Update the KSPP recommendations again

e8a2c606 · Alexander Popov · ef4a19b8 · e8a2c606 · e8a2c606 · e8a2c606
Commit e8a2c606 authored Oct 22, 2022 by Alexander Popov
4 changed files
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
@@ -30,6 +30,7 @@ CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y

@@ -37,6 +38,9 @@ CONFIG_SCHED_STACK_END_CHECK=y
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y

+# Make sure line disciplines can't be autoloaded (since v5.1).
+# CONFIG_LDISC_AUTOLOAD is not set
+
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
@@ -47,8 +51,8 @@ CONFIG_SECURITY_YAMA=y
 CONFIG_SECURITY_LANDLOCK=y

 # Make sure SELinux cannot be disabled trivially.
-# SECURITY_SELINUX_BOOTPARAM is not set
-# SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+# CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set

 # Enable "lockdown" LSM for bright line between the root user and kernel memory.
@@ -144,8 +148,14 @@ CONFIG_SCHED_CORE=y
 CONFIG_ZERO_CALL_USED_REGS=y

 # Wipe RAM at reboot via EFI.
+# For more details, see:
+# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
+# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y

+# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
+CONFIG_STATIC_USERMODEHELPER=y
+
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set

@@ -233,5 +243,3 @@ CONFIG_CPU_SW_DOMAIN_PAN=y

 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set
-
-
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
@@ -30,6 +30,7 @@ CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y

@@ -37,6 +38,9 @@ CONFIG_SCHED_STACK_END_CHECK=y
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y

+# Make sure line disciplines can't be autoloaded (since v5.1).
+# CONFIG_LDISC_AUTOLOAD is not set
+
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
@@ -47,8 +51,8 @@ CONFIG_SECURITY_YAMA=y
 CONFIG_SECURITY_LANDLOCK=y

 # Make sure SELinux cannot be disabled trivially.
-# SECURITY_SELINUX_BOOTPARAM is not set
-# SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+# CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set

 # Enable "lockdown" LSM for bright line between the root user and kernel memory.
@@ -144,8 +148,14 @@ CONFIG_SCHED_CORE=y
 CONFIG_ZERO_CALL_USED_REGS=y

 # Wipe RAM at reboot via EFI.
+# For more details, see:
+# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
+# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y

+# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
+CONFIG_STATIC_USERMODEHELPER=y
+
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set


--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
@@ -30,6 +30,7 @@ CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y

@@ -37,6 +38,9 @@ CONFIG_SCHED_STACK_END_CHECK=y
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y

+# Make sure line disciplines can't be autoloaded (since v5.1).
+# CONFIG_LDISC_AUTOLOAD is not set
+
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
@@ -47,8 +51,8 @@ CONFIG_SECURITY_YAMA=y
 CONFIG_SECURITY_LANDLOCK=y

 # Make sure SELinux cannot be disabled trivially.
-# SECURITY_SELINUX_BOOTPARAM is not set
-# SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+# CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set

 # Enable "lockdown" LSM for bright line between the root user and kernel memory.
@@ -144,8 +148,14 @@ CONFIG_SCHED_CORE=y
 CONFIG_ZERO_CALL_USED_REGS=y

 # Wipe RAM at reboot via EFI.
+# For more details, see:
+# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
+# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y

+# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
+CONFIG_STATIC_USERMODEHELPER=y
+
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set

@@ -240,7 +250,9 @@ CONFIG_RANDOMIZE_BASE=y
 # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
 CONFIG_PAGE_TABLE_ISOLATION=y

+# Enable chip-specific IOMMU support. 
+CONFIG_INTEL_IOMMU=y
+CONFIG_INTEL_IOMMU_DEFAULT_ON=y
+
 # Don't allow for 16-bit program emulation and associated LDT tricks.
 # CONFIG_MODIFY_LDT_SYSCALL is not set
-
-
--- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
+++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
@@ -30,6 +30,7 @@ CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_DEBUG_NOTIFIERS=y
 CONFIG_DEBUG_LIST=y
 CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_VIRTUAL=y
 CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_SCHED_STACK_END_CHECK=y

@@ -37,6 +38,9 @@ CONFIG_SCHED_STACK_END_CHECK=y
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y

+# Make sure line disciplines can't be autoloaded (since v5.1).
+# CONFIG_LDISC_AUTOLOAD is not set
+
 # Provide userspace with ptrace ancestry protections.
 # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
 CONFIG_SECURITY=y
@@ -47,8 +51,8 @@ CONFIG_SECURITY_YAMA=y
 CONFIG_SECURITY_LANDLOCK=y

 # Make sure SELinux cannot be disabled trivially.
-# SECURITY_SELINUX_BOOTPARAM is not set
-# SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+# CONFIG_SECURITY_SELINUX_DEVELOP is not set
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set

 # Enable "lockdown" LSM for bright line between the root user and kernel memory.
@@ -144,8 +148,14 @@ CONFIG_SCHED_CORE=y
 CONFIG_ZERO_CALL_USED_REGS=y

 # Wipe RAM at reboot via EFI.
+# For more details, see:
+# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
+# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
 CONFIG_RESET_ATTACK_MITIGATION=y

+# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
+CONFIG_STATIC_USERMODEHELPER=y
+
 # Dangerous; enabling this allows direct physical memory writing.
 # CONFIG_ACPI_CUSTOM_METHOD is not set

@@ -253,3 +263,7 @@ CONFIG_AMD_IOMMU_V2=y

 # Straight-Line-Speculation
 CONFIG_SLS=y
+
+# Enable Control Flow Integrity (since v6.1)
+CONFIG_CFI_CLANG=y
+# CONFIG_CFI_PERMISSIVE is not set