CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_VIRTUAL=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
+# Make sure line disciplines can't be autoloaded (since v5.1).
+# CONFIG_LDISC_AUTOLOAD is not set
+
# Provide userspace with ptrace ancestry protections.
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y
CONFIG_SECURITY_LANDLOCK=y
# Make sure SELinux cannot be disabled trivially.
-# SECURITY_SELINUX_BOOTPARAM is not set
-# SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+# CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
# Enable "lockdown" LSM for bright line between the root user and kernel memory.
CONFIG_ZERO_CALL_USED_REGS=y
# Wipe RAM at reboot via EFI.
+# For more details, see:
+# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
+# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y
+# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
+CONFIG_STATIC_USERMODEHELPER=y
+
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Dangerous; old interfaces and needless additional attack surface.
# CONFIG_OABI_COMPAT is not set
-
-
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_VIRTUAL=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
+# Make sure line disciplines can't be autoloaded (since v5.1).
+# CONFIG_LDISC_AUTOLOAD is not set
+
# Provide userspace with ptrace ancestry protections.
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y
CONFIG_SECURITY_LANDLOCK=y
# Make sure SELinux cannot be disabled trivially.
-# SECURITY_SELINUX_BOOTPARAM is not set
-# SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+# CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
# Enable "lockdown" LSM for bright line between the root user and kernel memory.
CONFIG_ZERO_CALL_USED_REGS=y
# Wipe RAM at reboot via EFI.
+# For more details, see:
+# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
+# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y
+# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
+CONFIG_STATIC_USERMODEHELPER=y
+
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_VIRTUAL=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
+# Make sure line disciplines can't be autoloaded (since v5.1).
+# CONFIG_LDISC_AUTOLOAD is not set
+
# Provide userspace with ptrace ancestry protections.
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y
CONFIG_SECURITY_LANDLOCK=y
# Make sure SELinux cannot be disabled trivially.
-# SECURITY_SELINUX_BOOTPARAM is not set
-# SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+# CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
# Enable "lockdown" LSM for bright line between the root user and kernel memory.
CONFIG_ZERO_CALL_USED_REGS=y
# Wipe RAM at reboot via EFI.
+# For more details, see:
+# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
+# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y
+# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
+CONFIG_STATIC_USERMODEHELPER=y
+
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
CONFIG_PAGE_TABLE_ISOLATION=y
+# Enable chip-specific IOMMU support.
+CONFIG_INTEL_IOMMU=y
+CONFIG_INTEL_IOMMU_DEFAULT_ON=y
+
# Don't allow for 16-bit program emulation and associated LDT tricks.
# CONFIG_MODIFY_LDT_SYSCALL is not set
-
-
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_VIRTUAL=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
+# Make sure line disciplines can't be autoloaded (since v5.1).
+# CONFIG_LDISC_AUTOLOAD is not set
+
# Provide userspace with ptrace ancestry protections.
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
CONFIG_SECURITY=y
CONFIG_SECURITY_LANDLOCK=y
# Make sure SELinux cannot be disabled trivially.
-# SECURITY_SELINUX_BOOTPARAM is not set
-# SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+# CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
# Enable "lockdown" LSM for bright line between the root user and kernel memory.
CONFIG_ZERO_CALL_USED_REGS=y
# Wipe RAM at reboot via EFI.
+# For more details, see:
+# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
+# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
CONFIG_RESET_ATTACK_MITIGATION=y
+# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk
+CONFIG_STATIC_USERMODEHELPER=y
+
# Dangerous; enabling this allows direct physical memory writing.
# CONFIG_ACPI_CUSTOM_METHOD is not set
# Straight-Line-Speculation
CONFIG_SLS=y
+
+# Enable Control Flow Integrity (since v6.1)
+CONFIG_CFI_CLANG=y
+# CONFIG_CFI_PERMISSIVE is not set
projects / kconfig-hardened-check.git / commitdiff