Update the KSPP recommendations

6d0bc7d9 · Alexander Popov · 4852f766 · 6d0bc7d9 · 6d0bc7d9 · 6d0bc7d9
Commit 6d0bc7d9 authored Sep 16, 2021 by Alexander Popov
4 changed files
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
 # CONFIGs
-# Linux/arm 5.4.0 Kernel Configuration
+# Linux/arm 5.14.0 Kernel Configuration

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -152,7 +152,6 @@ CONFIG_GCC_PLUGIN_STACKLEAK=y
 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y

-
 # arm

 CONFIG_ARM=y
@@ -168,3 +167,5 @@ CONFIG_CPU_SW_DOMAIN_PAN=y

 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set
+
+
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
 # CONFIGs
-# Linux/arm64 5.4.0 Kernel Configuration
+# Linux/arm64 5.14.0 Kernel Configuration

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -152,7 +152,6 @@ CONFIG_GCC_PLUGIN_STACKLEAK=y
 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y

-
 # arm64

 CONFIG_ARM64=y
@@ -163,8 +162,13 @@ CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
 # Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
 CONFIG_RANDOMIZE_BASE=y

+# Randomize kernel stack offset on syscall entry (since v5.13).
+CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
+
 # Make sure PAN emulation is enabled.
 CONFIG_ARM64_SW_TTBR0_PAN=y

 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_UNMAP_KERNEL_AT_EL0=y
+
+
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
 # CONFIGs
-# Linux/i386 5.4.0 Kernel Configuration
+# Linux/i386 5.14.0 Kernel Configuration

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -171,6 +171,9 @@ CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 # Randomize position of kernel.
 CONFIG_RANDOMIZE_BASE=y

+# Randomize kernel stack offset on syscall entry (since v5.13).
+CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
+
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y


--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
 # CONFIGs
-# Linux/x86_64 5.4.0 Kernel Configuration
+# Linux/x86_64 5.14.0 Kernel Configuration

 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -167,6 +167,9 @@ CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y

+# Randomize kernel stack offset on syscall entry (since v5.13).
+CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
+
 # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
 CONFIG_LEGACY_VSYSCALL_NONE=y