Skip to content

K
kernel-hardening-checker
Commit e8a2c606 by Alexander Popov
Options

Update the KSPP recommendations again

parent ef4a19b8
Showing with 56 additions and 12 deletions
kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config
...@@ -30,6 +30,7 @@ CONFIG_DEBUG_CREDENTIALS=y ...@@ -30,6 +30,7 @@ CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y CONFIG_DEBUG_SG=y
CONFIG_DEBUG_VIRTUAL=y
CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y CONFIG_SCHED_STACK_END_CHECK=y
...@@ -37,6 +38,9 @@ CONFIG_SCHED_STACK_END_CHECK=y ...@@ -37,6 +38,9 @@ CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_SECCOMP=y CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y CONFIG_SECCOMP_FILTER=y
# Make sure line disciplines can't be autoloaded (since v5.1).
# CONFIG_LDISC_AUTOLOAD is not set
# Provide userspace with ptrace ancestry protections. # Provide userspace with ptrace ancestry protections.
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list. # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y CONFIG_SECURITY=y
...@@ -47,8 +51,8 @@ CONFIG_SECURITY_YAMA=y ...@@ -47,8 +51,8 @@ CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_LANDLOCK=y CONFIG_SECURITY_LANDLOCK=y
# Make sure SELinux cannot be disabled trivially. # Make sure SELinux cannot be disabled trivially.
# SECURITY_SELINUX_BOOTPARAM is not set # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# SECURITY_SELINUX_DEVELOP is not set # CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set # CONFIG_SECURITY_WRITABLE_HOOKS is not set
# Enable "lockdown" LSM for bright line between the root user and kernel memory. # Enable "lockdown" LSM for bright line between the root user and kernel memory.
...@@ -144,8 +148,14 @@ CONFIG_SCHED_CORE=y ...@@ -144,8 +148,14 @@ CONFIG_SCHED_CORE=y
CONFIG_ZERO_CALL_USED_REGS=y CONFIG_ZERO_CALL_USED_REGS=y
# Wipe RAM at reboot via EFI. # Wipe RAM at reboot via EFI.
# For more details, see:
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y CONFIG_RESET_ATTACK_MITIGATION=y
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
CONFIG_STATIC_USERMODEHELPER=y
# Dangerous; enabling this allows direct physical memory writing. # Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set # CONFIG_ACPI_CUSTOM_METHOD is not set
...@@ -233,5 +243,3 @@ CONFIG_CPU_SW_DOMAIN_PAN=y ...@@ -233,5 +243,3 @@ CONFIG_CPU_SW_DOMAIN_PAN=y
# Dangerous; old interfaces and needless additional attack surface. # Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set # CONFIG_OABI_COMPAT is not set
kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config
...@@ -30,6 +30,7 @@ CONFIG_DEBUG_CREDENTIALS=y ...@@ -30,6 +30,7 @@ CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y CONFIG_DEBUG_SG=y
CONFIG_DEBUG_VIRTUAL=y
CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y CONFIG_SCHED_STACK_END_CHECK=y
...@@ -37,6 +38,9 @@ CONFIG_SCHED_STACK_END_CHECK=y ...@@ -37,6 +38,9 @@ CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_SECCOMP=y CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y CONFIG_SECCOMP_FILTER=y
# Make sure line disciplines can't be autoloaded (since v5.1).
# CONFIG_LDISC_AUTOLOAD is not set
# Provide userspace with ptrace ancestry protections. # Provide userspace with ptrace ancestry protections.
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list. # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y CONFIG_SECURITY=y
...@@ -47,8 +51,8 @@ CONFIG_SECURITY_YAMA=y ...@@ -47,8 +51,8 @@ CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_LANDLOCK=y CONFIG_SECURITY_LANDLOCK=y
# Make sure SELinux cannot be disabled trivially. # Make sure SELinux cannot be disabled trivially.
# SECURITY_SELINUX_BOOTPARAM is not set # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# SECURITY_SELINUX_DEVELOP is not set # CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set # CONFIG_SECURITY_WRITABLE_HOOKS is not set
# Enable "lockdown" LSM for bright line between the root user and kernel memory. # Enable "lockdown" LSM for bright line between the root user and kernel memory.
...@@ -144,8 +148,14 @@ CONFIG_SCHED_CORE=y ...@@ -144,8 +148,14 @@ CONFIG_SCHED_CORE=y
CONFIG_ZERO_CALL_USED_REGS=y CONFIG_ZERO_CALL_USED_REGS=y
# Wipe RAM at reboot via EFI. # Wipe RAM at reboot via EFI.
# For more details, see:
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y CONFIG_RESET_ATTACK_MITIGATION=y
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
CONFIG_STATIC_USERMODEHELPER=y
# Dangerous; enabling this allows direct physical memory writing. # Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set # CONFIG_ACPI_CUSTOM_METHOD is not set
......
kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config
...@@ -30,6 +30,7 @@ CONFIG_DEBUG_CREDENTIALS=y ...@@ -30,6 +30,7 @@ CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y CONFIG_DEBUG_SG=y
CONFIG_DEBUG_VIRTUAL=y
CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y CONFIG_SCHED_STACK_END_CHECK=y
...@@ -37,6 +38,9 @@ CONFIG_SCHED_STACK_END_CHECK=y ...@@ -37,6 +38,9 @@ CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_SECCOMP=y CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y CONFIG_SECCOMP_FILTER=y
# Make sure line disciplines can't be autoloaded (since v5.1).
# CONFIG_LDISC_AUTOLOAD is not set
# Provide userspace with ptrace ancestry protections. # Provide userspace with ptrace ancestry protections.
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list. # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y CONFIG_SECURITY=y
...@@ -47,8 +51,8 @@ CONFIG_SECURITY_YAMA=y ...@@ -47,8 +51,8 @@ CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_LANDLOCK=y CONFIG_SECURITY_LANDLOCK=y
# Make sure SELinux cannot be disabled trivially. # Make sure SELinux cannot be disabled trivially.
# SECURITY_SELINUX_BOOTPARAM is not set # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# SECURITY_SELINUX_DEVELOP is not set # CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set # CONFIG_SECURITY_WRITABLE_HOOKS is not set
# Enable "lockdown" LSM for bright line between the root user and kernel memory. # Enable "lockdown" LSM for bright line between the root user and kernel memory.
...@@ -144,8 +148,14 @@ CONFIG_SCHED_CORE=y ...@@ -144,8 +148,14 @@ CONFIG_SCHED_CORE=y
CONFIG_ZERO_CALL_USED_REGS=y CONFIG_ZERO_CALL_USED_REGS=y
# Wipe RAM at reboot via EFI. # Wipe RAM at reboot via EFI.
# For more details, see:
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y CONFIG_RESET_ATTACK_MITIGATION=y
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
CONFIG_STATIC_USERMODEHELPER=y
# Dangerous; enabling this allows direct physical memory writing. # Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set # CONFIG_ACPI_CUSTOM_METHOD is not set
...@@ -240,7 +250,9 @@ CONFIG_RANDOMIZE_BASE=y ...@@ -240,7 +250,9 @@ CONFIG_RANDOMIZE_BASE=y
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y CONFIG_PAGE_TABLE_ISOLATION=y
# Enable chip-specific IOMMU support.
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
# Don't allow for 16-bit program emulation and associated LDT tricks. # Don't allow for 16-bit program emulation and associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set # CONFIG_MODIFY_LDT_SYSCALL is not set
kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config
...@@ -30,6 +30,7 @@ CONFIG_DEBUG_CREDENTIALS=y ...@@ -30,6 +30,7 @@ CONFIG_DEBUG_CREDENTIALS=y
CONFIG_DEBUG_NOTIFIERS=y CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y CONFIG_DEBUG_SG=y
CONFIG_DEBUG_VIRTUAL=y
CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y CONFIG_SCHED_STACK_END_CHECK=y
...@@ -37,6 +38,9 @@ CONFIG_SCHED_STACK_END_CHECK=y ...@@ -37,6 +38,9 @@ CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_SECCOMP=y CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y CONFIG_SECCOMP_FILTER=y
# Make sure line disciplines can't be autoloaded (since v5.1).
# CONFIG_LDISC_AUTOLOAD is not set
# Provide userspace with ptrace ancestry protections. # Provide userspace with ptrace ancestry protections.
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list. # Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y CONFIG_SECURITY=y
...@@ -47,8 +51,8 @@ CONFIG_SECURITY_YAMA=y ...@@ -47,8 +51,8 @@ CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_LANDLOCK=y CONFIG_SECURITY_LANDLOCK=y
# Make sure SELinux cannot be disabled trivially. # Make sure SELinux cannot be disabled trivially.
# SECURITY_SELINUX_BOOTPARAM is not set # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# SECURITY_SELINUX_DEVELOP is not set # CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set # CONFIG_SECURITY_WRITABLE_HOOKS is not set
# Enable "lockdown" LSM for bright line between the root user and kernel memory. # Enable "lockdown" LSM for bright line between the root user and kernel memory.
...@@ -144,8 +148,14 @@ CONFIG_SCHED_CORE=y ...@@ -144,8 +148,14 @@ CONFIG_SCHED_CORE=y
CONFIG_ZERO_CALL_USED_REGS=y CONFIG_ZERO_CALL_USED_REGS=y
# Wipe RAM at reboot via EFI. # Wipe RAM at reboot via EFI.
# For more details, see:
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y CONFIG_RESET_ATTACK_MITIGATION=y
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
CONFIG_STATIC_USERMODEHELPER=y
# Dangerous; enabling this allows direct physical memory writing. # Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set # CONFIG_ACPI_CUSTOM_METHOD is not set
...@@ -253,3 +263,7 @@ CONFIG_AMD_IOMMU_V2=y ...@@ -253,3 +263,7 @@ CONFIG_AMD_IOMMU_V2=y
# Straight-Line-Speculation # Straight-Line-Speculation
CONFIG_SLS=y CONFIG_SLS=y
# Enable Control Flow Integrity (since v6.1)
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment