Update the KSPP recommendations

kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config

 # CONFIGs
-# Linux/arm 5.14.0 Kernel Configuration
+# Linux/arm 5.17.0 Kernel Configuration
 
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -38,9 +38,24 @@ CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
 # Provide userspace with ptrace ancestry protections.
+# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 
+# Provide userspace with Landlock MAC interface.
+# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
+CONFIG_SECURITY_LANDLOCK=y
+
+# Make sure SELinux cannot be disabled trivially.
+# SECURITY_SELINUX_BOOTPARAM is not set
+# SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_WRITABLE_HOOKS is not set
+
+# Enable "lockdown" LSM for bright line between the root user and kernel memory.
+CONFIG_SECURITY_LOCKDOWN_LSM=y
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
+
 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
@@ -83,24 +98,54 @@ CONFIG_FORTIFY_SOURCE=y
 # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
 CONFIG_SECURITY_DMESG_RESTRICT=y
 
+# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
+CONFIG_UBSAN=y
+CONFIG_UBSAN_TRAP=y
+CONFIG_UBSAN_BOUNDS=y
+CONFIG_UBSAN_SANITIZE_ALL=y
+# CONFIG_UBSAN_SHIFT is not set
+# CONFIG_UBSAN_DIV_ZERO is not set
+# CONFIG_UBSAN_UNREACHABLE is not set
+# CONFIG_UBSAN_BOOL is not set
+# CONFIG_UBSAN_ENUM is not set
+# CONFIG_UBSAN_ALIGNMENT is not set
+# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
+CONFIG_UBSAN_LOCAL_BOUNDS=y
+
+# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
+CONFIG_KFENCE=y
+
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 
-# Enable sampling-based overflow detection. This is similar to KASAN coverage, but with almost zero runtime overhead.
-CONFIG_KFENCE=y
-
 # Do not ignore compile-time warnings (since v5.15)
 CONFIG_WERROR=y
 
+# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
+CONFIG_EFI_DISABLE_PCI_DMA=y
+
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
+CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 
+# Enable feeding RNG entropy from TPM, if available.
+CONFIG_HW_RANDOM_TPM=y
+
+# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even
+# malicious sources should not cause problems.
+CONFIG_RANDOM_TRUST_BOOTLOADER=y
+CONFIG_RANDOM_TRUST_CPU=y
+
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 
-# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)
+# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
+# minimizes stale data in registers). (Since v5.15)
 CONFIG_ZERO_CALL_USED_REGS=y
 
+# Wipe RAM at reboot via EFI.
+CONFIG_RESET_ATTACK_MITIGATION=y
+
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
@@ -165,10 +210,13 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 
 # Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
 CONFIG_GCC_PLUGIN_STACKLEAK=y
+# CONFIG_STACKLEAK_METRICS is not set
+# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 
 # Randomize the layout of system structures. This may have dramatic performance impact, so
 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
+# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
 
 # arm
 

kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config

 # CONFIGs
-# Linux/arm64 5.14.0 Kernel Configuration
+# Linux/arm64 5.17.0 Kernel Configuration
 
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -38,9 +38,24 @@ CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
 # Provide userspace with ptrace ancestry protections.
+# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 
+# Provide userspace with Landlock MAC interface.
+# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
+CONFIG_SECURITY_LANDLOCK=y
+
+# Make sure SELinux cannot be disabled trivially.
+# SECURITY_SELINUX_BOOTPARAM is not set
+# SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_WRITABLE_HOOKS is not set
+
+# Enable "lockdown" LSM for bright line between the root user and kernel memory.
+CONFIG_SECURITY_LOCKDOWN_LSM=y
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
+
 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
@@ -83,24 +98,54 @@ CONFIG_FORTIFY_SOURCE=y
 # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
 CONFIG_SECURITY_DMESG_RESTRICT=y
 
+# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
+CONFIG_UBSAN=y
+CONFIG_UBSAN_TRAP=y
+CONFIG_UBSAN_BOUNDS=y
+CONFIG_UBSAN_SANITIZE_ALL=y
+# CONFIG_UBSAN_SHIFT is not set
+# CONFIG_UBSAN_DIV_ZERO is not set
+# CONFIG_UBSAN_UNREACHABLE is not set
+# CONFIG_UBSAN_BOOL is not set
+# CONFIG_UBSAN_ENUM is not set
+# CONFIG_UBSAN_ALIGNMENT is not set
+# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
+CONFIG_UBSAN_LOCAL_BOUNDS=y
+
+# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
+CONFIG_KFENCE=y
+
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 
-# Enable sampling-based overflow detection. This is similar to KASAN coverage, but with almost zero runtime overhead.
-CONFIG_KFENCE=y
-
 # Do not ignore compile-time warnings (since v5.15)
 CONFIG_WERROR=y
 
+# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
+CONFIG_EFI_DISABLE_PCI_DMA=y
+
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
+CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 
+# Enable feeding RNG entropy from TPM, if available.
+CONFIG_HW_RANDOM_TPM=y
+
+# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even
+# malicious sources should not cause problems.
+CONFIG_RANDOM_TRUST_BOOTLOADER=y
+CONFIG_RANDOM_TRUST_CPU=y
+
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 
-# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)
+# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
+# minimizes stale data in registers). (Since v5.15)
 CONFIG_ZERO_CALL_USED_REGS=y
 
+# Wipe RAM at reboot via EFI.
+CONFIG_RESET_ATTACK_MITIGATION=y
+
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
@@ -165,10 +210,13 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 
 # Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
 CONFIG_GCC_PLUGIN_STACKLEAK=y
+# CONFIG_STACKLEAK_METRICS is not set
+# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 
 # Randomize the layout of system structures. This may have dramatic performance impact, so
 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
+# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
 
 # arm64
 
@@ -186,4 +234,24 @@ CONFIG_ARM64_SW_TTBR0_PAN=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_UNMAP_KERNEL_AT_EL0=y
 
+# Software Shadow Stack or PAC
+CONFIG_SHADOW_CALL_STACK=y
+
+# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can
+# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
+CONFIG_ARM64_PTR_AUTH=y
+CONFIG_ARM64_PTR_AUTH_KERNEL=y
+
+# Available in ARMv8.5 and later.
+CONFIG_ARM64_BTI=y
+CONFIG_ARM64_BTI_KERNEL=y
+CONFIG_ARM64_MTE=y
+CONFIG_KASAN_HW_TAGS=y
+CONFIG_ARM64_E0PD=y
+
+# Available in ARMv8.7 and later.
+CONFIG_ARM64_EPAN=y
 
+# Enable Control Flow Integrity
+CONFIG_CFI_CLANG=y
+# CONFIG_CFI_PERMISSIVE is not set

kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config

 # CONFIGs
-# Linux/i386 5.14.0 Kernel Configuration
+# Linux/i386 5.17.0 Kernel Configuration
 
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -38,9 +38,24 @@ CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
 # Provide userspace with ptrace ancestry protections.
+# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 
+# Provide userspace with Landlock MAC interface.
+# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
+CONFIG_SECURITY_LANDLOCK=y
+
+# Make sure SELinux cannot be disabled trivially.
+# SECURITY_SELINUX_BOOTPARAM is not set
+# SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_WRITABLE_HOOKS is not set
+
+# Enable "lockdown" LSM for bright line between the root user and kernel memory.
+CONFIG_SECURITY_LOCKDOWN_LSM=y
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
+
 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
@@ -83,24 +98,54 @@ CONFIG_FORTIFY_SOURCE=y
 # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
 CONFIG_SECURITY_DMESG_RESTRICT=y
 
+# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
+CONFIG_UBSAN=y
+CONFIG_UBSAN_TRAP=y
+CONFIG_UBSAN_BOUNDS=y
+CONFIG_UBSAN_SANITIZE_ALL=y
+# CONFIG_UBSAN_SHIFT is not set
+# CONFIG_UBSAN_DIV_ZERO is not set
+# CONFIG_UBSAN_UNREACHABLE is not set
+# CONFIG_UBSAN_BOOL is not set
+# CONFIG_UBSAN_ENUM is not set
+# CONFIG_UBSAN_ALIGNMENT is not set
+# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
+CONFIG_UBSAN_LOCAL_BOUNDS=y
+
+# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
+CONFIG_KFENCE=y
+
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 
-# Enable sampling-based overflow detection. This is similar to KASAN coverage, but with almost zero runtime overhead.
-CONFIG_KFENCE=y
-
 # Do not ignore compile-time warnings (since v5.15)
 CONFIG_WERROR=y
 
+# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
+CONFIG_EFI_DISABLE_PCI_DMA=y
+
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
+CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 
+# Enable feeding RNG entropy from TPM, if available.
+CONFIG_HW_RANDOM_TPM=y
+
+# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even
+# malicious sources should not cause problems.
+CONFIG_RANDOM_TRUST_BOOTLOADER=y
+CONFIG_RANDOM_TRUST_CPU=y
+
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 
-# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)
+# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
+# minimizes stale data in registers). (Since v5.15)
 CONFIG_ZERO_CALL_USED_REGS=y
 
+# Wipe RAM at reboot via EFI.
+CONFIG_RESET_ATTACK_MITIGATION=y
+
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
@@ -165,10 +210,13 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 
 # Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
 CONFIG_GCC_PLUGIN_STACKLEAK=y
+# CONFIG_STACKLEAK_METRICS is not set
+# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 
 # Randomize the layout of system structures. This may have dramatic performance impact, so
 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
+# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
 
 # x86_32
 

kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config

 # CONFIGs
-# Linux/x86_64 5.14.0 Kernel Configuration
+# Linux/x86_64 5.17.0 Kernel Configuration
 
 # Report BUG() conditions and kill the offending process.
 CONFIG_BUG=y
@@ -38,9 +38,24 @@ CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 
 # Provide userspace with ptrace ancestry protections.
+# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 
+# Provide userspace with Landlock MAC interface.
+# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
+CONFIG_SECURITY_LANDLOCK=y
+
+# Make sure SELinux cannot be disabled trivially.
+# SECURITY_SELINUX_BOOTPARAM is not set
+# SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_WRITABLE_HOOKS is not set
+
+# Enable "lockdown" LSM for bright line between the root user and kernel memory.
+CONFIG_SECURITY_LOCKDOWN_LSM=y
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
+
 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
@@ -83,24 +98,54 @@ CONFIG_FORTIFY_SOURCE=y
 # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)
 CONFIG_SECURITY_DMESG_RESTRICT=y
 
+# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.
+CONFIG_UBSAN=y
+CONFIG_UBSAN_TRAP=y
+CONFIG_UBSAN_BOUNDS=y
+CONFIG_UBSAN_SANITIZE_ALL=y
+# CONFIG_UBSAN_SHIFT is not set
+# CONFIG_UBSAN_DIV_ZERO is not set
+# CONFIG_UBSAN_UNREACHABLE is not set
+# CONFIG_UBSAN_BOOL is not set
+# CONFIG_UBSAN_ENUM is not set
+# CONFIG_UBSAN_ALIGNMENT is not set
+# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:
+CONFIG_UBSAN_LOCAL_BOUNDS=y
+
+# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.
+CONFIG_KFENCE=y
+
 # Randomize kernel stack offset on syscall entry (since v5.13).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 
-# Enable sampling-based overflow detection. This is similar to KASAN coverage, but with almost zero runtime overhead.
-CONFIG_KFENCE=y
-
 # Do not ignore compile-time warnings (since v5.15)
 CONFIG_WERROR=y
 
+# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
+CONFIG_EFI_DISABLE_PCI_DMA=y
+
 # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
+CONFIG_IOMMU_SUPPORT=y
 CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
 
+# Enable feeding RNG entropy from TPM, if available.
+CONFIG_HW_RANDOM_TPM=y
+
+# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even
+# malicious sources should not cause problems.
+CONFIG_RANDOM_TRUST_BOOTLOADER=y
+CONFIG_RANDOM_TRUST_CPU=y
+
 # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
 CONFIG_SCHED_CORE=y
 
-# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)
+# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and
+# minimizes stale data in registers). (Since v5.15)
 CONFIG_ZERO_CALL_USED_REGS=y
 
+# Wipe RAM at reboot via EFI.
+CONFIG_RESET_ATTACK_MITIGATION=y
+
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set
 
@@ -165,10 +210,13 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 
 # Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
 CONFIG_GCC_PLUGIN_STACKLEAK=y
+# CONFIG_STACKLEAK_METRICS is not set
+# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
 
 # Randomize the layout of system structures. This may have dramatic performance impact, so
 # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
 CONFIG_GCC_PLUGIN_RANDSTRUCT=y
+# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set
 
 # x86_64
 
@@ -196,4 +244,12 @@ CONFIG_PAGE_TABLE_ISOLATION=y
 # CONFIG_X86_X32 is not set
 # CONFIG_MODIFY_LDT_SYSCALL is not set
 
+# Enable chip-specific IOMMU support. 
+CONFIG_INTEL_IOMMU=y
+CONFIG_INTEL_IOMMU_DEFAULT_ON=y
+CONFIG_INTEL_IOMMU_SVM=y
+CONFIG_AMD_IOMMU=y
+CONFIG_AMD_IOMMU_V2=y
 
+# Straight-Line-Speculation
+CONFIG_SLS=y