kconfig-hardened-check.git
2 years agoEFI mitigations can't be enabled if EFI is not set 59/head
Martin Rowe [Tue, 15 Mar 2022 12:38:05 +0000 (12:38 +0000)]
EFI mitigations can't be enabled if EFI is not set

Both EFI_DISABLE_PCI_DMA and RESET_ATTACK_MITIGATION depend on EFI, but if EFI is not set, neither config is required.

Useful on embedded devices that use u-boot or similar instead of EFI.

2 years agoFix the BPF_UNPRIV_DEFAULT_OFF check (it is enabled by default)
Alexander Popov [Sun, 13 Mar 2022 22:28:18 +0000 (01:28 +0300)]
Fix the BPF_UNPRIV_DEFAULT_OFF check (it is enabled by default)

2 years agoAdd CONFIG_SLS vs CVE-2021-26341 in Straight-Line-Speculation
Alexander Popov [Sun, 13 Mar 2022 18:12:23 +0000 (21:12 +0300)]
Add CONFIG_SLS vs CVE-2021-26341 in Straight-Line-Speculation

2 years agoAdd the comment that l1d_flush is a part of the l1tf option
Alexander Popov [Sun, 13 Mar 2022 17:39:06 +0000 (20:39 +0300)]
Add the comment that l1d_flush is a part of the l1tf option

2 years agoAdd BPF_UNPRIV_DEFAULT_OFF to cut_attack_surface
Alexander Popov [Sun, 13 Mar 2022 17:18:48 +0000 (20:18 +0300)]
Add BPF_UNPRIV_DEFAULT_OFF to cut_attack_surface

2 years agoUse the option type instead of calling hasattr()
Alexander Popov [Sat, 5 Mar 2022 15:44:16 +0000 (18:44 +0300)]
Use the option type instead of calling hasattr()

2 years agoMerge branch 'refactoring'
Alexander Popov [Sat, 5 Mar 2022 14:42:24 +0000 (17:42 +0300)]
Merge branch 'refactoring'

It has more preparations for solving #46.

2 years agoIntroduce the json_dump() class method refactoring
Alexander Popov [Mon, 14 Feb 2022 21:57:42 +0000 (00:57 +0300)]
Introduce the json_dump() class method

2 years agoImprove 'type' for ComplexOptCheck and PresenceCheck classes
Alexander Popov [Mon, 14 Feb 2022 21:19:42 +0000 (00:19 +0300)]
Improve 'type' for ComplexOptCheck and PresenceCheck classes

2 years agoMake populate_with_data() aware of data type
Alexander Popov [Mon, 14 Feb 2022 21:18:50 +0000 (00:18 +0300)]
Make populate_with_data() aware of data type

2 years agoAdd 'type' for PresenceCheck and VersionCheck
Alexander Popov [Mon, 14 Feb 2022 18:23:58 +0000 (21:23 +0300)]
Add 'type' for PresenceCheck and VersionCheck

2 years agoRename VerCheck to VersionCheck
Alexander Popov [Mon, 14 Feb 2022 18:22:17 +0000 (21:22 +0300)]
Rename VerCheck to VersionCheck

2 years agoAdd more ComplexOptCheck validation
Alexander Popov [Mon, 14 Feb 2022 16:50:21 +0000 (19:50 +0300)]
Add more ComplexOptCheck validation

2 years agoImprove print_unknown_options()
Alexander Popov [Mon, 14 Feb 2022 14:47:21 +0000 (17:47 +0300)]
Improve print_unknown_options()

Don't miss options behind the second level of ComplexOptCheck

2 years agoRemove 'CONFIG_' hardcoding
Alexander Popov [Mon, 14 Feb 2022 07:59:36 +0000 (10:59 +0300)]
Remove 'CONFIG_' hardcoding

2 years agoMerge branch 'refactoring'
Alexander Popov [Fri, 11 Feb 2022 22:16:44 +0000 (01:16 +0300)]
Merge branch 'refactoring'

It has preparations for solving #46.

2 years agoRefactor the OR logic code
Alexander Popov [Fri, 11 Feb 2022 22:03:06 +0000 (01:03 +0300)]
Refactor the OR logic code

2 years agoRename config to kconfig where needed (part II)
Alexander Popov [Fri, 11 Feb 2022 17:08:41 +0000 (20:08 +0300)]
Rename config to kconfig where needed (part II)

2 years agoExtract populate_with_data() from perform_checks()
Alexander Popov [Sat, 22 Jan 2022 23:15:13 +0000 (02:15 +0300)]
Extract populate_with_data() from perform_checks()

2 years agoRename config to kconfig where needed
Alexander Popov [Sat, 22 Jan 2022 22:10:09 +0000 (01:10 +0300)]
Rename config to kconfig where needed

2 years agoPrint the type of a check in the json mode
Alexander Popov [Sat, 22 Jan 2022 21:34:01 +0000 (00:34 +0300)]
Print the type of a check in the json mode

2 years agoComplexOptCheck type has the type of the first opt in it
Alexander Popov [Sat, 22 Jan 2022 21:33:04 +0000 (00:33 +0300)]
ComplexOptCheck type has the type of the first opt in it

2 years agoUpdate the example output in the README (yes, now I like it!)
Alexander Popov [Fri, 21 Jan 2022 23:22:37 +0000 (02:22 +0300)]
Update the example output in the README (yes, now I like it!)

2 years agoDo more output tuning
Alexander Popov [Fri, 21 Jan 2022 23:19:05 +0000 (02:19 +0300)]
Do more output tuning

2 years agoUpdate the example output in the README
Alexander Popov [Fri, 21 Jan 2022 22:35:42 +0000 (01:35 +0300)]
Update the example output in the README

2 years agoAdd check type
Alexander Popov [Fri, 21 Jan 2022 22:33:43 +0000 (01:33 +0300)]
Add check type

2 years agoUpdate the example output in the README
Alexander Popov [Fri, 21 Jan 2022 22:16:31 +0000 (01:16 +0300)]
Update the example output in the README

2 years agoPrint compactly
Alexander Popov [Fri, 21 Jan 2022 22:06:56 +0000 (01:06 +0300)]
Print compactly

2 years agoIntroduce KconfigCheck class
Alexander Popov [Fri, 21 Jan 2022 21:15:16 +0000 (00:15 +0300)]
Introduce KconfigCheck class

2 years agoFix TRIM_UNUSED_KSYMS check
Alexander Popov [Fri, 21 Jan 2022 15:45:54 +0000 (18:45 +0300)]
Fix TRIM_UNUSED_KSYMS check

TRIM_UNUSED_KSYMS can't be enabled if MODULES are disabled.

Thanks to @Churam for reporting.
Refers to #58.

2 years agoAdd l1d_flush (for future reference)
Alexander Popov [Fri, 24 Dec 2021 17:51:11 +0000 (20:51 +0300)]
Add l1d_flush (for future reference)

2 years agoAdd ARM64_PTR_AUTH_KERNEL extracted from ARM64_PTR_AUTH
Alexander Popov [Sun, 5 Dec 2021 11:57:08 +0000 (14:57 +0300)]
Add ARM64_PTR_AUTH_KERNEL extracted from ARM64_PTR_AUTH

2 years agoDocument the output modes specified by the `-m` parameter
Alexander Popov [Sun, 21 Nov 2021 13:09:53 +0000 (16:09 +0300)]
Document the output modes specified by the `-m` parameter

2 years agoTODO: RISC-V
Alexander Popov [Sun, 21 Nov 2021 12:08:39 +0000 (15:08 +0300)]
TODO: RISC-V

See #56

2 years agoUpdate the README (a lot of new checks appeared)
Alexander Popov [Tue, 9 Nov 2021 18:59:43 +0000 (21:59 +0300)]
Update the README (a lot of new checks appeared)

2 years agoKeep the old X86_PTDUMP check as a backup
Alexander Popov [Tue, 9 Nov 2021 18:29:10 +0000 (21:29 +0300)]
Keep the old X86_PTDUMP check as a backup

2 years agoSimplify the check about PTDUMP_DEBUGFS (I was correct)
Alexander Popov [Tue, 9 Nov 2021 18:05:09 +0000 (21:05 +0300)]
Simplify the check about PTDUMP_DEBUGFS (I was correct)

2 years agoAdd more checks from grsecurity for cutting attack surface (part II)
Alexander Popov [Tue, 9 Nov 2021 18:02:57 +0000 (21:02 +0300)]
Add more checks from grsecurity for cutting attack surface (part II)

This includes:
 - KCMP
 - RSEQ
 - LATENCYTOP
 - KCOV
 - PROVIDE_OHCI1394_DMA_INIT
 - SUNRPC_DEBUG
 - FAIL_FUTEX
 - KPROBE_EVENTS
 - UPROBE_EVENTS
 - FUNCTION_TRACER
 - STACK_TRACER
 - HIST_TRIGGERS
 - BLK_DEV_IO_TRACE

2 years agoFix the 'decision' field of the IO_URING check
Alexander Popov [Tue, 9 Nov 2021 17:20:59 +0000 (20:20 +0300)]
Fix the 'decision' field of the IO_URING check

grsecurity disables IO_URING as well to cut attack surface

2 years agoAdd more checks from grsecurity for cutting attack surface (part I)
Alexander Popov [Tue, 9 Nov 2021 17:11:22 +0000 (20:11 +0300)]
Add more checks from grsecurity for cutting attack surface (part I)

This includes:
 - PUNIT_ATOM_DEBUG
 - ACPI_CONFIGFS
 - EDAC_DEBUG
 - DRM_I915_DEBUG
 - BCACHE_CLOSURES_DEBUG
 - DVB_C8SECTPFE
 - MTD_SLRAM
 - MTD_PHRAM

2 years agoFix the 'decision' field of the KPROBES check
Alexander Popov [Tue, 9 Nov 2021 16:48:32 +0000 (19:48 +0300)]
Fix the 'decision' field of the KPROBES check

2 years agoAdd the comment
Alexander Popov [Tue, 9 Nov 2021 16:46:18 +0000 (19:46 +0300)]
Add the comment

3 years agoImprove the README
Alexander Popov [Thu, 23 Sep 2021 12:56:34 +0000 (15:56 +0300)]
Improve the README

3 years agoGet a bit more coverage
Alexander Popov [Thu, 23 Sep 2021 12:35:20 +0000 (15:35 +0300)]
Get a bit more coverage

3 years agoUpdate the README v0.5.14
Alexander Popov [Thu, 23 Sep 2021 12:01:36 +0000 (15:01 +0300)]
Update the README

Ready for the release 0.5.14.

3 years agoMove 'self_protection' & 'maintainer' higher
Alexander Popov [Wed, 22 Sep 2021 10:50:11 +0000 (13:50 +0300)]
Move 'self_protection' & 'maintainer' higher

3 years agoAdd HARDENED_USERCOPY_PAGESPAN check from KSPP
Alexander Popov [Tue, 21 Sep 2021 19:29:22 +0000 (22:29 +0300)]
Add HARDENED_USERCOPY_PAGESPAN check from KSPP

3 years agoAdd comments about the maintainer recommendations
Alexander Popov [Tue, 21 Sep 2021 18:35:12 +0000 (21:35 +0300)]
Add comments about the maintainer recommendations

Refers to #53

3 years agoFix UBSAN_BOUNDS recommendations
Alexander Popov [Tue, 21 Sep 2021 18:19:51 +0000 (21:19 +0300)]
Fix UBSAN_BOUNDS recommendations

Thanks to @kees and @equaeghe

Refers to #53

3 years agoRANDOMIZE_KSTACK_OFFSET_DEFAULT is recommended by KSPP
Alexander Popov [Tue, 21 Sep 2021 17:44:17 +0000 (20:44 +0300)]
RANDOMIZE_KSTACK_OFFSET_DEFAULT is recommended by KSPP

Thanks to @anthraxx

3 years agoUpdate the KSPP recommendations
Alexander Popov [Thu, 16 Sep 2021 18:01:57 +0000 (21:01 +0300)]
Update the KSPP recommendations

3 years agoAdd defconfigs for Linux v5.14
Alexander Popov [Thu, 16 Sep 2021 16:54:35 +0000 (19:54 +0300)]
Add defconfigs for Linux v5.14

3 years agoMerge pull request #54 from evdenis/master
Alexander Popov [Fri, 10 Sep 2021 21:26:54 +0000 (00:26 +0300)]
Merge pull request #54 from evdenis/master

Recommend disabling CONFIG_BLK_DEV_FD ( thanks to @evdenis )

3 years agoAdd BLK_DEV_FD 54/head
Denis Efremov [Fri, 10 Sep 2021 12:30:04 +0000 (15:30 +0300)]
Add BLK_DEV_FD

Floppy driver was written many years ago. It was designed to
work in a single-threaded environment (many global variables)
and to work on real hardware which has significant delays
(floppy drives are slow). Nowadays, when we use virtual
devices (which are fast) and multi-core cpus, floppy driver
shows its problems including deadlocking/livelocking and
other security-related issues. However, we can't just
rewrite it because lack of real hardware and compatibility
with existing userspace tools, many of which rely on
undocumented driver behavior.

Here are some CVEs related to floppy driver:
 - CVE-2014-1737 privileges escalation in FDRAWCMD ioctl
 - CVE-2014-1738 info leak from kernel heap in FDRAWCMD ioctl
 - CVE-2018-7755 kernel pointer lead in FDGETPRM ioctl
 - CVE-2019-14283 integer overflow and out-of-bounds read in set_geometry
 - CVE-2019-14284 denial of service in setup_format_params
 - CVE-2020-9383 out-of-bounds read in set_fdc
 - CVE-2021-20261 race condition in floppy_revalidate,
   floppy_check_events

As pointed by Linus [1]:
> The only users are virtualization, and even they are going away
> because floppies are so small, and other things have become more
> standard anyway (ie USB disk) or easier to emulate (NVMe or whatever).
> So I suspect the only reason floppy is used even in that area is just
> legacy "we haven't bothered updating to anything better and we have
> old scripts and images that work".

CONFIG_BLK_DEV_FD is not enabled in defconfig on x86_64.
Many distros already require root access for /dev/fd0.
However, qemu (5.2.0) still enables floppy device by default.

[1] https://lore.kernel.org/all/CAHk-=whFAAV_TOLFNnj=wu4mD2L9OvgB6n2sKDdmd8buMKFv8A@mail.gmail.com/

3 years agoAdd RANDOMIZE_KSTACK_OFFSET_DEFAULT
Alexander Popov [Fri, 20 Aug 2021 16:34:35 +0000 (19:34 +0300)]
Add RANDOMIZE_KSTACK_OFFSET_DEFAULT

This refers to the pull request #52.

Thanks to Levente Polyak aka @anthraxx.

3 years agoAdd CFI_CLANG
Alexander Popov [Sun, 29 Aug 2021 21:16:27 +0000 (00:16 +0300)]
Add CFI_CLANG

3 years agoAdd ARM64_EPAN
Alexander Popov [Fri, 20 Aug 2021 17:10:54 +0000 (20:10 +0300)]
Add ARM64_EPAN

3 years agoMerge pull request #51 from Hacks4Snacks/master
Alexander Popov [Fri, 20 Aug 2021 18:19:03 +0000 (21:19 +0300)]
Merge pull request #51 from Hacks4Snacks/master

Added the CBL-Mariner kernel configuration file.

3 years agoAdded Linux/x86_64 kernel config link for CBL-Mariner 51/head
Mark D. Gray [Fri, 20 Aug 2021 17:39:03 +0000 (12:39 -0500)]
Added Linux/x86_64 kernel config link for CBL-Mariner

3 years agoAdded cbl-mariner kernel configuration file.
Mark D. Gray [Thu, 19 Aug 2021 20:40:09 +0000 (15:40 -0500)]
Added cbl-mariner kernel configuration file.

3 years agoAdd hardware tag-based KASAN with arm64 Memory Tagging Extension
Alexander Popov [Sat, 14 Aug 2021 07:10:13 +0000 (10:10 +0300)]
Add hardware tag-based KASAN with arm64 Memory Tagging Extension

3 years agoAdd the command line parameters that should NOT be set
Alexander Popov [Sat, 14 Aug 2021 06:33:14 +0000 (09:33 +0300)]
Add the command line parameters that should NOT be set

3 years agoDocument the changes of vm.unprivileged_userfaultfd in v5.11
Alexander Popov [Sun, 8 Aug 2021 22:00:28 +0000 (01:00 +0300)]
Document the changes of vm.unprivileged_userfaultfd in v5.11

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=37cd0575b8510159992d279c530c05f872990b02
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d0d4730ac2e404a5b0da9a87ef38c73e51cb1664

3 years agoAdd the news about PAGE_POISONING
Alexander Popov [Sun, 8 Aug 2021 13:48:04 +0000 (16:48 +0300)]
Add the news about PAGE_POISONING

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f289041ed4cf9a3f6e8a32068fef9ffb2acc5662
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f424750baaafcef229791882e879da01c9473b5

3 years agoImprove wording
Alexander Popov [Fri, 2 Jul 2021 12:56:13 +0000 (15:56 +0300)]
Improve wording

3 years agoUpdate the README. v0.5.10
Alexander Popov [Sat, 19 Jun 2021 17:36:31 +0000 (20:36 +0300)]
Update the README.

Ready for the release 0.5.10.

3 years agoFix pylint warning
Alexander Popov [Sat, 19 Jun 2021 15:42:02 +0000 (18:42 +0300)]
Fix pylint warning

3 years agoRemember that SHADOW_CALL_STACK depends on clang
Alexander Popov [Sat, 19 Jun 2021 15:22:23 +0000 (18:22 +0300)]
Remember that SHADOW_CALL_STACK depends on clang

3 years agoSTACKPROTECTOR_PER_TASK is also available for ARM64
Alexander Popov [Sat, 19 Jun 2021 15:20:02 +0000 (18:20 +0300)]
STACKPROTECTOR_PER_TASK is also available for ARM64

3 years agoINTEL_IOMMU_SVM is available only for X86_64
Alexander Popov [Sat, 19 Jun 2021 15:17:33 +0000 (18:17 +0300)]
INTEL_IOMMU_SVM is available only for X86_64

3 years agoReorder arch checks
Alexander Popov [Sat, 19 Jun 2021 15:08:30 +0000 (18:08 +0300)]
Reorder arch checks

3 years agoSECURITY_DMESG_RESTRICT is recommended by KSPP now
Alexander Popov [Sat, 19 Jun 2021 12:40:13 +0000 (15:40 +0300)]
SECURITY_DMESG_RESTRICT is recommended by KSPP now

3 years agoThink about kptr_restrict later (KSPP recommends to set it to 1)
Alexander Popov [Sat, 19 Jun 2021 11:49:03 +0000 (14:49 +0300)]
Think about kptr_restrict later (KSPP recommends to set it to 1)

3 years agoMention that nosmt is slow
Alexander Popov [Sat, 19 Jun 2021 11:46:54 +0000 (14:46 +0300)]
Mention that nosmt is slow

3 years agoMore info on init_on_free and init_on_alloc
Alexander Popov [Sat, 19 Jun 2021 11:46:07 +0000 (14:46 +0300)]
More info on init_on_free and init_on_alloc

3 years agoSLUB_DEBUG_ON is very slow, leave it for the kernel command line
Alexander Popov [Sat, 19 Jun 2021 11:45:02 +0000 (14:45 +0300)]
SLUB_DEBUG_ON is very slow, leave it for the kernel command line

3 years agoUpdate KSPP recommendations
Alexander Popov [Sat, 19 Jun 2021 11:27:21 +0000 (14:27 +0300)]
Update KSPP recommendations

3 years agoAdd defconfigs for v5.10
Alexander Popov [Sat, 19 Jun 2021 11:15:14 +0000 (14:15 +0300)]
Add defconfigs for v5.10

Made with updated https://github.com/a13xp0p0v/kernel-build-containers

Excellent!

3 years agoHARDEN_BRANCH_PREDICTOR for ARM64 is enabled by default since v5.10
Alexander Popov [Sat, 19 Jun 2021 10:04:30 +0000 (13:04 +0300)]
HARDEN_BRANCH_PREDICTOR for ARM64 is enabled by default since v5.10

3 years agoAdd ARM64_MTE for userspace
Alexander Popov [Fri, 18 Jun 2021 21:12:46 +0000 (00:12 +0300)]
Add ARM64_MTE for userspace

3 years agoMaybe SHADOW_CALL_STACK should be alternative to STACKPROTECTOR_STRONG
Alexander Popov [Fri, 18 Jun 2021 21:11:41 +0000 (00:11 +0300)]
Maybe SHADOW_CALL_STACK should be alternative to STACKPROTECTOR_STRONG

3 years agoSave 'debugfs=no-mount' for future
Alexander Popov [Fri, 18 Jun 2021 17:47:20 +0000 (20:47 +0300)]
Save 'debugfs=no-mount' for future

4 years agoUpdate the README. v0.5.9
Alexander Popov [Fri, 30 Oct 2020 17:56:45 +0000 (20:56 +0300)]
Update the README.

Ready for the release 0.5.9.

4 years agoFix indentation (thanks to pylint)
Alexander Popov [Fri, 30 Oct 2020 17:44:07 +0000 (20:44 +0300)]
Fix indentation (thanks to pylint)

4 years agoAdd a Q&A about spectre-meltdown-checker maintained by @speed47
Alexander Popov [Thu, 29 Oct 2020 08:03:24 +0000 (11:03 +0300)]
Add a Q&A about spectre-meltdown-checker maintained by @speed47

4 years agoINIT_STACK_ALL -> INIT_STACK_ALL_ZERO (was renamed)
Alexander Popov [Fri, 23 Oct 2020 18:03:01 +0000 (21:03 +0300)]
INIT_STACK_ALL -> INIT_STACK_ALL_ZERO (was renamed)

4 years agoAdd SHADOW_CALL_STACK for ARM64
Alexander Popov [Fri, 23 Oct 2020 17:53:33 +0000 (20:53 +0300)]
Add SHADOW_CALL_STACK for ARM64

4 years agoAdd the recommendation about TRIM_UNUSED_KSYMS
Alexander Popov [Thu, 22 Oct 2020 19:46:27 +0000 (22:46 +0300)]
Add the recommendation about TRIM_UNUSED_KSYMS

4 years agoAdd ARM64_BTI_KERNEL
Alexander Popov [Thu, 22 Oct 2020 19:38:35 +0000 (22:38 +0300)]
Add ARM64_BTI_KERNEL

4 years agoAdd the recommendation about UBSAN_BOUNDS
Alexander Popov [Thu, 22 Oct 2020 18:42:21 +0000 (21:42 +0300)]
Add the recommendation about UBSAN_BOUNDS

Enable UBSAN_BOUNDS and UBSAN_TRAP.
But keep UBSAN_MISC disabled to avoid useless reports.

4 years agoPAGE_POISONING -> PAGE_POISONING_ZERO
Alexander Popov [Thu, 22 Oct 2020 17:46:04 +0000 (20:46 +0300)]
PAGE_POISONING -> PAGE_POISONING_ZERO

In fact, KSPP recommends PAGE_POISONING_ZERO.

4 years agoImprove AND check reports
Alexander Popov [Thu, 22 Oct 2020 16:59:00 +0000 (19:59 +0300)]
Improve AND check reports

4 years agoImprove HARDEN_EL2_VECTORS check
Alexander Popov [Thu, 22 Oct 2020 16:09:35 +0000 (19:09 +0300)]
Improve HARDEN_EL2_VECTORS check

In fact HARDEN_EL2_VECTORS was included in RANDOMIZE_BASE in v5.9.
Use new nested ComplexOptChecks for this rule.

Refers to #48.

4 years agoMerge remote-tracking branch 'pgils/el2_vectors'
Alexander Popov [Thu, 22 Oct 2020 15:55:31 +0000 (18:55 +0300)]
Merge remote-tracking branch 'pgils/el2_vectors'

Thanks, @pgils.

Refers to #48.

4 years agoAdd nested ComplexOptChecks support
Alexander Popov [Wed, 21 Oct 2020 18:20:37 +0000 (21:20 +0300)]
Add nested ComplexOptChecks support

Now we can do things like OR(opt1, AND(opt2, opt3)).
Cool!

Refers to #48

4 years agoDo not check CONFIG_HARDEN_EL2_VECTORS for v5.9+ 48/head
Pelle van Gils [Mon, 19 Oct 2020 13:07:53 +0000 (15:07 +0200)]
Do not check CONFIG_HARDEN_EL2_VECTORS for v5.9+

4 years agoAdd TODO about SLUB_DEBUG_ON
Alexander Popov [Fri, 16 Oct 2020 15:51:01 +0000 (18:51 +0300)]
Add TODO about SLUB_DEBUG_ON

4 years agoAdd CLIP OS recommendation about EFI_CUSTOM_SSDT_OVERLAYS
Alexander Popov [Fri, 16 Oct 2020 15:39:41 +0000 (18:39 +0300)]
Add CLIP OS recommendation about EFI_CUSTOM_SSDT_OVERLAYS

4 years agoDisabling ACPI_TABLE_UPGRADE is now recommended by CLIP OS
Alexander Popov [Fri, 16 Oct 2020 15:37:35 +0000 (18:37 +0300)]
Disabling ACPI_TABLE_UPGRADE is now recommended by CLIP OS

4 years agoWithdraw my recommendation about BPF_JIT
Alexander Popov [Fri, 16 Oct 2020 15:05:37 +0000 (18:05 +0300)]
Withdraw my recommendation about BPF_JIT

CLIP OS wiki and Kees say that BPF interpreter is worse for the kernel
security than BPF_JIT.

So for now I withdraw my recommendation about BPF_JIT.

N.B. LOCKDOWN disables BPF_SYSCALL, but not BPF_JIT.