diff --git a/Recommended_Settings.md b/Recommended_Settings.md
index 5a515af..aeabf3f 100644
--- a/Recommended_Settings.md
+++ b/Recommended_Settings.md
@@ -60,12 +60,12 @@ CONFIG_SECCOMP_FILTER=y
 # CONFIG_LDISC_AUTOLOAD is not set
 # Provide userspace with ptrace ancestry protections.
-# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
+# Make sure that "yama" is also present in the CONFIG_LSM="yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Provide userspace with Landlock MAC interface.
-# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
+# Make sure that "landlock" is also present in the CONFIG_LSM="landlock,..." list.
 CONFIG_SECURITY_LANDLOCK=y
 # Make sure SELinux cannot be disabled trivially.
@@ -75,12 +75,14 @@ CONFIG_SECURITY_LANDLOCK=y
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 # Enable "lockdown" LSM for bright line between the root user and kernel memory.
+# Make sure that "lockdown" is also present in the CONFIG_LSM="lockdown,..." list.
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
+CONFIG_HARDENED_USERCOPY_DEFAULT_ON=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
@@ -96,7 +98,7 @@ CONFIG_RANDOM_KMALLOC_CACHES=y
 # the "page_alloc.shuffle=1" command line below).
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
-# Sanity check userspace page table mappings (since v5.17)
+# Sanity check userspace page table mappings (since v5.17, not all architectures support this yet).
 CONFIG_PAGE_TABLE_CHECK=y
 CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
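Review bot: The new comment in the lockdown block asking readers to add "lockdown" to CONFIG_LSM may be misleading: as far as I recall, the lockdown LSM registers with LSM_ORDER_FIRST and is initialised regardless of whether it appears in the CONFIG_LSM / lsm= ordering, so unlike yama and landlock it cannot be dropped by leaving it out of the list — please confirm against security/security.c before keeping the line. If the goal is only to mirror the yama/landlock notes above, `# "lockdown" is ordered first automatically when built in; it does not need to be listed in CONFIG_LSM.` describes what actually happens. Separately, `CONFIG_HARDENED_USERCOPY_DEFAULT_ON=y` is added without the `(since vX.Y)` marker that the other entries in this file carry, so a reader on an older kernel will not know why the option is missing from their Kconfig; adding the version it appeared in to the comment above it would keep the file consistent.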
@@ -138,6 +140,7 @@ CONFIG_UBSAN_SANITIZE_ALL=y
 # CONFIG_UBSAN_DIV_ZERO is not set
 # CONFIG_UBSAN_UNREACHABLE is not set
 # CONFIG_UBSAN_SIGNED_WRAP is not set
+# CONFIG_UBSAN_INTEGER_WRAP is not set
 # CONFIG_UBSAN_BOOL is not set
 # CONFIG_UBSAN_ENUM is not set
 # CONFIG_UBSAN_ALIGNMENT is not set
@@ -148,7 +151,7 @@ CONFIG_UBSAN_LOCAL_BOUNDS=y
 CONFIG_KFENCE=y
 CONFIG_KFENCE_SAMPLE_INTERVAL=100
-# Randomize kernel stack offset on syscall entry (since v5.13).
+# Randomize kernel stack offset on syscall entry (since v5.13, not all architectures support this yet).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 # Do not ignore compile-time warnings (since v5.15)
@@ -262,9 +265,12 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 # Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
-CONFIG_GCC_PLUGIN_STACKLEAK=y
-# CONFIG_STACKLEAK_METRICS is not set
-# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
+CONFIG_GCC_PLUGIN_STACKLEAK=y (prior to v6.17)
+# CONFIG_STACKLEAK_METRICS is not set (prior to v6.17)
+# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set (prior to v6.17)
+CONFIG_KSTACK_ERASE=y (since v6.17)
+# CONFIG_KSTACK_ERASE_METRICS is not set (since v6.17)
+# CONFIG_KSTACK_ERASE_RUNTIME_DISABLE is not set (since v6.17)
 ```
 ## x86_64
@@ -317,6 +323,9 @@ CONFIG_MITIGATION_SLS=y
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set
+# Use KCFI instead of FineIBT (see the "cfi" command line parameter below)
+# CONFIG_CFI_AUTO_DEFAULT is not set
+
 # Dangerous; enabling this disables vDSO ASLR on X86_64 and X86_32.
 # On ARM64 this option has different meaning.
 # CONFIG_COMPAT_VDSO is not set
@@ -369,9 +378,9 @@ CONFIG_CFI_CLANG=y
 ```
 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
-# CONFIG_HIGHMEM4G is not set
-CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
+CONFIG_HIGHMEM64G=y (prior to v6.15)
+CONFIG_HIGHMEM4G=y (since v6.15)
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
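Review bot: The six new lines in the STACKLEAK/KSTACK_ERASE block put the version note on the option line itself (`CONFIG_GCC_PLUGIN_STACKLEAK=y (prior to v6.17)`), which turns a copy-pasteable .config fragment into text kconfig will not read as intended, and the trailing text after `is not set` is easy to overlook; the `@@ -369` HIGHMEM hunk has the same problem with `CONFIG_HIGHMEM64G=y (prior to v6.15)` and `CONFIG_HIGHMEM4G=y (since v6.15)`. Elsewhere in this file the version lives in the comment above the option, e.g. `(since v5.13)`, so the same convention should apply here. I would move each note onto its own comment line, e.g. `# Prior to v6.17 (the feature was renamed to KSTACK_ERASE):` above the three STACKLEAK lines and `# Since v6.17:` above the three KSTACK_ERASE lines, and likewise `# Prior to v6.15:` / `# Since v6.15:` in the HIGHMEM hunk, leaving the option lines exactly as kconfig expects them. Mutually exclusive alternatives listed back to back also deserve a sentence saying only one pair applies to a given kernel.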
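Review bot: The new `# Use KCFI instead of FineIBT` comment says what to do but not why, so a reader cannot tell whether disabling CONFIG_CFI_AUTO_DEFAULT is a hardening preference or a compatibility workaround, and unlike most entries in this file it carries no `(since vX.Y)` marker. A short rationale on the comment line, e.g. `# Use KCFI instead of FineIBT (<one-line reason>; see the "cfi" command line parameter below)`, plus the kernel version the option first appeared in if known, would make the recommendation reviewable on its own.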
@@ -414,6 +423,10 @@ CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set
+
+# Report any dangerous memory permissions
+# (this feature is called CONFIG_DEBUG_WX on other archs).
+CONFIG_ARM_DEBUG_WX=y
 ```
 # kernel command line options