mirror of
https://github.com/torvalds/linux.git
synced 2024-11-24 21:21:41 +00:00
hardening: Provide Kconfig fragments for basic options
Inspired by Salvatore Mesoraca's earlier[1] efforts to provide some in-tree guidance for kernel hardening Kconfig options, add a new fragment named "hardening-basic.config" (along with some arch-specific fragments) that enable a basic set of kernel hardening options that have the least (or no) performance impact and remove a reasonable set of legacy APIs. Using this fragment is as simple as running "make hardening.config". More extreme fragments can be added[2] in the future to cover all the recognized hardening options, and more per-architecture files can be added too. For now, document the fragments directly via comments. Perhaps .rst documentation can be generated from them in the future (rather than the other way around). [1] https://lore.kernel.org/kernel-hardening/1536516257-30871-1-git-send-email-s.mesoraca16@gmail.com/ [2] https://github.com/KSPP/linux/issues/14 Cc: Salvatore Mesoraca <s.mesoraca16@gmail.com> Cc: x86@kernel.org Cc: linux-arm-kernel@lists.infradead.org Cc: linux-doc@vger.kernel.org Cc: linux-kbuild@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org>
This commit is contained in:
parent
ce9ecca023
commit
215199e3d9
@ -11398,8 +11398,10 @@ S: Supported
|
|||||||
T: git git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git for-next/hardening
|
T: git git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git for-next/hardening
|
||||||
F: Documentation/ABI/testing/sysfs-kernel-oops_count
|
F: Documentation/ABI/testing/sysfs-kernel-oops_count
|
||||||
F: Documentation/ABI/testing/sysfs-kernel-warn_count
|
F: Documentation/ABI/testing/sysfs-kernel-warn_count
|
||||||
|
F: arch/*/configs/hardening.config
|
||||||
F: include/linux/overflow.h
|
F: include/linux/overflow.h
|
||||||
F: include/linux/randomize_kstack.h
|
F: include/linux/randomize_kstack.h
|
||||||
|
F: kernel/configs/hardening.config
|
||||||
F: mm/usercopy.c
|
F: mm/usercopy.c
|
||||||
K: \b(add|choose)_random_kstack_offset\b
|
K: \b(add|choose)_random_kstack_offset\b
|
||||||
K: \b__check_(object_size|heap_object)\b
|
K: \b__check_(object_size|heap_object)\b
|
||||||
|
7
arch/arm/configs/hardening.config
Normal file
7
arch/arm/configs/hardening.config
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
# Basic kernel hardening options (specific to arm)
|
||||||
|
|
||||||
|
# Make sure PXN/PAN emulation is enabled.
|
||||||
|
CONFIG_CPU_SW_DOMAIN_PAN=y
|
||||||
|
|
||||||
|
# Dangerous; old interfaces and needless additional attack surface.
|
||||||
|
# CONFIG_OABI_COMPAT is not set
|
22
arch/arm64/configs/hardening.config
Normal file
22
arch/arm64/configs/hardening.config
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
# Basic kernel hardening options (specific to arm64)
|
||||||
|
|
||||||
|
# Make sure PAN emulation is enabled.
|
||||||
|
CONFIG_ARM64_SW_TTBR0_PAN=y
|
||||||
|
|
||||||
|
# Software Shadow Stack or PAC
|
||||||
|
CONFIG_SHADOW_CALL_STACK=y
|
||||||
|
|
||||||
|
# Pointer authentication (ARMv8.3 and later). If hardware actually supports
|
||||||
|
# it, one can turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.
|
||||||
|
CONFIG_ARM64_PTR_AUTH=y
|
||||||
|
CONFIG_ARM64_PTR_AUTH_KERNEL=y
|
||||||
|
|
||||||
|
# Available in ARMv8.5 and later.
|
||||||
|
CONFIG_ARM64_BTI=y
|
||||||
|
CONFIG_ARM64_BTI_KERNEL=y
|
||||||
|
CONFIG_ARM64_MTE=y
|
||||||
|
CONFIG_KASAN_HW_TAGS=y
|
||||||
|
CONFIG_ARM64_E0PD=y
|
||||||
|
|
||||||
|
# Available in ARMv8.7 and later.
|
||||||
|
CONFIG_ARM64_EPAN=y
|
10
arch/powerpc/configs/hardening.config
Normal file
10
arch/powerpc/configs/hardening.config
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
# PowerPC specific hardening options
|
||||||
|
|
||||||
|
# Block kernel from unexpectedly reading userspace memory.
|
||||||
|
CONFIG_PPC_KUAP=y
|
||||||
|
|
||||||
|
# Attack surface reduction.
|
||||||
|
# CONFIG_SCOM_DEBUGFS is not set
|
||||||
|
|
||||||
|
# Disable internal kernel debugger.
|
||||||
|
# CONFIG_XMON is not set
|
15
arch/x86/configs/hardening.config
Normal file
15
arch/x86/configs/hardening.config
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
# Basic kernel hardening options (specific to x86)
|
||||||
|
|
||||||
|
# Modern libc no longer needs a fixed-position mapping in userspace, remove
|
||||||
|
# it as a possible target.
|
||||||
|
CONFIG_LEGACY_VSYSCALL_NONE=y
|
||||||
|
|
||||||
|
# Enable chip-specific IOMMU support.
|
||||||
|
CONFIG_INTEL_IOMMU=y
|
||||||
|
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
|
||||||
|
CONFIG_INTEL_IOMMU_SVM=y
|
||||||
|
CONFIG_AMD_IOMMU=y
|
||||||
|
CONFIG_AMD_IOMMU_V2=y
|
||||||
|
|
||||||
|
# Enable CET Shadow Stack for userspace.
|
||||||
|
CONFIG_X86_USER_SHADOW_STACK=y
|
98
kernel/configs/hardening.config
Normal file
98
kernel/configs/hardening.config
Normal file
@ -0,0 +1,98 @@
|
|||||||
|
# Help: Basic kernel hardening options
|
||||||
|
#
|
||||||
|
# These are considered the basic kernel hardening, self-protection, and
|
||||||
|
# attack surface reduction options. They are expected to have low (or
|
||||||
|
# no) performance impact on most workloads, and have a reasonable level
|
||||||
|
# of legacy API removals.
|
||||||
|
|
||||||
|
# Make sure reporting of various hardening actions is possible.
|
||||||
|
CONFIG_BUG=y
|
||||||
|
|
||||||
|
# Basic kernel memory permission enforcement.
|
||||||
|
CONFIG_STRICT_KERNEL_RWX=y
|
||||||
|
CONFIG_STRICT_MODULE_RWX=y
|
||||||
|
CONFIG_VMAP_STACK=y
|
||||||
|
|
||||||
|
# Kernel image and memory ASLR.
|
||||||
|
CONFIG_RANDOMIZE_BASE=y
|
||||||
|
CONFIG_RANDOMIZE_MEMORY=y
|
||||||
|
|
||||||
|
# Randomize allocator freelists, harden metadata.
|
||||||
|
CONFIG_SLAB_FREELIST_RANDOM=y
|
||||||
|
CONFIG_SLAB_FREELIST_HARDENED=y
|
||||||
|
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
|
||||||
|
CONFIG_RANDOM_KMALLOC_CACHES=y
|
||||||
|
|
||||||
|
# Randomize kernel stack offset on syscall entry.
|
||||||
|
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
|
||||||
|
|
||||||
|
# Basic stack frame overflow protection.
|
||||||
|
CONFIG_STACKPROTECTOR=y
|
||||||
|
CONFIG_STACKPROTECTOR_STRONG=y
|
||||||
|
|
||||||
|
# Basic buffer length bounds checking.
|
||||||
|
CONFIG_HARDENED_USERCOPY=y
|
||||||
|
CONFIG_FORTIFY_SOURCE=y
|
||||||
|
|
||||||
|
# Basic array index bounds checking.
|
||||||
|
CONFIG_UBSAN=y
|
||||||
|
CONFIG_UBSAN_TRAP=y
|
||||||
|
CONFIG_UBSAN_BOUNDS=y
|
||||||
|
# CONFIG_UBSAN_SHIFT is not set
|
||||||
|
# CONFIG_UBSAN_DIV_ZERO
|
||||||
|
# CONFIG_UBSAN_UNREACHABLE
|
||||||
|
# CONFIG_UBSAN_BOOL
|
||||||
|
# CONFIG_UBSAN_ENUM
|
||||||
|
# CONFIG_UBSAN_ALIGNMENT
|
||||||
|
CONFIG_UBSAN_SANITIZE_ALL=y
|
||||||
|
|
||||||
|
# Linked list integrity checking.
|
||||||
|
CONFIG_LIST_HARDENED=y
|
||||||
|
|
||||||
|
# Initialize all heap variables to zero on allocation.
|
||||||
|
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
|
||||||
|
|
||||||
|
# Initialize all stack variables to zero on function entry.
|
||||||
|
CONFIG_INIT_STACK_ALL_ZERO=y
|
||||||
|
|
||||||
|
# Wipe RAM at reboot via EFI. For more details, see:
|
||||||
|
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
|
||||||
|
CONFIG_RESET_ATTACK_MITIGATION=y
|
||||||
|
|
||||||
|
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.
|
||||||
|
CONFIG_EFI_DISABLE_PCI_DMA=y
|
||||||
|
|
||||||
|
# Force IOMMU TLB invalidation so devices will never be able to access stale
|
||||||
|
# data content.
|
||||||
|
CONFIG_IOMMU_SUPPORT=y
|
||||||
|
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
|
||||||
|
|
||||||
|
# Do not allow direct physical memory access to non-device memory.
|
||||||
|
CONFIG_STRICT_DEVMEM=y
|
||||||
|
CONFIG_IO_STRICT_DEVMEM=y
|
||||||
|
|
||||||
|
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
|
||||||
|
CONFIG_SECCOMP=y
|
||||||
|
CONFIG_SECCOMP_FILTER=y
|
||||||
|
|
||||||
|
# Provides some protections against SYN flooding.
|
||||||
|
CONFIG_SYN_COOKIES=y
|
||||||
|
|
||||||
|
# Attack surface reduction: do not autoload TTY line disciplines.
|
||||||
|
# CONFIG_LDISC_AUTOLOAD is not set
|
||||||
|
|
||||||
|
# Dangerous; enabling this disables userspace brk ASLR.
|
||||||
|
# CONFIG_COMPAT_BRK is not set
|
||||||
|
|
||||||
|
# Dangerous; exposes kernel text image layout.
|
||||||
|
# CONFIG_PROC_KCORE is not set
|
||||||
|
|
||||||
|
# Dangerous; enabling this disables userspace VDSO ASLR.
|
||||||
|
# CONFIG_COMPAT_VDSO is not set
|
||||||
|
|
||||||
|
# Attack surface reduction: Use the modern PTY interface (devpts) only.
|
||||||
|
# CONFIG_LEGACY_PTYS is not set
|
||||||
|
|
||||||
|
# Attack surface reduction: Use only modesetting video drivers.
|
||||||
|
# CONFIG_DRM_LEGACY is not set
|
Loading…
Reference in New Issue
Block a user