From f7a5e5402d9526ca2e3525bd51575be0790d94ed Mon Sep 17 00:00:00 2001
From: Alexander Popov <alex.popov@linux.com>
Date: Sun, 11 Aug 2024 16:49:57 +0300
Subject: [PATCH] Update the KSPP recommendations

---
 .../kspp-kconfig-arm.config                     | 11 ++++-------
 .../kspp-kconfig-arm64-clang.config             | 11 ++++-------
 .../kspp-kconfig-arm64-gcc.config               | 11 ++++-------
 .../kspp-kconfig-x86-32.config                  | 17 +++++++++--------
 .../kspp-kconfig-x86-64-clang.config            | 15 ++++++++-------
 .../kspp-kconfig-x86-64-gcc.config              | 15 ++++++++-------
 6 files changed, 37 insertions(+), 43 deletions(-)

diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
index 3a1f67b..cc94116 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm.config
@@ -86,9 +86,8 @@ CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
 CONFIG_SLUB_DEBUG=y
 
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
-# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
-CONFIG_PAGE_POISONING=y
-CONFIG_PAGE_POISONING_NO_SANITY=y
+# This kernel feature was removed in v5.11.
+# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks the 0xAA poison pattern on allocation.
 CONFIG_PAGE_POISONING_ZERO=y
 
 # Wipe slab and page allocations (since v5.3)
@@ -184,9 +183,6 @@ CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 
-# Dangerous; enabling this disables VDSO ASLR.
-# CONFIG_COMPAT_VDSO is not set
-
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
@@ -212,7 +208,8 @@ CONFIG_STATIC_USERMODEHELPER=y
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
-# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table.
+# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table:
+# https://docs.kernel.org/admin-guide/sysrq.html
 CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
 
 # Keep root from altering kernel memory via loadable modules.
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-clang.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-clang.config
index 0acc81e..6b93f63 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-clang.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-clang.config
@@ -86,9 +86,8 @@ CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
 CONFIG_SLUB_DEBUG=y
 
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
-# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
-CONFIG_PAGE_POISONING=y
-CONFIG_PAGE_POISONING_NO_SANITY=y
+# This kernel feature was removed in v5.11.
+# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks the 0xAA poison pattern on allocation.
 CONFIG_PAGE_POISONING_ZERO=y
 
 # Wipe slab and page allocations (since v5.3)
@@ -184,9 +183,6 @@ CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 
-# Dangerous; enabling this disables VDSO ASLR.
-# CONFIG_COMPAT_VDSO is not set
-
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
@@ -212,7 +208,8 @@ CONFIG_STATIC_USERMODEHELPER=y
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
-# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table.
+# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table:
+# https://docs.kernel.org/admin-guide/sysrq.html
 CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
 
 # Keep root from altering kernel memory via loadable modules.
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-gcc.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-gcc.config
index f40be7f..fbbf1aa 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-gcc.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-arm64-gcc.config
@@ -86,9 +86,8 @@ CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
 CONFIG_SLUB_DEBUG=y
 
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
-# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
-CONFIG_PAGE_POISONING=y
-CONFIG_PAGE_POISONING_NO_SANITY=y
+# This kernel feature was removed in v5.11.
+# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks the 0xAA poison pattern on allocation.
 CONFIG_PAGE_POISONING_ZERO=y
 
 # Wipe slab and page allocations (since v5.3)
@@ -184,9 +183,6 @@ CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 
-# Dangerous; enabling this disables VDSO ASLR.
-# CONFIG_COMPAT_VDSO is not set
-
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
@@ -212,7 +208,8 @@ CONFIG_STATIC_USERMODEHELPER=y
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
-# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table.
+# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table:
+# https://docs.kernel.org/admin-guide/sysrq.html
 CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
 
 # Keep root from altering kernel memory via loadable modules.
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config
index 4d1d1d3..2617fc3 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-32.config
@@ -86,9 +86,8 @@ CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
 CONFIG_SLUB_DEBUG=y
 
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
-# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
-CONFIG_PAGE_POISONING=y
-CONFIG_PAGE_POISONING_NO_SANITY=y
+# This kernel feature was removed in v5.11.
+# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks the 0xAA poison pattern on allocation.
 CONFIG_PAGE_POISONING_ZERO=y
 
 # Wipe slab and page allocations (since v5.3)
@@ -184,9 +183,6 @@ CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 
-# Dangerous; enabling this disables VDSO ASLR.
-# CONFIG_COMPAT_VDSO is not set
-
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
@@ -212,7 +208,8 @@ CONFIG_STATIC_USERMODEHELPER=y
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
-# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table.
+# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table:
+# https://docs.kernel.org/admin-guide/sysrq.html
 CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
 
 # Keep root from altering kernel memory via loadable modules.
@@ -268,7 +265,7 @@ CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 CONFIG_RANDOMIZE_BASE=y
 
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
-CONFIG_PAGE_TABLE_ISOLATION=y
+CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y
 
 # Enable chip-specific IOMMU support. 
 CONFIG_INTEL_IOMMU=y
@@ -276,3 +273,7 @@ CONFIG_INTEL_IOMMU_DEFAULT_ON=y
 
 # Don't allow for 16-bit program emulation and associated LDT tricks.
 # CONFIG_MODIFY_LDT_SYSCALL is not set
+
+# Dangerous; enabling this disables vDSO ASLR on X86_64 and X86_32.
+# On ARM64 this option has different meaning.
+# CONFIG_COMPAT_VDSO is not set
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-clang.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-clang.config
index a65abeb..00d7aad 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-clang.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-clang.config
@@ -86,9 +86,8 @@ CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
 CONFIG_SLUB_DEBUG=y
 
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
-# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
-CONFIG_PAGE_POISONING=y
-CONFIG_PAGE_POISONING_NO_SANITY=y
+# This kernel feature was removed in v5.11.
+# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks the 0xAA poison pattern on allocation.
 CONFIG_PAGE_POISONING_ZERO=y
 
 # Wipe slab and page allocations (since v5.3)
@@ -184,9 +183,6 @@ CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 
-# Dangerous; enabling this disables VDSO ASLR.
-# CONFIG_COMPAT_VDSO is not set
-
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
@@ -212,7 +208,8 @@ CONFIG_STATIC_USERMODEHELPER=y
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
-# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table.
+# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table:
+# https://docs.kernel.org/admin-guide/sysrq.html
 CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
 
 # Keep root from altering kernel memory via loadable modules.
@@ -296,3 +293,7 @@ CONFIG_MITIGATION_SLS=y
 # Enable Control Flow Integrity (since v6.1).
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set
+
+# Dangerous; enabling this disables vDSO ASLR on X86_64 and X86_32.
+# On ARM64 this option has different meaning.
+# CONFIG_COMPAT_VDSO is not set
diff --git a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config
index 02a3c6f..8d36085 100644
--- a/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config
+++ b/kernel_hardening_checker/config_files/kspp-recommendations/kspp-kconfig-x86-64-gcc.config
@@ -86,9 +86,8 @@ CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
 CONFIG_SLUB_DEBUG=y
 
 # Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
-# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
-CONFIG_PAGE_POISONING=y
-CONFIG_PAGE_POISONING_NO_SANITY=y
+# This kernel feature was removed in v5.11.
+# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks the 0xAA poison pattern on allocation.
 CONFIG_PAGE_POISONING_ZERO=y
 
 # Wipe slab and page allocations (since v5.3)
@@ -184,9 +183,6 @@ CONFIG_STATIC_USERMODEHELPER=y
 # Dangerous; exposes kernel text image layout.
 # CONFIG_PROC_KCORE is not set
 
-# Dangerous; enabling this disables VDSO ASLR.
-# CONFIG_COMPAT_VDSO is not set
-
 # Dangerous; enabling this allows replacement of running kernel.
 # CONFIG_KEXEC is not set
 
@@ -212,7 +208,8 @@ CONFIG_STATIC_USERMODEHELPER=y
 CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=-1
 
-# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table.
+# Limit sysrq to sync,unmount,reboot. For more details see the sysrq bit field table:
+# https://docs.kernel.org/admin-guide/sysrq.html
 CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176
 
 # Keep root from altering kernel memory via loadable modules.
@@ -296,3 +293,7 @@ CONFIG_MITIGATION_SLS=y
 # Enable Control Flow Integrity (since v6.1).
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set
+
+# Dangerous; enabling this disables vDSO ASLR on X86_64 and X86_32.
+# On ARM64 this option has different meaning.
+# CONFIG_COMPAT_VDSO is not set
-- 
2.31.1