From e8a2c606adbd3400dd9e38be2edd5c908eeabbd2 Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Sat, 22 Oct 2022 21:34:56 +0300
Subject: [PATCH] Update the KSPP recommendations again

---
 .../kspp-recommendations-arm.config | 16 +++++++++++----
 .../kspp-recommendations-arm64.config | 14 +++++++++++--
 .../kspp-recommendations-x86-32.config | 20 +++++++++++++++----
 .../kspp-recommendations-x86-64.config | 18 +++++++++++++++--
 4 files changed, 56 insertions(+), 12 deletions(-)

diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
index 349cf61..621095f 100644
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
@@ -30,6 +30,7 @@ CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 
@@ -37,6 +38,9 @@ CONFIG_SCHED_STACK_END_CHECK=y
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
+# Make sure line disciplines can't be autoloaded (since v5.1).
+# CONFIG_LDISC_AUTOLOAD is not set
+
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
@@ -47,8 +51,8 @@ CONFIG_SECURITY_YAMA=y
 CONFIG_SECURITY_LANDLOCK=y
 
 # Make sure SELinux cannot be disabled trivially.
-# SECURITY_SELINUX_BOOTPARAM is not set
-# SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+# CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 
 # Enable "lockdown" LSM for bright line between the root user and kernel memory.
@@ -144,8 +148,14 @@ CONFIG_SCHED_CORE=y
 CONFIG_ZERO_CALL_USED_REGS=y
 
 # Wipe RAM at reboot via EFI.
+# For more details, see:
+# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
+# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y
 
+# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
+CONFIG_STATIC_USERMODEHELPER=y
+
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
@@ -233,5 +243,3 @@ CONFIG_CPU_SW_DOMAIN_PAN=y
 
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set
-
-
diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
index 91e6189..76c212f 100644
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
@@ -30,6 +30,7 @@ CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 
@@ -37,6 +38,9 @@ CONFIG_SCHED_STACK_END_CHECK=y
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
+# Make sure line disciplines can't be autoloaded (since v5.1).
+# CONFIG_LDISC_AUTOLOAD is not set
+
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
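Review bot: `CONFIG_STATIC_USERMODEHELPER=y` is added without a matching `CONFIG_STATIC_USERMODEHELPER_PATH` entry, so a kernel built from this recommendation routes every usermode-helper invocation (module autoload, hotplug, `core_pattern` pipes) through whichever single binary the kernel's default path names, and if that binary is missing those invocations fail silently at runtime rather than at build time. The comment only warns that regular distros break; it should also tell the reader what makes the setting workable, e.g. `# Requires a dispatcher binary installed at CONFIG_STATIC_USERMODEHELPER_PATH (see huldufolk); setting that path to "" disables all usermode helpers instead.` The identical hunk is repeated in the arm64, x86-32 and x86-64 files, so the wording should be updated in all four.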
@@ -47,8 +51,8 @@ CONFIG_SECURITY_YAMA=y
 CONFIG_SECURITY_LANDLOCK=y
 
 # Make sure SELinux cannot be disabled trivially.
-# SECURITY_SELINUX_BOOTPARAM is not set
-# SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+# CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 
 # Enable "lockdown" LSM for bright line between the root user and kernel memory.
@@ -144,8 +148,14 @@ CONFIG_SCHED_CORE=y
 CONFIG_ZERO_CALL_USED_REGS=y
 
 # Wipe RAM at reboot via EFI.
+# For more details, see:
+# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
+# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y
 
+# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
+CONFIG_STATIC_USERMODEHELPER=y
+
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
index 32c1dad..7695976 100644
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
@@ -30,6 +30,7 @@ CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 
@@ -37,6 +38,9 @@ CONFIG_SCHED_STACK_END_CHECK=y
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
+# Make sure line disciplines can't be autoloaded (since v5.1).
+# CONFIG_LDISC_AUTOLOAD is not set
+
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
@@ -47,8 +51,8 @@ CONFIG_SECURITY_YAMA=y
 CONFIG_SECURITY_LANDLOCK=y
 
 # Make sure SELinux cannot be disabled trivially.
-# SECURITY_SELINUX_BOOTPARAM is not set
-# SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+# CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 
 # Enable "lockdown" LSM for bright line between the root user and kernel memory.
@@ -144,8 +148,14 @@ CONFIG_SCHED_CORE=y
 CONFIG_ZERO_CALL_USED_REGS=y
 
 # Wipe RAM at reboot via EFI.
+# For more details, see:
+# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
+# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y
 
+# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
+CONFIG_STATIC_USERMODEHELPER=y
+
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
@@ -240,7 +250,9 @@ CONFIG_RANDOMIZE_BASE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 
+# Enable chip-specific IOMMU support.
+CONFIG_INTEL_IOMMU=y
+CONFIG_INTEL_IOMMU_DEFAULT_ON=y
+
 # Don't allow for 16-bit program emulation and associated LDT tricks.
 # CONFIG_MODIFY_LDT_SYSCALL is not set
-
-
diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
index 560f682..8f67300 100644
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
@@ -30,6 +30,7 @@ CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y
 
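Review bot: `CONFIG_INTEL_IOMMU_DEFAULT_ON=y` in the x86-32 hunk only fixes the boot-time default, and the comment `# Enable chip-specific IOMMU support.` says neither what the option protects against nor that it can still be overridden from the kernel command line (`intel_iommu=off`), so a `.config` that passes this entry does not by itself show that DMA isolation is active. Suggest `# Enable the Intel IOMMU by default to restrict DMA from untrusted PCI devices; the boot command line must not switch it back off.` The AMD IOMMU options present in the x86-64 file (`CONFIG_AMD_IOMMU_V2=y` is visible in that file's last hunk header) are not mirrored here, presumably because AMD IOMMU support is 64-bit only; a one-line comment saying so would keep readers from reporting the asymmetry as an omission.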
@@ -37,6 +38,9 @@ CONFIG_SCHED_STACK_END_CHECK=y
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
+# Make sure line disciplines can't be autoloaded (since v5.1).
+# CONFIG_LDISC_AUTOLOAD is not set
+
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
@@ -47,8 +51,8 @@ CONFIG_SECURITY_YAMA=y
 CONFIG_SECURITY_LANDLOCK=y
 
 # Make sure SELinux cannot be disabled trivially.
-# SECURITY_SELINUX_BOOTPARAM is not set
-# SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+# CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 
 # Enable "lockdown" LSM for bright line between the root user and kernel memory.
@@ -144,8 +148,14 @@ CONFIG_SCHED_CORE=y
 CONFIG_ZERO_CALL_USED_REGS=y
 
 # Wipe RAM at reboot via EFI.
+# For more details, see:
+# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
+# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y
 
+# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
+CONFIG_STATIC_USERMODEHELPER=y
+
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
@@ -253,3 +263,7 @@ CONFIG_AMD_IOMMU_V2=y
 
 # Straight-Line-Speculation
 CONFIG_SLS=y
+
+# Enable Control Flow Integrity (since v6.1)
+CONFIG_CFI_CLANG=y
+# CONFIG_CFI_PERMISSIVE is not set
-- 
2.31.1
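Review bot: `CONFIG_CFI_CLANG=y` in the last x86-64 hunk can only be selected when the kernel is built with Clang, so a GCC-built x86-64 kernel will fail this entry regardless of how it is configured, and the comment should say so to keep the failure from being misread as a hardening gap, e.g. `# Enable Control Flow Integrity (since v6.1; Clang-only, needs kCFI support in the compiler).` `# CONFIG_CFI_PERMISSIVE is not set` is the right companion, because permissive mode only logs a failed indirect-call check instead of treating it as fatal, and that reasoning deserves a comment as well. The added comment is also the only one in the hunk without a trailing period, unlike the neighbouring entries. This commit adds the CFI entries only to the x86-64 file; if the arm64 file does not already carry them it should, since arm64 has supported `CONFIG_CFI_CLANG` for longer than x86.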