From 4225858a8fc7c8848d5469baff8efd9080f4a718 Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Sat, 14 Jan 2023 18:46:45 +0300
Subject: [PATCH] Update the KSPP recommendations
---
 .../kspp-recommendations/kspp-recommendations-arm.config | 3 +--
 .../kspp-recommendations/kspp-recommendations-arm64.config | 6 ++++--
 .../kspp-recommendations-x86-32.config | 3 +--
 .../kspp-recommendations-x86-64.config | 7 ++++---
 4 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
index 621095f..d4493e7 100644
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
@@ -1,5 +1,4 @@
-# CONFIGs
-# Linux/arm 5.17.0 Kernel Configuration
+# Linux/arm 6.1.5 Kernel Configuration
 
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
index 76c212f..50907ab 100644
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
@@ -1,5 +1,4 @@
-# CONFIGs
-# Linux/arm64 5.17.0 Kernel Configuration
+# Linux/arm64 6.1.5 Kernel Configuration
 
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -238,6 +237,9 @@ CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y
 
+# Remove arm32 support to reduce syscall attack surface.
+# CONFIG_COMPAT is not set
+
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y
 
diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
index 7695976..4667aa2 100644
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
@@ -1,5 +1,4 @@
-# CONFIGs
-# Linux/i386 5.17.0 Kernel Configuration
+# Linux/i386 6.1.5 Kernel Configuration
 
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
index 8f67300..f179b4e 100644
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
@@ -1,5 +1,4 @@
-# CONFIGs
-# Linux/x86_64 5.17.0 Kernel Configuration
+# Linux/x86_64 6.1.5 Kernel Configuration
 
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -249,9 +248,11 @@ CONFIG_LEGACY_VSYSCALL_NONE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y
 
-# Remove additional attack surface, unless you really need them.
+# Remove additional (32-bit) attack surface, unless you really need them.
+# CONFIG_COMPAT is not set
 # CONFIG_IA32_EMULATION is not set
 # CONFIG_X86_X32 is not set
+# CONFIG_X86_X32_ABI is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set
 
 # Enable chip-specific IOMMU support.
-- 
2.31.1
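Review bot: The added `# CONFIG_COMPAT is not set` and `# CONFIG_X86_X32_ABI is not set` lines in the x86-64 hunk have no comment explaining why they sit alongside the existing `# CONFIG_X86_X32 is not set` entry, and a reader checking a kernel against this recommendation file needs that. As far as I recall, X86_X32 was renamed to X86_X32_ABI during the v5.18 cycle, so listing both keeps the file applicable to kernels on either side of the rename; on x86_64, COMPAT is a derived option that follows IA32_EMULATION/X86_X32_ABI rather than an independently selectable knob, which is worth confirming against arch/x86/Kconfig for 6.1. I would add above the block: `# CONFIG_X86_X32 was renamed to CONFIG_X86_X32_ABI (around v5.18); both are listed to cover older and newer kernels.` The arm64 hunk's `# CONFIG_COMPAT is not set` refers to a directly selectable option there and already carries its own rationale comment.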