From b22708589a1f4138db2fbb192cd28b00d046cdaa Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Mon, 10 Jun 2024 16:44:21 +0300
Subject: [PATCH] Update the KSPP recommendations

Thanks to Kees for working together!
---
 .../kspp-cmdline-x86-64.txt | 2 +-
 .../kspp-kconfig-arm.config | 16 +++++++++++++
 .../kspp-kconfig-arm64.config | 19 ++++++++++++++-
 .../kspp-kconfig-x86-32.config | 16 +++++++++++++
 .../kspp-kconfig-x86-64.config | 24 ++++++++++++++++++-
 .../kspp-recommendations/kspp-sysctl.txt | 3 +++
 6 files changed, 77 insertions(+), 3 deletions(-)

diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-cmdline-x86-64.txt b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-cmdline-x86-64.txt
index e053b2d..f2a666c 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-cmdline-x86-64.txt
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-cmdline-x86-64.txt
@@ -1 +1 @@
-hardened_usercopy=1 init_on_alloc=1 init_on_free=1 randomize_kstack_offset=on page_alloc.shuffle=1 slab_nomerge pti=on nosmt slub_debug=ZF slub_debug=P page_poison=1 iommu.passthrough=0 iommu.strict=1 mitigations=auto,nosmt vsyscall=none vdso32=0
+hardened_usercopy=1 init_on_alloc=1 init_on_free=1 randomize_kstack_offset=on page_alloc.shuffle=1 slab_nomerge pti=on nosmt slub_debug=ZF slub_debug=P page_poison=1 iommu.passthrough=0 iommu.strict=1 mitigations=auto,nosmt vsyscall=none vdso32=0 cfi=kcfi
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
index c750260..e0818e3 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
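Review bot: The `cfi=kcfi` appended to the new command line only does something on a kernel built with CONFIG_CFI_CLANG=y on x86, where (if I read the `cfi=` entry in kernel-parameters correctly) it overrides the default `cfi=auto` that switches to FineIBT on IBT-capable CPUs once CONFIG_X86_KERNEL_IBT is also enabled; on any other build it is just an unknown parameter handed to init. The patch states nowhere why kCFI is pinned over FineIBT, and this one-line file has no room for a comment. The rationale belongs next to `CONFIG_CFI_CLANG=y` in kspp-kconfig-x86-64.config, e.g. `# Pair with cfi=kcfi on the command line: keeps kCFI instead of auto-selecting FineIBT on IBT hardware.`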
@@ -25,6 +25,7 @@ CONFIG_IO_STRICT_DEVMEM=y CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. +CONFIG_LIST_HARDENED=y CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y @@ -52,6 +53,7 @@ CONFIG_SECURITY_LANDLOCK=y # Make sure SELinux cannot be disabled trivially. # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set # CONFIG_SECURITY_SELINUX_DEVELOP is not set +# CONFIG_SECURITY_SELINUX_DEBUG is not set # CONFIG_SECURITY_WRITABLE_HOOKS is not set # Enable "lockdown" LSM for bright line between the root user and kernel memory. @@ -67,11 +69,19 @@ CONFIG_HARDENED_USERCOPY=y # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y +CONFIG_RANDOM_KMALLOC_CACHES=y + +# Make cross-slab heap attacks not as trivial when object sizes are the same. (Same as slab_nomerge boot param.) +# CONFIG_SLAB_MERGE_DEFAULT is not set # Allow for randomization of high-order page allocation freelist. Must be enabled with # the "page_alloc.shuffle=1" command line below). CONFIG_SHUFFLE_PAGE_ALLOCATOR=y +# Sanity check userspace page table mappings (since v5.17) +CONFIG_PAGE_TABLE_CHECK=y +CONFIG_PAGE_TABLE_CHECK_ENFORCED=y + # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y @@ -118,6 +128,7 @@ CONFIG_UBSAN_LOCAL_BOUNDS=y # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead. CONFIG_KFENCE=y +CONFIG_KFENCE_SAMPLE_INTERVAL=100 # Randomize kernel stack offset on syscall entry (since v5.13). CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y 
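Review bot: `CONFIG_LIST_HARDENED=y` is added without the "(since vX)" note the rest of this file carries, and it is implied by the `CONFIG_DEBUG_LIST=y` three lines below it, which selects LIST_HARDENED in lib/Kconfig.debug (from v6.5, when the symbol was introduced, if I recall correctly). Keeping the explicit line is harmless, but a reader should not count it as a separate protection. Suggest `# Corruption checks on list_add()/list_del() (since v6.5; also selected by CONFIG_DEBUG_LIST=y below).`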
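Review bot: In this 32-bit ARM file `CONFIG_PAGE_TABLE_CHECK=y` and `CONFIG_PAGE_TABLE_CHECK_ENFORCED=y` cannot be satisfied: PAGE_TABLE_CHECK depends on ARCH_SUPPORTS_PAGE_TABLE_CHECK, which as far as I can see only x86_64, arm64 and riscv select, so the symbol never appears in an arm32 .config and a check derived from this file fails permanently. Either drop the three lines from kspp-kconfig-arm.config or mark them as not applicable to this architecture. Separately, `CONFIG_RANDOM_KMALLOC_CACHES=y` is the newest option in the hunk and has no version note; suggest `# Spread kmalloc() over randomly chosen copies of each size-class cache (since v6.6).`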
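Review bot: `CONFIG_KFENCE_SAMPLE_INTERVAL=100` pins the upstream default (milliseconds), so on its own it changes nothing, and the bare number hides the value that actually matters: 0 compiles KFENCE in but leaves it switched off unless `kfence.sample_interval=` is passed at boot, while any larger interval still samples. Suggest `# Sampling interval in ms; 0 disables KFENCE unless kfence.sample_interval= is set at boot.`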
@@ -196,10 +207,14 @@ CONFIG_STATIC_USERMODEHELPER=y CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 +# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table. +CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176 + # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. +# See also kernel.modules_disabled sysctl below. CONFIG_STRICT_MODULE_RWX=y CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y @@ -207,6 +222,7 @@ CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" +# CONFIG_MODULE_FORCE_LOAD is not set # GCC plugins diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64.config index c059256..a68f819 100644 --- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64.config +++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64.config @@ -25,6 +25,7 @@ CONFIG_IO_STRICT_DEVMEM=y CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. +CONFIG_LIST_HARDENED=y CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y @@ -52,6 +53,7 @@ CONFIG_SECURITY_LANDLOCK=y # Make sure SELinux cannot be disabled trivially. # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set # CONFIG_SECURITY_SELINUX_DEVELOP is not set +# CONFIG_SECURITY_SELINUX_DEBUG is not set # CONFIG_SECURITY_WRITABLE_HOOKS is not set # Enable "lockdown" LSM for bright line between the root user and kernel memory. 
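Review bot: `CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176` puts a decimal value into a `hex`-typed symbol (lib/Kconfig.debug declares it `hex` with `default 0x1`), so a real .config spells the same mask `0xb0`, and if I read scripts/kconfig right a fragment containing `176` is parsed as hex 0x176. The intended mask is sync 0x10 + remount read-only 0x20 + reboot/poweroff 0x80, so the line should read `CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0xb0`; the new comment also says "unmount" where the 0x20 bit is remount read-only, and "kernel.modules_disabled sysctl below" points at kspp-sysctl.txt, not at anything below in this file. Suggest `# Limit sysrq to sync, remount read-only and reboot/poweroff (0x10|0x20|0x80). Boot default only: kernel.sysrq can widen it later.` and `# See also the kernel.modules_disabled sysctl in kspp-sysctl.txt.` The same lines recur in the arm64, x86-32 and x86-64 configs.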
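Review bot: `# CONFIG_SECURITY_SELINUX_DEBUG is not set` is filed under "Make sure SELinux cannot be disabled trivially", but the option has nothing to do with disabling SELinux; it only gates developer debugging code in the SELinux AVC and security server, and it is recent enough (v6.4, if memory serves) to be absent from older kernels. Suggest giving it its own line: `# Keep SELinux developer-only debugging code out of production builds (since v6.4).`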
@@ -67,11 +69,19 @@ CONFIG_HARDENED_USERCOPY=y # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y +CONFIG_RANDOM_KMALLOC_CACHES=y + +# Make cross-slab heap attacks not as trivial when object sizes are the same. (Same as slab_nomerge boot param.) +# CONFIG_SLAB_MERGE_DEFAULT is not set # Allow for randomization of high-order page allocation freelist. Must be enabled with # the "page_alloc.shuffle=1" command line below). CONFIG_SHUFFLE_PAGE_ALLOCATOR=y +# Sanity check userspace page table mappings (since v5.17) +CONFIG_PAGE_TABLE_CHECK=y +CONFIG_PAGE_TABLE_CHECK_ENFORCED=y + # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y @@ -118,6 +128,7 @@ CONFIG_UBSAN_LOCAL_BOUNDS=y # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead. CONFIG_KFENCE=y +CONFIG_KFENCE_SAMPLE_INTERVAL=100 # Randomize kernel stack offset on syscall entry (since v5.13). CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y @@ -196,10 +207,14 @@ CONFIG_STATIC_USERMODEHELPER=y CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 +# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table. +CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176 + # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. +# See also kernel.modules_disabled sysctl below. CONFIG_STRICT_MODULE_RWX=y CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y @@ -207,6 +222,7 @@ CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" +# CONFIG_MODULE_FORCE_LOAD is not set # GCC plugins 
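Review bot: "(since v5.17)" on the page-table-check comment is the x86_64 date; arm64 gained ARCH_SUPPORTS_PAGE_TABLE_CHECK later (v5.19, if I recall the arm64/mm enablement correctly), so an arm64 kernel between those versions cannot satisfy `CONFIG_PAGE_TABLE_CHECK=y`. Suggest the arm64 copy read `# Sanity check userspace page table mappings (x86_64 since v5.17, arm64 since v5.19)`.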
@@ -250,8 +266,9 @@ CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y -# Software Shadow Stack or PAC +# Enable Software Shadow Stack when hardware Pointer Authentication (PAC) isn't available. CONFIG_SHADOW_CALL_STACK=y +CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y # Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can # turn off CONFIG_STACKPROTECTOR_STRONG with this enabled. diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config index 9db30cb..a88dde5 100644 --- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config +++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config @@ -25,6 +25,7 @@ CONFIG_IO_STRICT_DEVMEM=y CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. +CONFIG_LIST_HARDENED=y CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y @@ -52,6 +53,7 @@ CONFIG_SECURITY_LANDLOCK=y # Make sure SELinux cannot be disabled trivially. # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set # CONFIG_SECURITY_SELINUX_DEVELOP is not set +# CONFIG_SECURITY_SELINUX_DEBUG is not set # CONFIG_SECURITY_WRITABLE_HOOKS is not set # Enable "lockdown" LSM for bright line between the root user and kernel memory. 
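Review bot: `CONFIG_UNWIND_PATCH_PAC_INTO_SCS=y` carries no version or toolchain note, yet it is the option that makes the rewritten comment true: it patches the shadow-call-stack instrumentation out at boot when PAC is usable, so SCS stays active only on non-PAC hardware. It depends on SHADOW_CALL_STACK, ARM64_PTR_AUTH_KERNEL and, as far as I can see from arch/arm64/Kconfig, a Clang build, so a GCC-built arm64 kernel cannot set it. Suggest `# Patch SCS out at boot when PAC is available (since v6.2, Clang only; needs CONFIG_ARM64_PTR_AUTH_KERNEL=y).`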
@@ -67,11 +69,19 @@ CONFIG_HARDENED_USERCOPY=y # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y +CONFIG_RANDOM_KMALLOC_CACHES=y + +# Make cross-slab heap attacks not as trivial when object sizes are the same. (Same as slab_nomerge boot param.) +# CONFIG_SLAB_MERGE_DEFAULT is not set # Allow for randomization of high-order page allocation freelist. Must be enabled with # the "page_alloc.shuffle=1" command line below). CONFIG_SHUFFLE_PAGE_ALLOCATOR=y +# Sanity check userspace page table mappings (since v5.17) +CONFIG_PAGE_TABLE_CHECK=y +CONFIG_PAGE_TABLE_CHECK_ENFORCED=y + # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y @@ -118,6 +128,7 @@ CONFIG_UBSAN_LOCAL_BOUNDS=y # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead. CONFIG_KFENCE=y +CONFIG_KFENCE_SAMPLE_INTERVAL=100 # Randomize kernel stack offset on syscall entry (since v5.13). CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y @@ -196,10 +207,14 @@ CONFIG_STATIC_USERMODEHELPER=y CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 +# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table. +CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176 + # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. +# See also kernel.modules_disabled sysctl below. CONFIG_STRICT_MODULE_RWX=y CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y @@ -207,6 +222,7 @@ CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" +# CONFIG_MODULE_FORCE_LOAD is not set # GCC plugins 
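Review bot: `CONFIG_PAGE_TABLE_CHECK=y` and `CONFIG_PAGE_TABLE_CHECK_ENFORCED=y` can never be set in a 32-bit x86 build: arch/x86/Kconfig selects ARCH_SUPPORTS_PAGE_TABLE_CHECK only `if X86_64`, so these three lines in kspp-kconfig-x86-32.config describe a symbol that does not exist for this file's architecture and any check generated from them fails unconditionally. Either drop them from this file or mark them as x86_64-only.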
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64.config index f374cda..cd9afbd 100644 --- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64.config +++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64.config @@ -25,6 +25,7 @@ CONFIG_IO_STRICT_DEVMEM=y CONFIG_SYN_COOKIES=y # Perform additional validation of various commonly targeted structures. +CONFIG_LIST_HARDENED=y CONFIG_DEBUG_CREDENTIALS=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_LIST=y @@ -52,6 +53,7 @@ CONFIG_SECURITY_LANDLOCK=y # Make sure SELinux cannot be disabled trivially. # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set # CONFIG_SECURITY_SELINUX_DEVELOP is not set +# CONFIG_SECURITY_SELINUX_DEBUG is not set # CONFIG_SECURITY_WRITABLE_HOOKS is not set # Enable "lockdown" LSM for bright line between the root user and kernel memory. @@ -67,11 +69,19 @@ CONFIG_HARDENED_USERCOPY=y # Randomize allocator freelists, harden metadata. CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y +CONFIG_RANDOM_KMALLOC_CACHES=y + +# Make cross-slab heap attacks not as trivial when object sizes are the same. (Same as slab_nomerge boot param.) +# CONFIG_SLAB_MERGE_DEFAULT is not set # Allow for randomization of high-order page allocation freelist. Must be enabled with # the "page_alloc.shuffle=1" command line below). CONFIG_SHUFFLE_PAGE_ALLOCATOR=y +# Sanity check userspace page table mappings (since v5.17) +CONFIG_PAGE_TABLE_CHECK=y +CONFIG_PAGE_TABLE_CHECK_ENFORCED=y + # Allow allocator validation checking to be enabled (see "slub_debug=P" below). CONFIG_SLUB_DEBUG=y 
@@ -118,6 +128,7 @@ CONFIG_UBSAN_LOCAL_BOUNDS=y # Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead. CONFIG_KFENCE=y +CONFIG_KFENCE_SAMPLE_INTERVAL=100 # Randomize kernel stack offset on syscall entry (since v5.13). CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y @@ -196,10 +207,14 @@ CONFIG_STATIC_USERMODEHELPER=y CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_TIMEOUT=-1 +# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table. +CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176 + # Keep root from altering kernel memory via loadable modules. # CONFIG_MODULES is not set # But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key. +# See also kernel.modules_disabled sysctl below. CONFIG_STRICT_MODULE_RWX=y CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y @@ -207,6 +222,7 @@ CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" +# CONFIG_MODULE_FORCE_LOAD is not set # GCC plugins @@ -253,6 +269,12 @@ CONFIG_LEGACY_VSYSCALL_NONE=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_PAGE_TABLE_ISOLATION=y +# Enforce CET Indirect Branch Tracking in the kernel. (Since v5.18) +CONFIG_X86_KERNEL_IBT=y + +# Support userspace CET Shadow Stack +CONFIG_X86_USER_SHADOW_STACK=y + # Remove additional (32-bit) attack surface, unless you really need them. # CONFIG_COMPAT is not set # CONFIG_IA32_EMULATION is not set @@ -270,6 +292,6 @@ CONFIG_AMD_IOMMU_V2=y # Straight-Line-Speculation CONFIG_SLS=y -# Enable Control Flow Integrity (since v6.1) +# Enable Control Flow Integrity (since v6.1). CONFIG_CFI_CLANG=y # CONFIG_CFI_PERMISSIVE is not set diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-sysctl.txt b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-sysctl.txt index 9f99c6c..c45c201 100644 
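Review bot: `CONFIG_X86_USER_SHADOW_STACK=y` lacks the version note its neighbour has (it arrived in v6.6, if I remember right) and, unlike IBT, protects nothing by itself: user shadow stacks are enabled per process through arch_prctl() by a CET-aware libc for binaries marked for it, and the kernel option only makes that possible. Suggest `# Userspace CET Shadow Stack (since v6.6); opt-in per process via arch_prctl(), so it also needs a CET-aware libc and binaries.` Also, with `CONFIG_X86_KERNEL_IBT=y` and CONFIG_CFI_CLANG the kernel defaults to FineIBT on IBT hardware (`cfi=auto`), which is presumably why kspp-cmdline-x86-64.txt now forces `cfi=kcfi`; a cross-reference comment on the IBT line would save the reader the hunt.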
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-sysctl.txt
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-sysctl.txt
@@ -1,6 +1,7 @@
 kernel.printk = 3 4 1 7
 kernel.kptr_restrict = 2
 kernel.dmesg_restrict = 1
+kernel.disable_modules = 1
 kernel.perf_event_paranoid = 3
 kernel.kexec_load_disabled = 1
 kernel.randomize_va_space = 2
@@ -9,6 +10,8 @@ user.max_user_namespaces = 0
 dev.tty.ldisc_autoload = 0
 dev.tty.legacy_tiocsti = 0
 kernel.unprivileged_bpf_disabled = 1
+kernel.warn_limit = 1
+kernel.oops_limit = 1
 net.core.bpf_jit_harden = 2
 vm.unprivileged_userfaultfd = 0
 fs.protected_symlinks = 1
-- 
2.31.1
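Review bot: `kernel.disable_modules = 1` is not a sysctl that exists; the knob is `kernel.modules_disabled`, the very name the new kconfig comment in this patch refers to, so applying this file fails on that line and module loading stays enabled. Replace it with `kernel.modules_disabled = 1`. Note it is a one-way latch — once set to 1 it cannot be cleared without a reboot — so it has to be applied after every module the system needs has been loaded.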
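Review bot: `kernel.warn_limit = 1` turns the first WARN() hit anywhere in the kernel into a panic, which is a deliberate availability trade-off that nothing in the file records, and `kernel.oops_limit = 1` duplicates the `CONFIG_PANIC_ON_OOPS=y` already in the kconfig files (fine as defence in depth, but worth knowing). Both sysctls exist only from v6.2, so on older kernels loading this file stops at them with "No such file or directory". If this file is read like sysctl.conf, a `#` line above them would do: `# Panic on the first WARN()/oops (since v6.2): warn_limit trades uptime for not running on after a detected bug.`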