Add a KSPP recommendations config for arm64

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

Add a KSPP recommendations config for arm64
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
e4fb1b20 · Tyler Hicks · Alexander Popov · 07408d5c · e4fb1b20
Commit e4fb1b20 authored Jan 17, 2019 by Tyler Hicks Committed by Alexander Popov Jan 21, 2019
Show whitespace changes
Inline Side-by-side

Showing with 146 additions and 0 deletions

kspp-recommendations-arm64.config config_files/kspp-recommendations-arm64.config +146 -0

No files found.
--- a/config_files/kspp-recommendations-arm64.config
+++ b/config_files/kspp-recommendations-arm64.config
+# CONFIGs
+# Linux/arm64 4.20 Kernel Configuration
+
+# Report BUG() conditions and kill the offending process.
+CONFIG_BUG=y
+
+# Make sure kernel page tables have safe permissions.
+CONFIG_STRICT_KERNEL_RWX=y
+
+# Report any dangerous memory permissions (not available on all archs).
+CONFIG_DEBUG_WX=y
+
+# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
+CONFIG_STACKPROTECTOR=y
+CONFIG_STACKPROTECTOR_STRONG=y
+
+# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
+# CONFIG_DEVMEM is not set
+CONFIG_STRICT_DEVMEM=y
+CONFIG_IO_STRICT_DEVMEM=y
+
+# Provides some protections against SYN flooding.
+CONFIG_SYN_COOKIES=y
+
+# Perform additional validation of various commonly targeted structures.
+CONFIG_DEBUG_CREDENTIALS=y
+CONFIG_DEBUG_NOTIFIERS=y
+CONFIG_DEBUG_LIST=y
+CONFIG_DEBUG_SG=y
+CONFIG_BUG_ON_DATA_CORRUPTION=y
+CONFIG_SCHED_STACK_END_CHECK=y
+
+# Provide userspace with seccomp BPF API for syscall attack surface reduction.
+CONFIG_SECCOMP=y
+CONFIG_SECCOMP_FILTER=y
+
+# Provide userspace with ptrace ancestry protections.
+CONFIG_SECURITY=y
+CONFIG_SECURITY_YAMA=y
+
+# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
+CONFIG_HARDENED_USERCOPY=y
+# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
+
+# Randomize allocator freelists, harden metadata.
+CONFIG_SLAB_FREELIST_RANDOM=y
+CONFIG_SLAB_FREELIST_HARDENED=y
+
+# Allow allocator validation checking to be enabled (see "slub_debug=P" below).
+CONFIG_SLUB_DEBUG=y
+
+# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
+# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
+CONFIG_PAGE_POISONING=y
+CONFIG_PAGE_POISONING_NO_SANITY=y
+CONFIG_PAGE_POISONING_ZERO=y
+
+# Adds guard pages to kernel stacks (not all architectures support this yet).
+CONFIG_VMAP_STACK=y
+
+# Perform extensive checks on reference counting.
+CONFIG_REFCOUNT_FULL=y
+
+# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
+CONFIG_FORTIFY_SOURCE=y
+
+# Dangerous; enabling this allows direct physical memory writing.
+# CONFIG_ACPI_CUSTOM_METHOD is not set
+
+# Dangerous; enabling this disables brk ASLR.
+# CONFIG_COMPAT_BRK is not set
+
+# Dangerous; enabling this allows direct kernel memory writing.
+# CONFIG_DEVKMEM is not set
+
+# Dangerous; exposes kernel text image layout.
+# CONFIG_PROC_KCORE is not set
+
+# Dangerous; enabling this disables VDSO ASLR.
+# CONFIG_COMPAT_VDSO is not set
+
+# Dangerous; enabling this allows replacement of running kernel.
+# CONFIG_KEXEC is not set
+
+# Dangerous; enabling this allows replacement of running kernel.
+# CONFIG_HIBERNATION is not set
+
+# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
+# CONFIG_INET_DIAG is not set
+
+# Easily confused by misconfigured userspace, keep off.
+# CONFIG_BINFMT_MISC is not set
+
+# Use the modern PTY interface (devpts) only.
+# CONFIG_LEGACY_PTYS is not set
+
+# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
+# CONFIG_SECURITY_SELINUX_DISABLE is not set
+
+# Reboot devices immediately if kernel experiences an Oops.
+CONFIG_PANIC_ON_OOPS=y
+CONFIG_PANIC_TIMEOUT=-1
+
+# Keep root from altering kernel memory via loadable modules.
+# CONFIG_MODULES is not set
+
+# But if CONFIG_MODULE=y is needed, at least they must be signed with a per-build key.
+CONFIG_STRICT_MODULE_RWX=y
+CONFIG_MODULE_SIG=y
+CONFIG_MODULE_SIG_FORCE=y
+CONFIG_MODULE_SIG_ALL=y
+CONFIG_MODULE_SIG_SHA512=y
+CONFIG_MODULE_SIG_HASH="sha512"
+CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
+
+
+# GCC plugins
+
+# Enable GCC Plugins
+CONFIG_GCC_PLUGINS=y
+
+# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
+CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
+
+# Force all structures to be initialized before they are passed to other functions.
+CONFIG_GCC_PLUGIN_STRUCTLEAK=y
+CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
+
+# Randomize the layout of system structures. This may have dramatic performance impact, so
+# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
+CONFIG_GCC_PLUGIN_RANDSTRUCT=y
+
+
+#arm64
+
+# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).
+CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
+
+# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).
+CONFIG_RANDOMIZE_BASE=y
+
+# Make sure PAN emulation is enabled.
+CONFIG_ARM64_SW_TTBR0_PAN=y
+
+# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
+CONFIG_UNMAP_KERNEL_AT_EL0=y