From f7a5e5402d9526ca2e3525bd51575be0790d94ed Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Sun, 11 Aug 2024 16:49:57 +0300
Subject: [PATCH] Update the KSPP recommendations

---
 .../kspp-kconfig-arm.config | 11 ++++-------
 .../kspp-kconfig-arm64-clang.config | 11 ++++-------
 .../kspp-kconfig-arm64-gcc.config | 11 ++++-------
 .../kspp-kconfig-x86-32.config | 17 +++++++++--------
 .../kspp-kconfig-x86-64-clang.config | 15 ++++++++-------
 .../kspp-kconfig-x86-64-gcc.config | 15 ++++++++-------
 6 files changed, 37 insertions(+), 43 deletions(-)

diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
index 3a1f67b..cc94116 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
@@ -86,9 +86,8 @@ CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
 CONFIG_SLUB_DEBUG=y
 
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
-# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
-CONFIG_PAGE_POISONING=y
-CONFIG_PAGE_POISONING_NO_SANITY=y
+# This kernel feature was removed in v5.11.
+# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks the 0xAA poison pattern on allocation.
 CONFIG_PAGE_POISONING_ZERO=y
 
 # Wipe slab and page allocations (since v5.3)
@@ -184,9 +183,6 @@ CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 
-# Dangerous; enabling this disables VDSO ASLR.
-# CONFIG_COMPAT_VDSO is not set
-
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
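Review bot: In the -86,9 hunk the added comment `# This kernel feature was removed in v5.11.` has no clear referent once the `CONFIG_PAGE_POISONING_NO_SANITY` lines are gone; in the new file it sits directly above `CONFIG_PAGE_POISONING_ZERO=y`, so a reader cannot tell which option is meant. The hunk also drops `CONFIG_PAGE_POISONING=y`, although the next added comment says that option still performs the poison check from v5.11 on and the wipe comment still refers to `page_poison=1`, so the file no longer recommends page poisoning itself. If that is not intended, keep `CONFIG_PAGE_POISONING=y` and name the option in the comment, e.g. `# CONFIG_PAGE_POISONING_NO_SANITY was removed in v5.11.` (assuming that is the option meant). The same hunk is repeated in the arm64-clang, arm64-gcc, x86-32, x86-64-clang and x86-64-gcc files; if these files mirror an upstream KSPP list verbatim, the wording should be fixed there as well.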
@@ -212,7 +208,8 @@ CONFIG_STATIC_USERMODEHELPER=y
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
-# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table.
+# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table:
+# https://docs.kernel.org/admin-guide/sysrq.html
 CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
 
 # Keep root from altering kernel memory via loadable modules.
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-clang.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-clang.config
index 0acc81e..6b93f63 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-clang.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-clang.config
@@ -86,9 +86,8 @@ CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
 CONFIG_SLUB_DEBUG=y
 
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
-# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
-CONFIG_PAGE_POISONING=y
-CONFIG_PAGE_POISONING_NO_SANITY=y
+# This kernel feature was removed in v5.11.
+# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks the 0xAA poison pattern on allocation.
 CONFIG_PAGE_POISONING_ZERO=y
 
 # Wipe slab and page allocations (since v5.3)
@@ -184,9 +183,6 @@ CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 
-# Dangerous; enabling this disables VDSO ASLR.
-# CONFIG_COMPAT_VDSO is not set
-
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
@@ -212,7 +208,8 @@ CONFIG_STATIC_USERMODEHELPER=y
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
-# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table.
+# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table:
+# https://docs.kernel.org/admin-guide/sysrq.html
 CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
 
 # Keep root from altering kernel memory via loadable modules.
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-gcc.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-gcc.config
index f40be7f..fbbf1aa 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-gcc.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-gcc.config
@@ -86,9 +86,8 @@ CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
 CONFIG_SLUB_DEBUG=y
 
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
-# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
-CONFIG_PAGE_POISONING=y
-CONFIG_PAGE_POISONING_NO_SANITY=y
+# This kernel feature was removed in v5.11.
+# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks the 0xAA poison pattern on allocation.
 CONFIG_PAGE_POISONING_ZERO=y
 
 # Wipe slab and page allocations (since v5.3)
@@ -184,9 +183,6 @@ CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 
-# Dangerous; enabling this disables VDSO ASLR.
-# CONFIG_COMPAT_VDSO is not set
-
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
@@ -212,7 +208,8 @@ CONFIG_STATIC_USERMODEHELPER=y
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
-# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table.
+# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table:
+# https://docs.kernel.org/admin-guide/sysrq.html
 CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
 
 # Keep root from altering kernel memory via loadable modules.
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config
index 4d1d1d3..2617fc3 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config
@@ -86,9 +86,8 @@ CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
 CONFIG_SLUB_DEBUG=y
 
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
-# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
-CONFIG_PAGE_POISONING=y
-CONFIG_PAGE_POISONING_NO_SANITY=y
+# This kernel feature was removed in v5.11.
+# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks the 0xAA poison pattern on allocation.
 CONFIG_PAGE_POISONING_ZERO=y
 
 # Wipe slab and page allocations (since v5.3)
@@ -184,9 +183,6 @@ CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 
-# Dangerous; enabling this disables VDSO ASLR.
-# CONFIG_COMPAT_VDSO is not set
-
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
@@ -212,7 +208,8 @@ CONFIG_STATIC_USERMODEHELPER=y
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
-# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table.
+# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table:
+# https://docs.kernel.org/admin-guide/sysrq.html
 CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
 
 # Keep root from altering kernel memory via loadable modules.
@@ -268,7 +265,7 @@ CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 CONFIG_RANDOMIZE_BASE=y
 
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
-CONFIG_PAGE_TABLE_ISOLATION=y
+CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y
 
 # Enable chip-specific IOMMU support.
 CONFIG_INTEL_IOMMU=y
@@ -276,3 +273,7 @@ CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 
 # Don't allow for 16-bit program emulation and associated LDT tricks.
 # CONFIG_MODIFY_LDT_SYSCALL is not set
+
+# Dangerous; enabling this disables vDSO ASLR on X86_64 and X86_32.
+# On ARM64 this option has different meaning.
+# CONFIG_COMPAT_VDSO is not set
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-clang.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-clang.config
index a65abeb..00d7aad 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-clang.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-clang.config
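Review bot: In the -268,7 hunk of kspp-kconfig-x86-32.config, `CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y` replaces the old symbol without any version note, while other entries in the file carry one (for example `(since v5.3)`). A kernel built before the rename still exposes `CONFIG_PAGE_TABLE_ISOLATION`, so a config from such a kernel compared against this file would presumably show KPTI as missing even though it is enabled. I would add a comment above the line such as `# Named CONFIG_PAGE_TABLE_ISOLATION before the upstream rename.`, or confirm that the checker accepts both names for this entry.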
@@ -86,9 +86,8 @@ CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
 CONFIG_SLUB_DEBUG=y
 
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
-# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
-CONFIG_PAGE_POISONING=y
-CONFIG_PAGE_POISONING_NO_SANITY=y
+# This kernel feature was removed in v5.11.
+# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks the 0xAA poison pattern on allocation.
 CONFIG_PAGE_POISONING_ZERO=y
 
 # Wipe slab and page allocations (since v5.3)
@@ -184,9 +183,6 @@ CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 
-# Dangerous; enabling this disables VDSO ASLR.
-# CONFIG_COMPAT_VDSO is not set
-
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
@@ -212,7 +208,8 @@ CONFIG_STATIC_USERMODEHELPER=y
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
-# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table.
+# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table:
+# https://docs.kernel.org/admin-guide/sysrq.html
 CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
 
 # Keep root from altering kernel memory via loadable modules.
@@ -296,3 +293,7 @@ CONFIG_MITIGATION_SLS=y
 # Enable Control Flow Integrity (since v6.1).
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set
+
+# Dangerous; enabling this disables vDSO ASLR on X86_64 and X86_32.
+# On ARM64 this option has different meaning.
+# CONFIG_COMPAT_VDSO is not set
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config
index 02a3c6f..8d36085 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config
@@ -86,9 +86,8 @@ CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
 CONFIG_SLUB_DEBUG=y
 
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
-# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
-CONFIG_PAGE_POISONING=y
-CONFIG_PAGE_POISONING_NO_SANITY=y
+# This kernel feature was removed in v5.11.
+# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks the 0xAA poison pattern on allocation.
 CONFIG_PAGE_POISONING_ZERO=y
 
 # Wipe slab and page allocations (since v5.3)
@@ -184,9 +183,6 @@ CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 
-# Dangerous; enabling this disables VDSO ASLR.
-# CONFIG_COMPAT_VDSO is not set
-
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
@@ -212,7 +208,8 @@ CONFIG_STATIC_USERMODEHELPER=y
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
-# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table.
+# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table:
+# https://docs.kernel.org/admin-guide/sysrq.html
 CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
 
 # Keep root from altering kernel memory via loadable modules.
@@ -296,3 +293,7 @@ CONFIG_MITIGATION_SLS=y
 # Enable Control Flow Integrity (since v6.1).
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set
+
+# Dangerous; enabling this disables vDSO ASLR on X86_64 and X86_32.
+# On ARM64 this option has different meaning.
+# CONFIG_COMPAT_VDSO is not set
-- 
2.31.1