
@@ -151,6 +152,10 @@ CONFIG_HW_RANDOM_TPM=y
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 
+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
+CONFIG_RANDSTRUCT_FULL=y
+
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 
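Review bot: In this Clang-specific config the new comment's "If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better" is dead advice, because RANDSTRUCT_PERFORMANCE is implemented by the GCC plugin only and is not selectable in a Clang build; the comment should state the Clang precondition instead. Clang gained -frandomize-layout-seed in release 15, and the kernel gates CC_HAS_RANDSTRUCT on a newer Clang than that because of a compiler bug (16, if I remember the Kconfig comment correctly), so with an older toolchain `CONFIG_RANDSTRUCT_FULL=y` simply cannot be enabled and the checker will flag it without explaining why. I would replace the second comment line in the clang configs with `# use with caution. Requires a Clang with CONFIG_CC_HAS_RANDSTRUCT; CONFIG_RANDSTRUCT_PERFORMANCE is GCC-plugin only.` The same applies to the x86-64-clang copy later in this commit.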
@@ -242,11 +247,6 @@ CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 
-# Randomize the layout of system structures. This may have dramatic performance impact, so
-# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
-
 # arm64
 CONFIG_ARM64=y
 
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-gcc.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-gcc.config
index 350d8e1..f40be7f 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-gcc.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-gcc.config
@@ -142,6 +142,7 @@ CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
 
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
@@ -151,6 +152,10 @@ CONFIG_HW_RANDOM_TPM=y
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 
+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
+CONFIG_RANDSTRUCT_FULL=y
+
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 
@@ -242,11 +247,6 @@ CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 
-# Randomize the layout of system structures. This may have dramatic performance impact, so
-# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
-
 # arm64
 CONFIG_ARM64=y
 
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config
index 3e02972..4d1d1d3 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config
@@ -142,6 +142,7 @@ CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
 
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
@@ -151,6 +152,10 @@ CONFIG_HW_RANDOM_TPM=y
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 
+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
+CONFIG_RANDSTRUCT_FULL=y
+
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 
@@ -242,11 +247,6 @@ CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 
-# Randomize the layout of system structures. This may have dramatic performance impact, so
-# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
-
 # x86_32
 CONFIG_X86_32=y
 
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-clang.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-clang.config
index b6e4b6f..a65abeb 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-clang.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-clang.config
@@ -142,6 +142,7 @@ CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
 
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
@@ -151,6 +152,10 @@ CONFIG_HW_RANDOM_TPM=y
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 
+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
+CONFIG_RANDSTRUCT_FULL=y
+
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 
@@ -242,11 +247,6 @@ CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 
-# Randomize the layout of system structures. This may have dramatic performance impact, so
-# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
-
 # x86_64
 
 # Full 64-bit means PAE and NX bit.
@@ -268,7 +268,7 @@ CONFIG_RANDOMIZE_MEMORY=y
 CONFIG_LEGACY_VSYSCALL_NONE=y
 
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
-CONFIG_PAGE_TABLE_ISOLATION=y
+CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y
 
 # Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18)
 CONFIG_X86_KERNEL_IBT=y
@@ -291,7 +291,7 @@ CONFIG_AMD_IOMMU=y
 CONFIG_AMD_IOMMU_V2=y
 
 # Straight-Line-Speculation
-CONFIG_SLS=y
+CONFIG_MITIGATION_SLS=y
 
 # Enable Control Flow Integrity (since v6.1).
 CONFIG_CFI_CLANG=y
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config
index caa10c8..02a3c6f 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config
@@ -142,6 +142,7 @@ CONFIG_EFI_DISABLE_PCI_DMA=y
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
 CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
+# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
 
 # Enable feeding RNG entropy from TPM, if available.
 CONFIG_HW_RANDOM_TPM=y
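Review bot: `CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y` and `CONFIG_MITIGATION_SLS=y` exist under these names only on recent kernels (the x86 mitigation Kconfig rename landed in v6.9, as far as I can tell); on anything older the symbols are still CONFIG_PAGE_TABLE_ISOLATION and CONFIG_SLS, so a checker applying this file to a 6.6 LTS .config will report both as missing while the old options are in fact enabled. The neighbouring comments in these very hunks already carry version notes ("Since v5.18", "since v6.1"), so the two renamed lines should follow that convention, e.g. `# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. (CONFIG_PAGE_TABLE_ISOLATION before v6.9)` and `# Straight-Line-Speculation (CONFIG_SLS before v6.9)`. Whether the checker maps the old names onto the new ones for older kernels is not visible here and should be confirmed, since otherwise users on supported LTS kernels get a false failure. The same two renames appear again in the x86-64-gcc hunks that follow.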
@@ -151,6 +152,10 @@ CONFIG_HW_RANDOM_TPM=y
 CONFIG_RANDOM_TRUST_BOOTLOADER=y
 CONFIG_RANDOM_TRUST_CPU=y
 
+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution. If using GCC, you can check if using CONFIG_RANDSTRUCT_PERFORMANCE=y is better.
+CONFIG_RANDSTRUCT_FULL=y
+
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 
@@ -242,11 +247,6 @@ CONFIG_GCC_PLUGIN_STACKLEAK=y
 # CONFIG_STACKLEAK_METRICS is not set
 # CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 
-# Randomize the layout of system structures. This may have dramatic performance impact, so
-# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
-CONFIG_GCC_PLUGIN_RANDSTRUCT=y
-# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
-
 # x86_64
 
 # Full 64-bit means PAE and NX bit.
@@ -268,7 +268,7 @@ CONFIG_RANDOMIZE_MEMORY=y
 CONFIG_LEGACY_VSYSCALL_NONE=y
 
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
-CONFIG_PAGE_TABLE_ISOLATION=y
+CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y
 
 # Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18)
 CONFIG_X86_KERNEL_IBT=y
@@ -291,7 +291,7 @@ CONFIG_AMD_IOMMU=y
 CONFIG_AMD_IOMMU_V2=y
 
 # Straight-Line-Speculation
-CONFIG_SLS=y
+CONFIG_MITIGATION_SLS=y
 
 # Enable Control Flow Integrity (since v6.1).
 CONFIG_CFI_CLANG=y
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-sysctl.txt b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-sysctl.txt
index c45c201..4c0c6eb 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-sysctl.txt
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-sysctl.txt
@@ -1,7 +1,7 @@
 kernel.printk = 3 4 1 7
 kernel.kptr_restrict = 2
 kernel.dmesg_restrict = 1
-kernel.disable_modules = 1
+kernel.modules_disabled = 1
 kernel.perf_event_paranoid = 3
 kernel.kexec_load_disabled = 1
 kernel.randomize_va_space = 2
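Review bot: `kernel.modules_disabled = 1` is a one-way latch: once written it cannot be cleared until reboot and every subsequent module load fails, including kernel-triggered autoloading, so this file cannot be applied early at boot together with the other keys without breaking anything that loads later (filesystems, netfilter, hotplugged drivers). The corrected key name makes the setting take effect for the first time, which is exactly when this ordering problem will surface, and nothing in the file says so. I would add `# one-way switch: apply only after all required modules are loaded (late sysctl.d drop-in or a unit ordered after module loading)` above this line, if the checker's parser for this file tolerates `#` comments, which I cannot confirm from here.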