https://kernsec.org/wiki/api.php?action=feedcontributions&user=KeesCook&feedformat=atomLinux Kernel Security Subsystem - User contributions [en]2024-03-28T10:28:55ZUser contributionsMediaWiki 1.36.1https://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4078Kernel Self Protection Project/Recommended Settings2023-10-20T19:04:15Z<p>KeesCook: Update kernel hardening checker URL (and name).</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings looks like. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kernel-hardening-checker/ kernel-hardening-checker]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_DEBUG_VIRTUAL=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Make sure line disciplines can't be autoloaded (since v5.1).<br />
# CONFIG_LDISC_AUTOLOAD is not set<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable "lockdown" LSM for bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Allow for randomization of high-order page allocation freelist. Must be enabled with<br />
# the "page_alloc.shuffle=1" command line below.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not cause problems.<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make the scheduler aware of SMT cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and<br />
# minimizes stale data in registers). (Since v5.15)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Wipe RAM at reboot via EFI.<br />
# For more details, see:<br />
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/<br />
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058<br />
CONFIG_RESET_ATTACK_MITIGATION=y<br />
<br />
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk<br />
CONFIG_STATIC_USERMODEHELPER=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).<br />
# CONFIG_LEGACY_TIOCSTI is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least the modules must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
# CONFIG_X86_VSYSCALL_EMULATION is not set<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional (32-bit) attack surface, unless you really need them.<br />
# CONFIG_COMPAT is not set<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_X86_X32_ABI is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
# Straight-Line-Speculation<br />
CONFIG_SLS=y<br />
<br />
# Enable Control Flow Integrity (since v6.1)<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Remove arm32 support to reduce syscall attack surface.<br />
# CONFIG_COMPAT is not set<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
# Software Shadow Stack or PAC<br />
CONFIG_SHADOW_CALL_STACK=y<br />
<br />
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can<br />
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.<br />
CONFIG_ARM64_PTR_AUTH=y<br />
CONFIG_ARM64_PTR_AUTH_KERNEL=y<br />
<br />
# Available in ARMv8.5 and later.<br />
CONFIG_ARM64_BTI=y<br />
CONFIG_ARM64_BTI_KERNEL=y<br />
CONFIG_ARM64_MTE=y<br />
CONFIG_KASAN_HW_TAGS=y<br />
CONFIG_ARM64_E0PD=y<br />
<br />
# Available in ARMv8.7 and later.<br />
CONFIG_ARM64_EPAN=y<br />
<br />
# Enable Control Flow Integrity<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
# Make sure CONFIG_HARDENED_USERCOPY stays enabled.<br />
hardened_usercopy=1<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Randomize page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too).<br />
page_alloc.shuffle=1<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
# Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.<br />
mitigations=auto,nosmt<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
# Make sure COMPAT_VDSO stays disabled<br />
vdso32=0<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.) If root absolutely needs values from /proc, use value "1".<br />
kernel.kptr_restrict = 2<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Make sure the expected default is enabled to enable full ASLR in userspace.<br />
kernel.randomize_va_space = 2<br />
<br />
# Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1".<br />
kernel.yama.ptrace_scope = 3<br />
<br />
# Disable User Namespaces, as it opens up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).<br />
dev.tty.ldisc_autoload = 0<br />
<br />
# Disable TIOCSTI which is used to inject keypresses. (This will, however, break screen readers.)<br />
dev.tty.legacy_tiocsti = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2<br />
<br />
# Disable userfaultfd for unprivileged processes.<br />
vm.unprivileged_userfaultfd = 0<br />
<br />
# Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.<br />
fs.protected_symlinks = 1<br />
fs.protected_hardlinks = 1<br />
<br />
# Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads!<br />
fs.protected_fifos = 2<br />
fs.protected_regular = 2<br />
<br />
# Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).<br />
fs.suid_dumpable = 0</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4077Kernel Self Protection Project/Recommended Settings2023-10-20T19:03:08Z<p>KeesCook: /* CONFIGs */</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings looks like. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_DEBUG_VIRTUAL=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Make sure line disciplines can't be autoloaded (since v5.1).<br />
# CONFIG_LDISC_AUTOLOAD is not set<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable "lockdown" LSM for bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Allow for randomization of high-order page allocation freelist. Must be enabled with<br />
# the "page_alloc.shuffle=1" command line below.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not cause problems.<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make the scheduler aware of SMT cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and<br />
# minimizes stale data in registers). (Since v5.15)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Wipe RAM at reboot via EFI.<br />
# For more details, see:<br />
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/<br />
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058<br />
CONFIG_RESET_ATTACK_MITIGATION=y<br />
<br />
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk<br />
CONFIG_STATIC_USERMODEHELPER=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# Block TTY stuffing attacks (this will break screen readers, see "dev.tty.legacy_tiocsti" sysctl below).<br />
# CONFIG_LEGACY_TIOCSTI is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least the modules must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
# CONFIG_X86_VSYSCALL_EMULATION is not set<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional (32-bit) attack surface, unless you really need them.<br />
# CONFIG_COMPAT is not set<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_X86_X32_ABI is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
# Straight-Line-Speculation<br />
CONFIG_SLS=y<br />
<br />
# Enable Control Flow Integrity (since v6.1)<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Remove arm32 support to reduce syscall attack surface.<br />
# CONFIG_COMPAT is not set<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
# Software Shadow Stack or PAC<br />
CONFIG_SHADOW_CALL_STACK=y<br />
<br />
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can<br />
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.<br />
CONFIG_ARM64_PTR_AUTH=y<br />
CONFIG_ARM64_PTR_AUTH_KERNEL=y<br />
<br />
# Available in ARMv8.5 and later.<br />
CONFIG_ARM64_BTI=y<br />
CONFIG_ARM64_BTI_KERNEL=y<br />
CONFIG_ARM64_MTE=y<br />
CONFIG_KASAN_HW_TAGS=y<br />
CONFIG_ARM64_E0PD=y<br />
<br />
# Available in ARMv8.7 and later.<br />
CONFIG_ARM64_EPAN=y<br />
<br />
# Enable Control Flow Integrity<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
# Make sure CONFIG_HARDENED_USERCOPY stays enabled.<br />
hardened_usercopy=1<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Randomize page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too).<br />
page_alloc.shuffle=1<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper-threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
# Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.<br />
mitigations=auto,nosmt<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
# Make sure COMPAT_VDSO stays disabled<br />
vdso32=0<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.) If root absolutely needs values from /proc, use value "1".<br />
kernel.kptr_restrict = 2<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Make sure the expected default is enabled to enable full ASLR in userspace.<br />
kernel.randomize_va_space = 2<br />
<br />
# Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1" instead. (Once set, value "3" cannot be lowered again until reboot.)<br />
kernel.yama.ptrace_scope = 3<br />
<br />
# Disable User Namespaces, as it opens up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).<br />
dev.tty.ldisc_autoload = 0<br />
<br />
# Disable TIOCSTI which is used to inject keypresses. (This will, however, break screen readers.)<br />
dev.tty.legacy_tiocsti = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2<br />
<br />
# Disable userfaultfd for unprivileged processes.<br />
vm.unprivileged_userfaultfd = 0<br />
<br />
# Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.<br />
fs.protected_symlinks = 1<br />
fs.protected_hardlinks = 1<br />
<br />
# Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads!<br />
fs.protected_fifos = 2<br />
fs.protected_regular = 2<br />
<br />
# Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).<br />
fs.suid_dumpable = 0</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4076Kernel Self Protection Project/Recommended Settings2023-10-20T18:51:09Z<p>KeesCook: /* kernel command line options */</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_DEBUG_VIRTUAL=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Make sure line disciplines can't be autoloaded (since v5.1).<br />
# CONFIG_LDISC_AUTOLOAD is not set<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable "lockdown" LSM for bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Allow for randomization of high-order page allocation freelist. Must be enabled together with<br />
# the "page_alloc.shuffle=1" command line option below.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not cause problems.<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and<br />
# minimizes stale data in registers). (Since v5.15)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Wipe RAM at reboot via EFI.<br />
# For more details, see:<br />
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/<br />
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058<br />
CONFIG_RESET_ATTACK_MITIGATION=y<br />
<br />
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk<br />
CONFIG_STATIC_USERMODEHELPER=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace; remove it as a possible target.<br />
# CONFIG_X86_VSYSCALL_EMULATION is not set<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional (32-bit) attack surface, unless you really need them.<br />
# CONFIG_COMPAT is not set<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_X86_X32_ABI is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
# Straight-Line-Speculation<br />
CONFIG_SLS=y<br />
<br />
# Enable Control Flow Integrity (since v6.1)<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Remove arm32 support to reduce syscall attack surface.<br />
# CONFIG_COMPAT is not set<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
# Software Shadow Stack or PAC<br />
CONFIG_SHADOW_CALL_STACK=y<br />
<br />
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can<br />
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.<br />
CONFIG_ARM64_PTR_AUTH=y<br />
CONFIG_ARM64_PTR_AUTH_KERNEL=y<br />
<br />
# Available in ARMv8.5 and later.<br />
CONFIG_ARM64_BTI=y<br />
CONFIG_ARM64_BTI_KERNEL=y<br />
CONFIG_ARM64_MTE=y<br />
CONFIG_KASAN_HW_TAGS=y<br />
CONFIG_ARM64_E0PD=y<br />
<br />
# Available in ARMv8.7 and later.<br />
CONFIG_ARM64_EPAN=y<br />
<br />
# Enable Control Flow Integrity<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
# Make sure CONFIG_HARDENED_USERCOPY stays enabled.<br />
hardened_usercopy=1<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Randomize page allocator (needs CONFIG_SHUFFLE_PAGE_ALLOCATOR=y too).<br />
page_alloc.shuffle=1<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper-threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
# Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.<br />
mitigations=auto,nosmt<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
# Make sure COMPAT_VDSO stays disabled<br />
vdso32=0<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.) If root absolutely needs values from /proc, use value "1".<br />
kernel.kptr_restrict = 2<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Make sure the expected default is enabled to enable full ASLR in userspace.<br />
kernel.randomize_va_space = 2<br />
<br />
# Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1" instead. (Once set, value "3" cannot be lowered again until reboot.)<br />
kernel.yama.ptrace_scope = 3<br />
<br />
# Disable User Namespaces, as it opens up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).<br />
dev.tty.ldisc_autoload = 0<br />
<br />
# Disable TIOCSTI which is used to inject keypresses. (This will, however, break screen readers.)<br />
dev.tty.legacy_tiocsti = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2<br />
<br />
# Disable userfaultfd for unprivileged processes.<br />
vm.unprivileged_userfaultfd = 0<br />
<br />
# Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.<br />
fs.protected_symlinks = 1<br />
fs.protected_hardlinks = 1<br />
<br />
# Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads!<br />
fs.protected_fifos = 2<br />
fs.protected_regular = 2<br />
<br />
# Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).<br />
fs.suid_dumpable = 0</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4075Kernel Self Protection Project/Recommended Settings2023-10-20T18:50:20Z<p>KeesCook: /* CONFIGs */</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_DEBUG_VIRTUAL=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Make sure line disciplines can't be autoloaded (since v5.1).<br />
# CONFIG_LDISC_AUTOLOAD is not set<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable "lockdown" LSM for bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Allow for randomization of high-order page allocation freelist. Must be enabled together with<br />
# the "page_alloc.shuffle=1" command line option below.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not cause problems.<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make the scheduler aware of SMT cores. Programs need to opt in to this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and<br />
# minimizes stale data in registers). (Since v5.15)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Wipe RAM at reboot via EFI.<br />
# For more details, see:<br />
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/<br />
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058<br />
CONFIG_RESET_ATTACK_MITIGATION=y<br />
<br />
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk<br />
CONFIG_STATIC_USERMODEHELPER=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep the interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if the kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least the modules must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
# CONFIG_X86_VSYSCALL_EMULATION is not set<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional (32-bit) attack surface, unless you really need them.<br />
# CONFIG_COMPAT is not set<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_X86_X32_ABI is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
# Straight-Line-Speculation<br />
CONFIG_SLS=y<br />
<br />
# Enable Control Flow Integrity (since v6.1)<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Remove arm32 support to reduce syscall attack surface.<br />
# CONFIG_COMPAT is not set<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
# Software shadow call stack (use this or PAC, below, for return-address protection).<br />
CONFIG_SHADOW_CALL_STACK=y<br />
<br />
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can<br />
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.<br />
CONFIG_ARM64_PTR_AUTH=y<br />
CONFIG_ARM64_PTR_AUTH_KERNEL=y<br />
<br />
# Available in ARMv8.5 and later.<br />
CONFIG_ARM64_BTI=y<br />
CONFIG_ARM64_BTI_KERNEL=y<br />
CONFIG_ARM64_MTE=y<br />
CONFIG_KASAN_HW_TAGS=y<br />
CONFIG_ARM64_E0PD=y<br />
<br />
# Available in ARMv8.7 and later.<br />
CONFIG_ARM64_EPAN=y<br />
<br />
# Enable Control Flow Integrity<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
# Make sure CONFIG_HARDENED_USERCOPY stays enabled.<br />
hardened_usercopy=1<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Randomize page allocator (for when CONFIG_SHUFFLE_PAGE_ALLOCATOR isn't already enabled).<br />
page_alloc.shuffle=1<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper-threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
# Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.<br />
mitigations=auto,nosmt<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
# Make sure COMPAT_VDSO stays disabled<br />
vdso32=0<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.) If root absolutely needs values from /proc, use value "1".<br />
kernel.kptr_restrict = 2<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Make sure the expected default is enabled to enable full ASLR in userspace.<br />
kernel.randomize_va_space = 2<br />
<br />
# Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1".<br />
kernel.yama.ptrace_scope = 3<br />
<br />
# Disable user namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).<br />
dev.tty.ldisc_autoload = 0<br />
<br />
# Disable TIOCSTI which is used to inject keypresses. (This will, however, break screen readers.)<br />
dev.tty.legacy_tiocsti = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2<br />
<br />
# Disable userfaultfd for unprivileged processes.<br />
vm.unprivileged_userfaultfd = 0<br />
<br />
# Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.<br />
fs.protected_symlinks = 1<br />
fs.protected_hardlinks = 1<br />
<br />
# Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads!<br />
fs.protected_fifos = 2<br />
fs.protected_regular = 2<br />
<br />
# Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).<br />
fs.suid_dumpable = 0</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4074Kernel Self Protection Project/Recommended Settings2023-10-20T18:48:06Z<p>KeesCook: /* x86_64 */ typo noticed by Alexander Popov</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_DEBUG_VIRTUAL=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Make sure line disciplines can't be autoloaded (since v5.1).<br />
# CONFIG_LDISC_AUTOLOAD is not set<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable "lockdown" LSM for bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not cause problems.<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make the scheduler aware of SMT cores. Programs need to opt in to this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and<br />
# minimizes stale data in registers). (Since v5.15)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Wipe RAM at reboot via EFI.<br />
# For more details, see:<br />
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/<br />
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058<br />
CONFIG_RESET_ATTACK_MITIGATION=y<br />
<br />
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk<br />
CONFIG_STATIC_USERMODEHELPER=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep the interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if the kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least the modules must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
# CONFIG_X86_VSYSCALL_EMULATION is not set<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional (32-bit) attack surface, unless you really need them.<br />
# CONFIG_COMPAT is not set<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_X86_X32_ABI is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
# Straight-Line-Speculation<br />
CONFIG_SLS=y<br />
<br />
# Enable Control Flow Integrity (since v6.1)<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Remove arm32 support to reduce syscall attack surface.<br />
# CONFIG_COMPAT is not set<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
# Software shadow call stack (use this or PAC, below, for return-address protection).<br />
CONFIG_SHADOW_CALL_STACK=y<br />
<br />
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can<br />
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.<br />
CONFIG_ARM64_PTR_AUTH=y<br />
CONFIG_ARM64_PTR_AUTH_KERNEL=y<br />
<br />
# Available in ARMv8.5 and later.<br />
CONFIG_ARM64_BTI=y<br />
CONFIG_ARM64_BTI_KERNEL=y<br />
CONFIG_ARM64_MTE=y<br />
CONFIG_KASAN_HW_TAGS=y<br />
CONFIG_ARM64_E0PD=y<br />
<br />
# Available in ARMv8.7 and later.<br />
CONFIG_ARM64_EPAN=y<br />
<br />
# Enable Control Flow Integrity<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
# Make sure CONFIG_HARDENED_USERCOPY stays enabled.<br />
hardened_usercopy=1<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Randomize page allocator (for when CONFIG_SHUFFLE_PAGE_ALLOCATOR isn't already enabled).<br />
page_alloc.shuffle=1<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper-threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
# Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.<br />
mitigations=auto,nosmt<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
# Make sure COMPAT_VDSO stays disabled<br />
vdso32=0<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.) If root absolutely needs values from /proc, use value "1".<br />
kernel.kptr_restrict = 2<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Make sure the expected default is enabled to enable full ASLR in userspace.<br />
kernel.randomize_va_space = 2<br />
<br />
# Block all PTRACE_ATTACH. If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1".<br />
kernel.yama.ptrace_scope = 3<br />
<br />
# Disable user namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).<br />
dev.tty.ldisc_autoload = 0<br />
<br />
# Disable TIOCSTI which is used to inject keypresses. (This will, however, break screen readers.)<br />
dev.tty.legacy_tiocsti = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2<br />
<br />
# Disable userfaultfd for unprivileged processes.<br />
vm.unprivileged_userfaultfd = 0<br />
<br />
# Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.<br />
fs.protected_symlinks = 1<br />
fs.protected_hardlinks = 1<br />
<br />
# Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads!<br />
fs.protected_fifos = 2<br />
fs.protected_regular = 2<br />
<br />
# Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).<br />
fs.suid_dumpable = 0</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4073Kernel Self Protection Project/Recommended Settings2023-09-30T23:09:20Z<p>KeesCook: /* sysctls */ From Alexander Popov: lock down things even harder.</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_DEBUG_VIRTUAL=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Make sure line disciplines can't be autoloaded (since v5.1).<br />
# CONFIG_LDISC_AUTOLOAD is not set<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable "lockdown" LSM for bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not cause problems.<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and<br />
# minimizes stale data in registers). (Since v5.15)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Wipe RAM at reboot via EFI.<br />
# For more details, see:<br />
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/<br />
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058<br />
CONFIG_RESET_ATTACK_MITIGATION=y<br />
<br />
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk<br />
CONFIG_STATIC_USERMODEHELPER=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
# CONFIG_X86_VSYSCALL_EMULATION is not set<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional (32-bit) attack surface, unless you really need them.<br />
# CONFIG_COMPAT is not set<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_X86_X32_ABI is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
# Straight-Line-Speculation<br />
CONFIG_SLS=y<br />
<br />
# Enable Control Flow Integrity (since v6.1)<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Remove arm32 support to reduce syscall attack surface.<br />
# CONFIG_COMPAT is not set<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
# Software Shadow Stack or PAC<br />
CONFIG_SHADOW_CALL_STACK=y<br />
<br />
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can<br />
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.<br />
CONFIG_ARM64_PTR_AUTH=y<br />
CONFIG_ARM64_PTR_AUTH_KERNEL=y<br />
<br />
# Available in ARMv8.5 and later.<br />
CONFIG_ARM64_BTI=y<br />
CONFIG_ARM64_BTI_KERNEL=y<br />
CONFIG_ARM64_MTE=y<br />
CONFIG_KASAN_HW_TAGS=y<br />
CONFIG_ARM64_E0PD=y<br />
<br />
# Available in ARMv8.7 and later.<br />
CONFIG_ARM64_EPAN=y<br />
<br />
# Enable Control Flow Integrity<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
# Make sure CONFIG_HARDENED_USERCOPY stays enabled.<br />
hardened_usercopy=1<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Randomize page allocator (for when CONFIG_SHUFFLE_PAGE_ALLOCATOR isn't already enabled).<br />
page_alloc.shuffle=1<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper-threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
# Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.<br />
mitigations=auto,nosmt<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
# Make sure COMPAT_VDSO stays disabled<br />
vdso32=0<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.) If root absolutely needs values from /proc, use value "1".<br />
kernel.kptr_restrict = 2<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Make sure the expected default is enabled to enable full ASLR in userspace.<br />
kernel.randomize_va_space = 2<br />
<br />
# Block all PTRACE_ATTACH. (Note that once set to 3, this value cannot be lowered again until reboot.) If you need ptrace to work, then avoid non-ancestor ptrace access to running processes and their credentials, and use value "1".<br />
kernel.yama.ptrace_scope = 3<br />
<br />
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).<br />
dev.tty.ldisc_autoload = 0<br />
<br />
# Disable TIOCSTI which is used to inject keypresses. (This will, however, break screen readers.)<br />
dev.tty.legacy_tiocsti = 0<br />
<br />
# Turn off unprivileged eBPF access. (Value 1 is sticky until reboot; value 2 also disables it but can be changed back by root.)<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2<br />
<br />
# Disable userfaultfd for unprivileged processes.<br />
vm.unprivileged_userfaultfd = 0<br />
<br />
# Disable POSIX symlink and hardlink corner cases that lead to lots of filesystem confusion attacks.<br />
fs.protected_symlinks = 1<br />
fs.protected_hardlinks = 1<br />
<br />
# Disable POSIX corner cases with creating files and fifos unless the directory owner matches. Check your workloads!<br />
fs.protected_fifos = 2<br />
fs.protected_regular = 2<br />
<br />
# Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).<br />
fs.suid_dumpable = 0</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4072Kernel Self Protection Project/Recommended Settings2023-09-30T22:55:06Z<p>KeesCook: /* kernel command line options */ From Alexander Popov, adding options for maybe missing CONFIGs</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_DEBUG_VIRTUAL=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Make sure line disciplines can't be autoloaded (since v5.1).<br />
# CONFIG_LDISC_AUTOLOAD is not set<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable "lockdown" LSM for bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not cause problems.<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and<br />
# minimizes stale data in registers). (Since v5.15)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Wipe RAM at reboot via EFI.<br />
# For more details, see:<br />
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/<br />
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058<br />
CONFIG_RESET_ATTACK_MITIGATION=y<br />
<br />
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk<br />
CONFIG_STATIC_USERMODEHELPER=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
# CONFIG_X86_VSYSCALL_EMULATION is not set<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional (32-bit) attack surface, unless you really need them.<br />
# CONFIG_COMPAT is not set<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_X86_X32_ABI is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
# Straight-Line-Speculation<br />
CONFIG_SLS=y<br />
<br />
# Enable Control Flow Integrity (since v6.1)<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Remove arm32 support to reduce syscall attack surface.<br />
# CONFIG_COMPAT is not set<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
# Software Shadow Stack or PAC<br />
CONFIG_SHADOW_CALL_STACK=y<br />
<br />
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can<br />
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.<br />
CONFIG_ARM64_PTR_AUTH=y<br />
CONFIG_ARM64_PTR_AUTH_KERNEL=y<br />
<br />
# Available in ARMv8.5 and later.<br />
CONFIG_ARM64_BTI=y<br />
CONFIG_ARM64_BTI_KERNEL=y<br />
CONFIG_ARM64_MTE=y<br />
CONFIG_KASAN_HW_TAGS=y<br />
CONFIG_ARM64_E0PD=y<br />
<br />
# Available in ARMv8.7 and later.<br />
CONFIG_ARM64_EPAN=y<br />
<br />
# Enable Control Flow Integrity<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
<br />
# Don't allow 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
# Make sure CONFIG_HARDENED_USERCOPY stays enabled.<br />
hardened_usercopy=1<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Randomize page allocator (for when CONFIG_SHUFFLE_PAGE_ALLOCATOR isn't already enabled).<br />
page_alloc.shuffle=1<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
# Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.<br />
mitigations=auto,nosmt<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
# Make sure COMPAT_VDSO stays disabled<br />
vdso32=0<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).<br />
dev.tty.ldisc_autoload = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4071Kernel Self Protection Project/Recommended Settings2023-09-30T22:45:16Z<p>KeesCook: /* kernel command line options */</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_DEBUG_VIRTUAL=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Make sure line disciplines can't be autoloaded (since v5.1).<br />
# CONFIG_LDISC_AUTOLOAD is not set<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable "lockdown" LSM for bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not cause problems.<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make the scheduler aware of SMT cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and<br />
# minimizes stale data in registers). (Since v5.15)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Wipe RAM at reboot via EFI.<br />
# For more details, see:<br />
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/<br />
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058<br />
CONFIG_RESET_ATTACK_MITIGATION=y<br />
<br />
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk<br />
CONFIG_STATIC_USERMODEHELPER=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if the kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
# CONFIG_X86_VSYSCALL_EMULATION is not set<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional (32-bit) attack surface, unless you really need them.<br />
# CONFIG_COMPAT is not set<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_X86_X32_ABI is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
# Straight-Line-Speculation<br />
CONFIG_SLS=y<br />
<br />
# Enable Control Flow Integrity (since v6.1)<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Remove arm32 support to reduce syscall attack surface.<br />
# CONFIG_COMPAT is not set<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
# Software Shadow Stack or PAC<br />
CONFIG_SHADOW_CALL_STACK=y<br />
<br />
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can<br />
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.<br />
CONFIG_ARM64_PTR_AUTH=y<br />
CONFIG_ARM64_PTR_AUTH_KERNEL=y<br />
<br />
# Available in ARMv8.5 and later.<br />
CONFIG_ARM64_BTI=y<br />
CONFIG_ARM64_BTI_KERNEL=y<br />
CONFIG_ARM64_MTE=y<br />
CONFIG_KASAN_HW_TAGS=y<br />
CONFIG_ARM64_E0PD=y<br />
<br />
# Available in ARMv8.7 and later.<br />
CONFIG_ARM64_EPAN=y<br />
<br />
# Enable Control Flow Integrity<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
<br />
# Don't allow 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Randomize page allocator (for when CONFIG_SHUFFLE_PAGE_ALLOCATOR isn't already enabled).<br />
page_alloc.shuffle=1<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
# Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.<br />
mitigations=auto,nosmt<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).<br />
dev.tty.ldisc_autoload = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4070Kernel Self Protection Project/Recommended Settings2023-09-30T22:44:47Z<p>KeesCook: /* kernel command line options */ From Alexander Popov: enable page shuffling in case CONFIG is unset.</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_DEBUG_VIRTUAL=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Make sure line disciplines can't be autoloaded (since v5.1).<br />
# CONFIG_LDISC_AUTOLOAD is not set<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable "lockdown" LSM for bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not cause problems.<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make the scheduler aware of SMT cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and<br />
# minimizes stale data in registers). (Since v5.15)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Wipe RAM at reboot via EFI.<br />
# For more details, see:<br />
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/<br />
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058<br />
CONFIG_RESET_ATTACK_MITIGATION=y<br />
<br />
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk<br />
CONFIG_STATIC_USERMODEHELPER=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if the kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have a dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace; remove it as a possible target.<br />
# CONFIG_X86_VSYSCALL_EMULATION is not set<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional (32-bit) attack surface, unless you really need it.<br />
# CONFIG_COMPAT is not set<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_X86_X32_ABI is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
# Straight-Line-Speculation<br />
CONFIG_SLS=y<br />
<br />
# Enable Control Flow Integrity (since v6.1)<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Remove arm32 support to reduce syscall attack surface.<br />
# CONFIG_COMPAT is not set<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
# Software shadow call stack (alternatively, use pointer authentication below).<br />
CONFIG_SHADOW_CALL_STACK=y<br />
<br />
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can<br />
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.<br />
CONFIG_ARM64_PTR_AUTH=y<br />
CONFIG_ARM64_PTR_AUTH_KERNEL=y<br />
<br />
# Available in ARMv8.5 and later.<br />
CONFIG_ARM64_BTI=y<br />
CONFIG_ARM64_BTI_KERNEL=y<br />
CONFIG_ARM64_MTE=y<br />
CONFIG_KASAN_HW_TAGS=y<br />
CONFIG_ARM64_E0PD=y<br />
<br />
# Available in ARMv8.7 and later.<br />
CONFIG_ARM64_EPAN=y<br />
<br />
# Enable Control Flow Integrity<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Randomize page allocator (for when CONFIG_SHUFFLE_PAGE_ALLOCATOR isn't already enabled).<br />
page_alloc.shuffle=1<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper-threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
# Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.<br />
mitigations=auto,nosmt<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable user namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).<br />
dev.tty.ldisc_autoload = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4069Kernel Self Protection Project/Recommended Settings2023-09-30T22:42:21Z<p>KeesCook: /* kernel command line options */ From Alexander Popov: disable smt when needed</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_DEBUG_VIRTUAL=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Make sure line disciplines can't be autoloaded (since v5.1).<br />
# CONFIG_LDISC_AUTOLOAD is not set<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable "lockdown" LSM for bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not cause problems.<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make the scheduler aware of SMT cores. Programs need to opt in to this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and<br />
# minimizes stale data in registers). (Since v5.15)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Wipe RAM at reboot via EFI.<br />
# For more details, see:<br />
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/<br />
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058<br />
CONFIG_RESET_ATTACK_MITIGATION=y<br />
<br />
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk<br />
CONFIG_STATIC_USERMODEHELPER=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if the kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have a dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace; remove it as a possible target.<br />
# CONFIG_X86_VSYSCALL_EMULATION is not set<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional (32-bit) attack surface, unless you really need it.<br />
# CONFIG_COMPAT is not set<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_X86_X32_ABI is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
# Straight-Line-Speculation<br />
CONFIG_SLS=y<br />
<br />
# Enable Control Flow Integrity (since v6.1)<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Remove arm32 support to reduce syscall attack surface.<br />
# CONFIG_COMPAT is not set<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
# Software shadow call stack (alternatively, use pointer authentication below).<br />
CONFIG_SHADOW_CALL_STACK=y<br />
<br />
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can<br />
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.<br />
CONFIG_ARM64_PTR_AUTH=y<br />
CONFIG_ARM64_PTR_AUTH_KERNEL=y<br />
<br />
# Available in ARMv8.5 and later.<br />
CONFIG_ARM64_BTI=y<br />
CONFIG_ARM64_BTI_KERNEL=y<br />
CONFIG_ARM64_MTE=y<br />
CONFIG_KASAN_HW_TAGS=y<br />
CONFIG_ARM64_E0PD=y<br />
<br />
# Available in ARMv8.7 and later.<br />
CONFIG_ARM64_EPAN=y<br />
<br />
# Enable Control Flow Integrity<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper-threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
# Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.<br />
mitigations=auto,nosmt<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable user namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).<br />
dev.tty.ldisc_autoload = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4068Kernel Self Protection Project/Recommended Settings2023-09-30T22:38:10Z<p>KeesCook: /* x86_64 */ compile out vsyscall by default</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_DEBUG_VIRTUAL=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Make sure line disciplines can't be autoloaded (since v5.1).<br />
# CONFIG_LDISC_AUTOLOAD is not set<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable "lockdown" LSM for bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not cause problems.<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make the scheduler aware of SMT cores. Programs need to opt in to this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and<br />
# minimizes stale data in registers). (Since v5.15)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Wipe RAM at reboot via EFI.<br />
# For more details, see:<br />
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/<br />
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058<br />
CONFIG_RESET_ATTACK_MITIGATION=y<br />
<br />
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk<br />
CONFIG_STATIC_USERMODEHELPER=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least require modules to be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
# CONFIG_X86_VSYSCALL_EMULATION is not set<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional (32-bit) attack surface, unless you really need them.<br />
# CONFIG_COMPAT is not set<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_X86_X32_ABI is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
# Mitigate Straight-Line Speculation.<br />
CONFIG_SLS=y<br />
<br />
# Enable Control Flow Integrity (since v6.1)<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Remove arm32 support to reduce syscall attack surface.<br />
# CONFIG_COMPAT is not set<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
# Software Shadow Stack or PAC<br />
CONFIG_SHADOW_CALL_STACK=y<br />
<br />
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can<br />
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.<br />
CONFIG_ARM64_PTR_AUTH=y<br />
CONFIG_ARM64_PTR_AUTH_KERNEL=y<br />
<br />
# Available in ARMv8.5 and later.<br />
CONFIG_ARM64_BTI=y<br />
CONFIG_ARM64_BTI_KERNEL=y<br />
CONFIG_ARM64_MTE=y<br />
CONFIG_KASAN_HW_TAGS=y<br />
CONFIG_ARM64_E0PD=y<br />
<br />
# Available in ARMv8.7 and later.<br />
CONFIG_ARM64_EPAN=y<br />
<br />
# Enable Control Flow Integrity<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper-threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable User Namespaces, as it opens up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).<br />
dev.tty.ldisc_autoload = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Get_Involved&diff=4067Kernel Self Protection Project/Get Involved2023-02-10T00:31:25Z<p>KeesCook: add TZ to calendar link</p>
<hr />
<div>Want to get involved in the [[Kernel Self Protection Project]]? Here's how:<br />
<br />
= Join the conversations =<br />
<br />
* Subscribe to the [http://vger.kernel.org/vger-lists.html#linux-hardening '''upstream''' Linux kernel hardening mailing list], <code>'''linux'''-hardening@vger.kernel.org</code>, where development, maintenance, and administrivia happen. (And visit the [https://lore.kernel.org/linux-hardening/ list archive].)<br />
* Come to the every-2-weeks status update meeting. See the [https://calendar.google.com/calendar/u/0/embed?src=47005f8f50f21da6133d7239f3cb93d1624d2e1949963ea75dd86d5f2d5721e0@group.calendar.google.com&ctz=America/Los_Angeles calendar] for details.<br />
* Join the <code>#linux-hardening</code> IRC channel on [https://libera.chat/ Libera.Chat].<br />
* Optionally subscribe to the [https://www.openwall.com/lists/kernel-hardening/ '''general''' Linux kernel hardening mailing list], <code>'''kernel'''-hardening@lists.openwall.com</code>, where new hardening topics and summaries of completed work are discussed. (And visit the [https://lore.kernel.org/kernel-hardening/ list archive].)<br />
** Note: when sending to <code>kernel-hardening@lists.openwall.com</code>, please also CC <code>linux-hardening@vger.kernel.org</code>.<br />
<br />
= Introduce Yourself =<br />
<br />
Send an email to the lists to introduce yourself!<br />
<br />
* What topics are you interested in?<br />
* What do you want to learn about?<br />
* What experience do you have with security, the kernel, programming, or anything else you think is important.<br />
<br />
= Pick something to work on =<br />
<br />
Pick something from the [https://github.com/KSPP/linux/issues issue tracker] (or add a new one), coordinate on the mailing lists, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [https://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.<br />
<br />
= Contribute patches =<br />
<br />
Please send new topics and patch series to both [http://vger.kernel.org/vger-lists.html#linux-hardening linux-hardening@vger.kernel.org] and [https://www.openwall.com/lists/kernel-hardening kernel-hardening@lists.openwall.com] for the widest audience possible.<br />
<br />
When contributing patches for the Linux kernel, be sure to follow the Linux kernel [https://www.kernel.org/doc/html/latest/process/coding-style.html Coding Style Guide] and read about [https://www.kernel.org/doc/html/latest/process/submitting-patches.html Submitting Patches]. Even if you're only sending your patches to the mailing lists for some early review, it's best to get as much of the coding style and submission semantics correct to avoid reviewers needing to recommend changes in those areas.<br />
<br />
== grsecurity and other non-upstream patch sources ==<br />
<br />
As with any other Free Software project, it is particularly important, if you're upstreaming work from other projects, to make sure your patches give credit to the original authors, that licenses are compatible, that copyright notices are retained, etc.<br />
<br />
In the case of new files, or other places where a copyright notice would be expected to be added, be sure to retain all copyright notices from the other project. This may require some examination of commit history. For example, [https://github.com/linux-scraping/linux-grsecurity/blob/grsec-test/grsecurity/Makefile#L3 grsecurity's copyright notice from their most recent public patch] does not include PaX Team's copyright notice, which is only listed in the patch for GCC plugins. For grsecurity copyright, when more specific details are not easy to find, the following could be used:<br />
<br />
Copyright (C) 2001-2017 PaX Team, Bradley Spengler, Open Source Security Inc.<br />
<br />
Additionally, grsecurity has asked that contributors include this in commit messages for non-trivial code ported from grsecurity:<br />
<br />
$CODE is {verbatim,modified} from Brad Spengler/PaX Team's code in the last<br />
public patch of grsecurity/PaX based on my understanding of the code. Changes<br />
or omissions from the original code are mine and don't reflect the original<br />
grsecurity/PaX code.</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Get_Involved&diff=4066Kernel Self Protection Project/Get Involved2023-01-25T19:46:30Z<p>KeesCook: </p>
<hr />
<div>Want to get involved in the [[Kernel Self Protection Project]]? Here's how:<br />
<br />
= Join the conversations =<br />
<br />
* Subscribe to the [http://vger.kernel.org/vger-lists.html#linux-hardening '''upstream''' Linux kernel hardening mailing list], <code>'''linux'''-hardening@vger.kernel.org</code>, where development, maintenance, and administrivia happen. (And visit the [https://lore.kernel.org/linux-hardening/ list archive].)<br />
* Come to the every-2-weeks status update meeting. See the [https://calendar.google.com/calendar/embed?src=47005f8f50f21da6133d7239f3cb93d1624d2e1949963ea75dd86d5f2d5721e0%40group.calendar.google.com calendar] for details.<br />
* Join the <code>#linux-hardening</code> IRC channel on [https://libera.chat/ Libera.Chat].<br />
* Optionally subscribe to the [https://www.openwall.com/lists/kernel-hardening/ '''general''' Linux kernel hardening mailing list], <code>'''kernel'''-hardening@lists.openwall.com</code>, where new hardening topics and summaries of completed work are discussed. (And visit the [https://lore.kernel.org/kernel-hardening/ list archive].)<br />
** Note: when sending to <code>kernel-hardening@lists.openwall.com</code>, please also CC <code>linux-hardening@vger.kernel.org</code>.<br />
<br />
= Introduce Yourself =<br />
<br />
Send an email to the lists to introduce yourself!<br />
<br />
* What topics are you interested in?<br />
* What do you want to learn about?<br />
* What experience do you have with security, the kernel, programming, or anything else you think is important.<br />
<br />
= Pick something to work on =<br />
<br />
Pick something from the [https://github.com/KSPP/linux/issues issue tracker] (or add a new one), coordinate on the mailing lists, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [https://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.<br />
<br />
= Contribute patches =<br />
<br />
Please send new topics and patch series to both [http://vger.kernel.org/vger-lists.html#linux-hardening linux-hardening@vger.kernel.org] and [https://www.openwall.com/lists/kernel-hardening kernel-hardening@lists.openwall.com] for the widest audience possible.<br />
<br />
When contributing patches for the Linux kernel, be sure to follow the Linux kernel [https://www.kernel.org/doc/html/latest/process/coding-style.html Coding Style Guide] and read about [https://www.kernel.org/doc/html/latest/process/submitting-patches.html Submitting Patches]. Even if you're only sending your patches to the mailing lists for some early review, it's best to get as much of the coding style and submission semantics correct to avoid reviewers needing to recommend changes in those areas.<br />
<br />
== grsecurity and other non-upstream patch sources ==<br />
<br />
As with any other Free Software project, it is particularly important, if you're upstreaming work from other projects, to make sure your patches give credit to the original authors, that licenses are compatible, that copyright notices are retained, etc.<br />
<br />
In the case of new files, or other places where a copyright notice would be expected to be added, be sure to retain all copyright notices from the other project. This may require some examination of commit history. For example, [https://github.com/linux-scraping/linux-grsecurity/blob/grsec-test/grsecurity/Makefile#L3 grsecurity's copyright notice from their most recent public patch] does not include PaX Team's copyright notice, which is only listed in the patch for GCC plugins. For grsecurity copyright, when more specific details are not easy to find, the following could be used:<br />
<br />
Copyright (C) 2001-2017 PaX Team, Bradley Spengler, Open Source Security Inc.<br />
<br />
Additionally, grsecurity has asked that contributors include this in commit messages for non-trivial code ported from grsecurity:<br />
<br />
$CODE is {verbatim,modified} from Brad Spengler/PaX Team's code in the last<br />
public patch of grsecurity/PaX based on my understanding of the code. Changes<br />
or omissions from the original code are mine and don't reflect the original<br />
grsecurity/PaX code.</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Get_Involved&diff=4065Kernel Self Protection Project/Get Involved2023-01-25T19:45:15Z<p>KeesCook: add calendar</p>
<hr />
<div>Want to get involved in the [[Kernel Self Protection Project]]? Here's how:<br />
<br />
= Join the conversations =<br />
<br />
* Subscribe to the [http://vger.kernel.org/vger-lists.html#linux-hardening '''upstream''' Linux kernel hardening mailing list], <code>'''linux'''-hardening@vger.kernel.org</code>, where development, maintenance, and administrivia happen. (And visit the [https://lore.kernel.org/linux-hardening/ list archive].)<br />
* Subscribe to the [https://www.openwall.com/lists/kernel-hardening/ '''general''' Linux kernel hardening mailing list], <code>'''kernel'''-hardening@lists.openwall.com</code>, where new hardening topics and summaries of completed work are discussed. (And visit the [https://lore.kernel.org/kernel-hardening/ list archive].)<br />
** Note: when sending to <code>kernel-hardening@lists.openwall.com</code>, please also CC <code>linux-hardening@vger.kernel.org</code>.<br />
* (Optional) Join the <code>#linux-hardening</code> IRC channel on [https://libera.chat/ Libera.Chat].<br />
* Come to the every-2-weeks status update meeting. See the [https://calendar.google.com/calendar/embed?src=47005f8f50f21da6133d7239f3cb93d1624d2e1949963ea75dd86d5f2d5721e0%40group.calendar.google.com calendar] for details.<br />
<br />
= Introduce Yourself =<br />
<br />
Send an email to the lists to introduce yourself!<br />
<br />
* What topics are you interested in?<br />
* What do you want to learn about?<br />
* What experience do you have with security, the kernel, programming, or anything else you think is important.<br />
<br />
= Pick something to work on =<br />
<br />
Pick something from the [https://github.com/KSPP/linux/issues issue tracker] (or add a new one), coordinate on the mailing lists, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [https://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.<br />
<br />
= Contribute patches =<br />
<br />
Please send new topics and patch series to both [http://vger.kernel.org/vger-lists.html#linux-hardening linux-hardening@vger.kernel.org] and [https://www.openwall.com/lists/kernel-hardening kernel-hardening@lists.openwall.com] for the widest audience possible.<br />
<br />
When contributing patches for the Linux kernel, be sure to follow the Linux kernel [https://www.kernel.org/doc/html/latest/process/coding-style.html Coding Style Guide] and read about [https://www.kernel.org/doc/html/latest/process/submitting-patches.html Submitting Patches]. Even if you're only sending your patches to the mailing lists for some early review, it's best to get as much of the coding style and submission semantics correct to avoid reviewers needing to recommend changes in those areas.<br />
<br />
== grsecurity and other non-upstream patch sources ==<br />
<br />
As with any other Free Software project, it is particularly important, if you're upstreaming work from other projects, to make sure your patches give credit to the original authors, that licenses are compatible, that copyright notices are retained, etc.<br />
<br />
In the case of new files, or other places where a copyright notice would be expected to be added, be sure to retain all copyright notices from the other project. This may require some examination of commit history. For example, [https://github.com/linux-scraping/linux-grsecurity/blob/grsec-test/grsecurity/Makefile#L3 grsecurity's copyright notice from their most recent public patch] does not include PaX Team's copyright notice, which is only listed in the patch for GCC plugins. For grsecurity copyright, when more specific details are not easy to find, the following could be used:<br />
<br />
Copyright (C) 2001-2017 PaX Team, Bradley Spengler, Open Source Security Inc.<br />
<br />
Additionally, grsecurity has asked that contributors include this in commit messages for non-trivial code ported from grsecurity:<br />
<br />
$CODE is {verbatim,modified} from Brad Spengler/PaX Team's code in the last<br />
public patch of grsecurity/PaX based on my understanding of the code. Changes<br />
or omissions from the original code are mine and don't reflect the original<br />
grsecurity/PaX code.</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4064Kernel Self Protection Project/Recommended Settings2022-11-01T22:50:37Z<p>KeesCook: /* x86_64 */</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_DEBUG_VIRTUAL=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Make sure line disciplines can't be autoloaded (since v5.1).<br />
# CONFIG_LDISC_AUTOLOAD is not set<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable "lockdown" LSM for bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not cause problems.<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make the scheduler aware of SMT cores. Programs need to opt in to this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and<br />
# minimizes stale data in registers). (Since v5.15)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Wipe RAM at reboot via EFI.<br />
# For more details, see:<br />
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/<br />
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058<br />
CONFIG_RESET_ATTACK_MITIGATION=y<br />
<br />
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk<br />
CONFIG_STATIC_USERMODEHELPER=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least modules must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional (32-bit) attack surface, unless you really need these interfaces.<br />
# CONFIG_COMPAT is not set<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_X86_X32_ABI is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
# Straight-Line-Speculation<br />
CONFIG_SLS=y<br />
<br />
# Enable Control Flow Integrity (since v6.1)<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Remove arm32 support to reduce syscall attack surface.<br />
# CONFIG_COMPAT is not set<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
# Software Shadow Stack or PAC<br />
CONFIG_SHADOW_CALL_STACK=y<br />
<br />
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can<br />
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.<br />
CONFIG_ARM64_PTR_AUTH=y<br />
CONFIG_ARM64_PTR_AUTH_KERNEL=y<br />
<br />
# Available in ARMv8.5 and later.<br />
CONFIG_ARM64_BTI=y<br />
CONFIG_ARM64_BTI_KERNEL=y<br />
CONFIG_ARM64_MTE=y<br />
CONFIG_KASAN_HW_TAGS=y<br />
CONFIG_ARM64_E0PD=y<br />
<br />
# Available in ARMv8.7 and later.<br />
CONFIG_ARM64_EPAN=y<br />
<br />
# Enable Control Flow Integrity<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
<br />
# Don't allow 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyperthreading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable user namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).<br />
dev.tty.ldisc_autoload = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4063Kernel Self Protection Project/Recommended Settings2022-11-01T22:50:15Z<p>KeesCook: /* arm64 */</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_DEBUG_VIRTUAL=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Make sure line disciplines can't be autoloaded (since v5.1).<br />
# CONFIG_LDISC_AUTOLOAD is not set<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable "lockdown" LSM for bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not cause problems.<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make the scheduler aware of SMT cores. Programs need to opt in to this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and<br />
# minimizes stale data in registers). (Since v5.15)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Wipe RAM at reboot via EFI.<br />
# For more details, see:<br />
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/<br />
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058<br />
CONFIG_RESET_ATTACK_MITIGATION=y<br />
<br />
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk<br />
CONFIG_STATIC_USERMODEHELPER=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least modules must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional attack surface, unless you really need these interfaces.<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_X86_X32_ABI is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
# Straight-Line-Speculation<br />
CONFIG_SLS=y<br />
<br />
# Enable Control Flow Integrity (since v6.1)<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Remove arm32 support to reduce syscall attack surface.<br />
# CONFIG_COMPAT is not set<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
# Software Shadow Stack or PAC<br />
CONFIG_SHADOW_CALL_STACK=y<br />
<br />
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can<br />
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.<br />
CONFIG_ARM64_PTR_AUTH=y<br />
CONFIG_ARM64_PTR_AUTH_KERNEL=y<br />
<br />
# Available in ARMv8.5 and later.<br />
CONFIG_ARM64_BTI=y<br />
CONFIG_ARM64_BTI_KERNEL=y<br />
CONFIG_ARM64_MTE=y<br />
CONFIG_KASAN_HW_TAGS=y<br />
CONFIG_ARM64_E0PD=y<br />
<br />
# Available in ARMv8.7 and later.<br />
CONFIG_ARM64_EPAN=y<br />
<br />
# Enable Control Flow Integrity<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
<br />
# Don't allow 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyperthreading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable user namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).<br />
dev.tty.ldisc_autoload = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4062Kernel Self Protection Project/Recommended Settings2022-11-01T22:48:40Z<p>KeesCook: /* x86_64 */</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_DEBUG_VIRTUAL=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Make sure line disciplines can't be autoloaded (since v5.1).<br />
# CONFIG_LDISC_AUTOLOAD is not set<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable the "lockdown" LSM for a bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not cause problems.<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make the scheduler aware of SMT cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and<br />
# minimizes stale data in registers). (Since v5.15)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Wipe RAM at reboot via EFI.<br />
# For more details, see:<br />
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/<br />
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058<br />
CONFIG_RESET_ATTACK_MITIGATION=y<br />
<br />
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk<br />
CONFIG_STATIC_USERMODEHELPER=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, this assisted heap memory attacks; best to keep the interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least modules must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional attack surface, unless you really need them.<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_X86_X32_ABI is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
# Straight-Line-Speculation<br />
CONFIG_SLS=y<br />
<br />
# Enable Control Flow Integrity (since v6.1)<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
# Software Shadow Stack or PAC<br />
CONFIG_SHADOW_CALL_STACK=y<br />
<br />
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can<br />
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.<br />
CONFIG_ARM64_PTR_AUTH=y<br />
CONFIG_ARM64_PTR_AUTH_KERNEL=y<br />
<br />
# Available in ARMv8.5 and later.<br />
CONFIG_ARM64_BTI=y<br />
CONFIG_ARM64_BTI_KERNEL=y<br />
CONFIG_ARM64_MTE=y<br />
CONFIG_KASAN_HW_TAGS=y<br />
CONFIG_ARM64_E0PD=y<br />
<br />
# Available in ARMv8.7 and later.<br />
CONFIG_ARM64_EPAN=y<br />
<br />
# Enable Control Flow Integrity<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyperthreading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable user namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).<br />
dev.tty.ldisc_autoload = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project&diff=4061Kernel Self Protection Project2022-10-28T16:50:48Z<p>KeesCook: /* Principles */</p>
<hr />
<div>= Mission Statement =<br />
<br />
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].<br />
<br />
These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.<br />
<br />
= Principles =<br />
A short list of things to keep in mind when designing self-protection features:<br />
<br />
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.<br />
* Upstream development is evolutionary, not revolutionary, which means it can sometimes [https://ieeexplore.ieee.org/abstract/document/6624016 take time] for features to become fully realized.<br />
* Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws.<br />
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).<br />
<br />
= Details =<br />
<br />
Specific details on the project:<br />
<br />
* [[Kernel Self Protection Project/Get Involved|Get Involved]]<br />
* [[Kernel Self Protection Project/Work|Areas of Work Needed]]<br />
* [[Kernel Self Protection Project/Recommended_Settings|Recommended Kernel Settings]]<br />
* [[Kernel Self Protection Project/Patch_Tracking|Patch Tracking]]<br />
<br />
= Documentation =<br />
<br />
For kernel protections already in upstream (or under active development) that have specific documentation:<br />
<br />
* [https://www.kernel.org/doc/html/latest/security/self-protection.html Self-Protection Guidelines]<br />
* [[Kernel_Protections/refcount_t|refcount_t]] Kernel reference counter overflow protection<br />
* [https://samsung.github.io/kspp-study/ Analysis on Kernel Self-Protection: Understanding Security and Performance Implication] ([https://github.com/Samsung/kspp-study github])</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4060Kernel Self Protection Project/Recommended Settings2022-10-15T03:17:58Z<p>KeesCook: /* sysctls */</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_DEBUG_VIRTUAL=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Make sure line disciplines can't be autoloaded (since v5.1).<br />
# CONFIG_LDISC_AUTOLOAD is not set<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable the "lockdown" LSM for a bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not cause problems.<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make the scheduler aware of SMT cores. Programs need to opt in to using this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and<br />
# minimizes stale data in registers). (Since v5.15)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Wipe RAM at reboot via EFI.<br />
# For more details, see:<br />
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/<br />
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058<br />
CONFIG_RESET_ATTACK_MITIGATION=y<br />
<br />
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk<br />
CONFIG_STATIC_USERMODEHELPER=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least the modules must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional attack surface, unless you really need it.<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
# Straight-Line-Speculation<br />
CONFIG_SLS=y<br />
<br />
# Enable Control Flow Integrity (since v6.1)<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
# Software shadow call stack, or PAC (see the pointer authentication options below).<br />
CONFIG_SHADOW_CALL_STACK=y<br />
<br />
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can<br />
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.<br />
CONFIG_ARM64_PTR_AUTH=y<br />
CONFIG_ARM64_PTR_AUTH_KERNEL=y<br />
<br />
# Available in ARMv8.5 and later.<br />
CONFIG_ARM64_BTI=y<br />
CONFIG_ARM64_BTI_KERNEL=y<br />
CONFIG_ARM64_MTE=y<br />
CONFIG_KASAN_HW_TAGS=y<br />
CONFIG_ARM64_E0PD=y<br />
<br />
# Available in ARMv8.7 and later.<br />
CONFIG_ARM64_EPAN=y<br />
<br />
# Enable Control Flow Integrity<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper-threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable user namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Disable tty line discipline autoloading (see CONFIG_LDISC_AUTOLOAD).<br />
dev.tty.ldisc_autoload = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4059Kernel Self Protection Project/Recommended Settings2022-10-15T03:16:58Z<p>KeesCook: /* CONFIGs */</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_DEBUG_VIRTUAL=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Make sure line disciplines can't be autoloaded (since v5.1).<br />
# CONFIG_LDISC_AUTOLOAD is not set<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable "lockdown" LSM for bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# init_on_free=1 is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not cause problems.<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make the scheduler aware of SMT cores so that only tasks that opt in together share a core (limits cross-hyperthread side channels). Programs need to opt in to this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and<br />
# minimizes stale data in registers). (Since v5.15)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Wipe RAM at reboot via EFI.<br />
# For more details, see:<br />
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/<br />
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058<br />
CONFIG_RESET_ATTACK_MITIGATION=y<br />
<br />
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk<br />
CONFIG_STATIC_USERMODEHELPER=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least the modules must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional attack surface, unless you really need it.<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
# Straight-Line-Speculation<br />
CONFIG_SLS=y<br />
<br />
# Enable Control Flow Integrity (since v6.1)<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
# Software shadow call stack, or PAC (see the pointer authentication options below).<br />
CONFIG_SHADOW_CALL_STACK=y<br />
<br />
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can<br />
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.<br />
CONFIG_ARM64_PTR_AUTH=y<br />
CONFIG_ARM64_PTR_AUTH_KERNEL=y<br />
<br />
# Available in ARMv8.5 and later.<br />
CONFIG_ARM64_BTI=y<br />
CONFIG_ARM64_BTI_KERNEL=y<br />
CONFIG_ARM64_MTE=y<br />
CONFIG_KASAN_HW_TAGS=y<br />
CONFIG_ARM64_E0PD=y<br />
<br />
# Available in ARMv8.7 and later.<br />
CONFIG_ARM64_EPAN=y<br />
<br />
# Enable Control Flow Integrity<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper-threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable user namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4058Kernel Self Protection Project/Recommended Settings2022-10-14T02:25:55Z<p>KeesCook: /* x86_32 */ iommu</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_DEBUG_VIRTUAL=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable "lockdown" LSM for bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# init_on_free=1 is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
# Because only a sample of allocations is guarded, this is a bug-detection aid (useful across a fleet), not a mitigation an attacker has to get past.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not weaken the pool itself. The real trade-off is that a trusted source is credited: it can mark<br />
# the CRNG as initialized before any other entropy has arrived, so early-boot randomness is only as good as that source.<br />
# (Recent kernels, v6.2 and later, no longer have these as build options; trust is controlled by the "random.trust_cpu=" and "random.trust_bootloader=" boot parameters.)<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and<br />
# minimizes stale data in registers). (Since v5.15)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Wipe RAM at reboot via EFI.<br />
# For more details, see:<br />
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/<br />
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058<br />
CONFIG_RESET_ATTACK_MITIGATION=y<br />
<br />
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk<br />
CONFIG_STATIC_USERMODEHELPER=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops. This turns any oops an attacker can trigger into a denial of<br />
# service (a reboot) instead of leaving a possibly-corrupted kernel running; where availability matters more than integrity,<br />
# weigh this carefully. (CONFIG_PANIC_TIMEOUT=-1 reboots immediately; a positive value waits that many seconds first.)<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.<br />
# The key at the default path below is generated at build time; treat its private half like any other signing key (keep it<br />
# out of the shipped image and the published build artifacts), otherwise CONFIG_MODULE_SIG_FORCE=y gains nothing.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
# The layouts are derived from a seed generated at build time: keep that seed secret (a leaked seed voids the protection)<br />
# and reuse it for any out-of-tree modules, which otherwise will not match the kernel's structure layouts.<br />
# (Since v5.19 this is CONFIG_RANDSTRUCT_FULL / CONFIG_RANDSTRUCT_PERFORMANCE, which also covers Clang builds.)<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional attack surface, unless you really need them.<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
# Straight-Line-Speculation<br />
CONFIG_SLS=y<br />
<br />
# Enable Control Flow Integrity (since v6.1)<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
# Software Shadow Stack or PAC<br />
CONFIG_SHADOW_CALL_STACK=y<br />
<br />
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can<br />
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.<br />
CONFIG_ARM64_PTR_AUTH=y<br />
CONFIG_ARM64_PTR_AUTH_KERNEL=y<br />
<br />
# Available in ARMv8.5 and later.<br />
CONFIG_ARM64_BTI=y<br />
CONFIG_ARM64_BTI_KERNEL=y<br />
CONFIG_ARM64_MTE=y<br />
CONFIG_KASAN_HW_TAGS=y<br />
CONFIG_ARM64_E0PD=y<br />
<br />
# Available in ARMv8.7 and later.<br />
CONFIG_ARM64_EPAN=y<br />
<br />
# Enable Control Flow Integrity<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To prevent against L1TF, at the cost of losing hyper threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
# Note: slub_debug is a single option; to get several of the flags listed here at once, combine them in one setting<br />
# (e.g. "slub_debug=ZFP") rather than passing slub_debug= more than once.<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
# A value of 1 hides them from processes without CAP_SYSLOG; 2 hides them from everyone, root included, and is the better choice when nothing on the system legitimately needs kernel pointers.<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in. (One-way: once set to 1 it cannot be cleared again without a reboot.)<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
# (1 = only descendants may be traced; 2 = only processes with CAP_SYS_PTRACE may attach; 3 = no ptrace attach at all, and 3 cannot be lowered again without a reboot.)<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable User Namespaces, as it opens up a large attack surface to unprivileged users.<br />
# Note this blocks creation for every user, root included, so container runtimes and sandboxes (e.g. bubblewrap, browser sandboxes) that rely on user namespaces will stop working.<br />
user.max_user_namespaces = 0<br />
<br />
# Turn off unprivileged eBPF access. (A value of 1 is one-way and cannot be cleared without a reboot; newer kernels also accept 2, which disables it but can be reverted.)<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4057Kernel Self Protection Project/Recommended Settings2022-10-13T15:17:18Z<p>KeesCook: /* CONFIGs */</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_DEBUG_VIRTUAL=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable "lockdown" LSM for bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not cause problems.<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and<br />
# minimizes stale data in registers). (Since v5.15)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Wipe RAM at reboot via EFI.<br />
# For more details, see:<br />
# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/<br />
# https://bugzilla.redhat.com/show_bug.cgi?id=1532058<br />
CONFIG_RESET_ATTACK_MITIGATION=y<br />
<br />
# This needs userspace support, and will break "regular" distros. See: https://github.com/tych0/huldufolk<br />
CONFIG_STATIC_USERMODEHELPER=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional attack surface, unless you really need them.<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
# Straight-Line-Speculation<br />
CONFIG_SLS=y<br />
<br />
# Enable Control Flow Integrity (since v6.1)<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
# Software Shadow Stack or PAC<br />
CONFIG_SHADOW_CALL_STACK=y<br />
<br />
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can<br />
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.<br />
CONFIG_ARM64_PTR_AUTH=y<br />
CONFIG_ARM64_PTR_AUTH_KERNEL=y<br />
<br />
# Available in ARMv8.5 and later.<br />
CONFIG_ARM64_BTI=y<br />
CONFIG_ARM64_BTI_KERNEL=y<br />
CONFIG_ARM64_MTE=y<br />
CONFIG_KASAN_HW_TAGS=y<br />
CONFIG_ARM64_E0PD=y<br />
<br />
# Available in ARMv8.7 and later.<br />
CONFIG_ARM64_EPAN=y<br />
<br />
# Enable Control Flow Integrity<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To prevent against L1TF, at the cost of losing hyper threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable User Namespaces, as it opens up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4056Kernel Self Protection Project/Recommended Settings2022-10-13T14:49:30Z<p>KeesCook: /* x86_64 */ CFI</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable "lockdown" LSM for bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not cause problems.<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make scheduler aware of SMT Cores. Programs need to opt in to this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and<br />
# minimizes stale data in registers). (Since v5.15)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Wipe RAM at reboot via EFI.<br />
CONFIG_RESET_ATTACK_MITIGATION=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional attack surface, unless you really need them.<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
# Mitigate Straight-Line-Speculation (SLS).<br />
CONFIG_SLS=y<br />
<br />
# Enable Control Flow Integrity (since v6.1)<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
# Software Shadow Stack or PAC<br />
CONFIG_SHADOW_CALL_STACK=y<br />
<br />
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can<br />
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.<br />
CONFIG_ARM64_PTR_AUTH=y<br />
CONFIG_ARM64_PTR_AUTH_KERNEL=y<br />
<br />
# Available in ARMv8.5 and later.<br />
CONFIG_ARM64_BTI=y<br />
CONFIG_ARM64_BTI_KERNEL=y<br />
CONFIG_ARM64_MTE=y<br />
CONFIG_KASAN_HW_TAGS=y<br />
CONFIG_ARM64_E0PD=y<br />
<br />
# Available in ARMv8.7 and later.<br />
CONFIG_ARM64_EPAN=y<br />
<br />
# Enable Control Flow Integrity<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Don't allow 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4055Kernel Self Protection Project/Recommended Settings2022-10-11T20:12:06Z<p>KeesCook: /* CONFIGs */</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable "lockdown" LSM for bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not cause problems.<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make scheduler aware of SMT Cores. Programs need to opt in to this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and<br />
# minimizes stale data in registers). (Since v5.15)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Wipe RAM at reboot via EFI.<br />
CONFIG_RESET_ATTACK_MITIGATION=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional attack surface, unless you really need them.<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
# Mitigate Straight-Line-Speculation (SLS).<br />
CONFIG_SLS=y<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
# Software Shadow Stack or PAC<br />
CONFIG_SHADOW_CALL_STACK=y<br />
<br />
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can<br />
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.<br />
CONFIG_ARM64_PTR_AUTH=y<br />
CONFIG_ARM64_PTR_AUTH_KERNEL=y<br />
<br />
# Available in ARMv8.5 and later.<br />
CONFIG_ARM64_BTI=y<br />
CONFIG_ARM64_BTI_KERNEL=y<br />
CONFIG_ARM64_MTE=y<br />
CONFIG_KASAN_HW_TAGS=y<br />
CONFIG_ARM64_E0PD=y<br />
<br />
# Available in ARMv8.7 and later.<br />
CONFIG_ARM64_EPAN=y<br />
<br />
# Enable Control Flow Integrity<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Don't allow 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4054Kernel Self Protection Project/Recommended Settings2022-10-10T03:00:57Z<p>KeesCook: /* CONFIGs */ Alexander recommendation</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable "lockdown" LSM for bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not cause problems.<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Wipe RAM at reboot via EFI.<br />
CONFIG_RESET_ATTACK_MITIGATION=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least the modules must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional attack surface, unless you really need them.<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
# Straight-Line-Speculation<br />
CONFIG_SLS=y<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
# Software Shadow Stack or PAC<br />
CONFIG_SHADOW_CALL_STACK=y<br />
<br />
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can<br />
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.<br />
CONFIG_ARM64_PTR_AUTH=y<br />
CONFIG_ARM64_PTR_AUTH_KERNEL=y<br />
<br />
# Available in ARMv8.5 and later.<br />
CONFIG_ARM64_BTI=y<br />
CONFIG_ARM64_BTI_KERNEL=y<br />
CONFIG_ARM64_MTE=y<br />
CONFIG_KASAN_HW_TAGS=y<br />
CONFIG_ARM64_E0PD=y<br />
<br />
# Available in ARMv8.7 and later.<br />
CONFIG_ARM64_EPAN=y<br />
<br />
# Enable Control Flow Integrity<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4053Kernel Self Protection Project/Recommended Settings2022-10-10T02:58:17Z<p>KeesCook: /* x86_64 */</p>
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Recommended kernel hardening settings are also available from the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable "lockdown" LSM for bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not cause problems.<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least the modules must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional attack surface, unless you really need them.<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
# Straight-Line-Speculation<br />
CONFIG_SLS=y<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
# Software Shadow Stack or PAC<br />
CONFIG_SHADOW_CALL_STACK=y<br />
<br />
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can<br />
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.<br />
CONFIG_ARM64_PTR_AUTH=y<br />
CONFIG_ARM64_PTR_AUTH_KERNEL=y<br />
<br />
# Available in ARMv8.5 and later.<br />
CONFIG_ARM64_BTI=y<br />
CONFIG_ARM64_BTI_KERNEL=y<br />
CONFIG_ARM64_MTE=y<br />
CONFIG_KASAN_HW_TAGS=y<br />
CONFIG_ARM64_E0PD=y<br />
<br />
# Available in ARMv8.7 and later.<br />
CONFIG_ARM64_EPAN=y<br />
<br />
# Enable Control Flow Integrity<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4052Kernel Self Protection Project/Recommended Settings2022-10-10T02:57:35Z<p>KeesCook: /* arm64 */ arm64 CFI and things, thanks to Alexander for the ping</p>
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Recommended kernel hardening settings are also available from the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable "lockdown" LSM for bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not cause problems.<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make scheduler aware of SMT Cores. Programs need to opt in to this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional attack surface, unless you really need them.<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
# Software Shadow Stack or PAC<br />
CONFIG_SHADOW_CALL_STACK=y<br />
<br />
# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can<br />
# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled.<br />
CONFIG_ARM64_PTR_AUTH=y<br />
CONFIG_ARM64_PTR_AUTH_KERNEL=y<br />
<br />
# Available in ARMv8.5 and later.<br />
CONFIG_ARM64_BTI=y<br />
CONFIG_ARM64_BTI_KERNEL=y<br />
CONFIG_ARM64_MTE=y<br />
CONFIG_KASAN_HW_TAGS=y<br />
CONFIG_ARM64_E0PD=y<br />
<br />
# Available in ARMv8.7 and later.<br />
CONFIG_ARM64_EPAN=y<br />
<br />
# Enable Control Flow Integrity<br />
CONFIG_CFI_CLANG=y<br />
# CONFIG_CFI_PERMISSIVE is not set<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyperthreading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4051Kernel Self Protection Project/Recommended Settings2022-10-10T02:41:23Z<p>KeesCook: /* CONFIGs */ next chunk from Alexander. RNG trust source setting are my recommendation, though.</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set<br />
# CONFIG_SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable "lockdown" LSM for bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Disable DMA between EFI hand-off and the kernel's IOMMU setup.<br />
CONFIG_EFI_DISABLE_PCI_DMA=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_SUPPORT=y<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Enable feeding RNG entropy from TPM, if available.<br />
CONFIG_HW_RANDOM_TPM=y<br />
<br />
# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even<br />
# malicious sources should not cause problems.<br />
CONFIG_RANDOM_TRUST_BOOTLOADER=y<br />
CONFIG_RANDOM_TRUST_CPU=y<br />
<br />
# Make scheduler aware of SMT Cores. Programs need to opt in to this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
# CONFIG_STACKLEAK_METRICS is not set<br />
# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional attack surface, unless you really need them.<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
# Enable chip-specific IOMMU support. <br />
CONFIG_INTEL_IOMMU=y<br />
CONFIG_INTEL_IOMMU_DEFAULT_ON=y<br />
CONFIG_INTEL_IOMMU_SVM=y<br />
CONFIG_AMD_IOMMU=y<br />
CONFIG_AMD_IOMMU_V2=y<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyperthreading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4050Kernel Self Protection Project/Recommended Settings2022-10-10T02:29:14Z<p>KeesCook: /* CONFIGs */ add settings for recent kernels, thanks to Alexander Popov for the prodding and specific suggestions.</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Make sure SELinux cannot be disabled trivially.<br />
# SECURITY_SELINUX_BOOTPARAM is not set<br />
# SECURITY_SELINUX_DEVELOP is not set<br />
# CONFIG_SECURITY_WRITABLE_HOOKS is not set<br />
<br />
# Enable "lockdown" LSM for bright line between the root user and kernel memory.<br />
CONFIG_SECURITY_LOCKDOWN_LSM=y<br />
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y<br />
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free setting is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled.<br />
CONFIG_UBSAN=y<br />
CONFIG_UBSAN_TRAP=y<br />
CONFIG_UBSAN_BOUNDS=y<br />
CONFIG_UBSAN_SANITIZE_ALL=y<br />
# CONFIG_UBSAN_SHIFT is not set<br />
# CONFIG_UBSAN_DIV_ZERO is not set<br />
# CONFIG_UBSAN_UNREACHABLE is not set<br />
# CONFIG_UBSAN_BOOL is not set<br />
# CONFIG_UBSAN_ENUM is not set<br />
# CONFIG_UBSAN_ALIGNMENT is not set<br />
# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set:<br />
CONFIG_UBSAN_LOCAL_BOUNDS=y<br />
<br />
# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Make the scheduler aware of SMT cores. Programs need to opt in to this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least modules must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
<br />
# Randomize the layout of system structures. This may have a dramatic performance impact, so<br />
# use it with caution, or also enable CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove these additional attack surfaces, unless you really need them.<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper-threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4049Kernel Self Protection Project/Recommended Settings2022-08-19T21:56:51Z<p>KeesCook: /* CONFIGs */ add note about Landlock thanks to Mickaël Salaün</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Provide userspace with Landlock MAC interface.<br />
# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.<br />
CONFIG_SECURITY_LANDLOCK=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free setting is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Enable sampling-based overflow detection. This is similar to KASAN coverage, but with almost zero runtime overhead.<br />
CONFIG_KFENCE=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Make the scheduler aware of SMT cores. Programs need to opt in to this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least modules must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
<br />
# Randomize the layout of system structures. This may have a dramatic performance impact, so<br />
# use it with caution, or also enable CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove these additional attack surfaces, unless you really need them.<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper-threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project&diff=4048Kernel Self Protection Project2022-05-08T08:18:31Z<p>KeesCook: /* Documentation */ add Samsung analysis</p>
<hr />
<div>= Mission Statement =<br />
<br />
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].<br />
<br />
These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.<br />
<br />
= Principles =<br />
A short list of things to keep in mind when designing self-protection features:<br />
<br />
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.<br />
* Upstream development is evolutionary, not revolutionary, which means it can sometimes take time for features to become fully realized.<br />
* Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws.<br />
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).<br />
<br />
= Details =<br />
<br />
Specific details on the project:<br />
<br />
* [[Kernel Self Protection Project/Get Involved|Get Involved]]<br />
* [[Kernel Self Protection Project/Work|Areas of Work Needed]]<br />
* [[Kernel Self Protection Project/Recommended_Settings|Recommended Kernel Settings]]<br />
* [[Kernel Self Protection Project/Patch_Tracking|Patch Tracking]]<br />
<br />
= Documentation =<br />
<br />
For kernel protections already in upstream (or under active development) that have specific documentation:<br />
<br />
* [https://www.kernel.org/doc/html/latest/security/self-protection.html Self-Protection Guidelines]<br />
* [[Kernel_Protections/refcount_t|refcount_t]] Kernel reference counter overflow protection<br />
* [https://samsung.github.io/kspp-study/ Analysis on Kernel Self-Protection: Understanding Security and Performance Implication] ([https://github.com/Samsung/kspp-study github])</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4047Kernel Self Protection Project/Recommended Settings2022-03-30T22:03:25Z<p>KeesCook: /* CONFIGs */ CONFIG_SCHED_CORE</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level (page allocator) memory allocations when they are freed (needs "page_poison=1" command line below; on v5.3+ the init_on_free setting below supersedes this).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting (overflow/underflow of refcount_t). If this option is absent from your tree's Kconfig, check whether full checking has already become unconditional rather than assuming it is off.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Enable sampling-based overflow detection. This is similar to KASAN coverage, but with almost zero runtime overhead. Because only a small sample of allocations is guarded, treat this as a bug-reporting aid for production fleets rather than an exploit mitigation.<br />
CONFIG_KFENCE=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Make scheduler aware of SMT cores, so that only tasks that opted into the same core-scheduling group run on sibling hyperthreads at the same time (a partial, finer-grained alternative to "nosmt" below). Programs need to opt-in to using this feature with prctl(PR_SCHED_CORE).<br />
CONFIG_SCHED_CORE=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Dangerous; enabling this lets root inject arbitrary ACPI (AML) methods at runtime, which is effectively direct kernel memory writing and sidesteps module signing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of the running kernel (if it must be built in, at least set kernel.kexec_load_disabled=1, see sysctls below).<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if the kernel experiences an Oops. Rationale: many exploits depend on surviving a failed attempt (to retry a race or brute-force a value), and panicking denies the retry; the trade-off is that any attacker-reachable Oops becomes a reboot (denial of service).<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key. Protect or destroy the private half of that key after the build: anyone who obtains it can sign modules this kernel will load.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y. The per-build randomization seed must be kept as secret as the module signing key (it reveals the layout), and every module must be built from the same tree and seed.<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Remove the /dev/cpu/*/msr interface, which lets root read and write arbitrary Model-Specific Registers.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels (Meltdown-style reads of kernel memory from userspace; see "pti=on" below to force it on regardless of what the CPU claims).<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional attack surface, unless you really need them.<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To mitigate L1TF (leaks of kernel memory across SMT siblings), at the cost of losing hyper threading ('''slow'''). CONFIG_SCHED_CORE above is a partial, finer-grained alternative.<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above). Give all desired flags in a single slub_debug= argument (e.g. slub_debug=ZFP together with the poisoning flag below); when slub_debug= is repeated, the last one given wins rather than accumulating.<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). A value of 1 hides addresses from processes without CAP_SYSLOG; 2 hides them from everyone, including root. (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials. (1 still lets a process attach to its own descendants; 2 limits attach to CAP_SYS_PTRACE holders; 3 disables ptrace attach entirely and cannot be lowered again without a reboot.)<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable User Namespaces, as they open up a large attack surface to unprivileged users. Note that userspace sandboxes and container runtimes that rely on unprivileged user namespaces will then fail or fall back to weaker isolation, so check what the system runs before setting this.<br />
user.max_user_namespaces = 0<br />
<br />
# Turn off unprivileged eBPF access. Setting 1 is one-way: it cannot be changed back to 0 until reboot.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled. 2 applies constant blinding to programs from all users, including privileged ones (1 would only harden unprivileged programs).<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4046Kernel Self Protection Project/Recommended Settings2022-03-30T21:57:22Z<p>KeesCook: /* CONFIGs */ add kfence</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level (page allocator) memory allocations when they are freed (needs "page_poison=1" command line below; on v5.3+ the init_on_free setting below supersedes this).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Enable sampling-based overflow detection. This is similar to KASAN coverage, but with almost zero runtime overhead. Because only a small sample of allocations is guarded, treat this as a bug-reporting aid for production fleets rather than an exploit mitigation.<br />
CONFIG_KFENCE=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Dangerous; enabling this lets root inject arbitrary ACPI (AML) methods at runtime, which is effectively direct kernel memory writing and sidesteps module signing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of the running kernel (if it must be built in, at least set kernel.kexec_load_disabled=1, see sysctls below).<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if the kernel experiences an Oops. Rationale: many exploits depend on surviving a failed attempt (to retry a race or brute-force a value), and panicking denies the retry; the trade-off is that any attacker-reachable Oops becomes a reboot (denial of service).<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key. Protect or destroy the private half of that key after the build: anyone who obtains it can sign modules this kernel will load.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y. The per-build randomization seed must be kept as secret as the module signing key (it reveals the layout), and every module must be built from the same tree and seed.<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Remove the /dev/cpu/*/msr interface, which lets root read and write arbitrary Model-Specific Registers.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels (Meltdown-style reads of kernel memory from userspace; see "pti=on" below to force it on regardless of what the CPU claims).<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional attack surface, unless you really need them.<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To mitigate L1TF (leaks of kernel memory across SMT siblings), at the cost of losing hyper threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above). Give all desired flags in a single slub_debug= argument (e.g. slub_debug=ZFP together with the poisoning flag below); when slub_debug= is repeated, the last one given wins rather than accumulating.<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). A value of 1 hides addresses from processes without CAP_SYSLOG; 2 hides them from everyone, including root. (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials. (1 still lets a process attach to its own descendants; 2 limits attach to CAP_SYS_PTRACE holders; 3 disables ptrace attach entirely and cannot be lowered again without a reboot.)<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable User Namespaces, as they open up a large attack surface to unprivileged users. Note that userspace sandboxes and container runtimes that rely on unprivileged user namespaces will then fail or fall back to weaker isolation, so check what the system runs before setting this.<br />
user.max_user_namespaces = 0<br />
<br />
# Turn off unprivileged eBPF access. Setting 1 is one-way: it cannot be changed back to 0 until reboot.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled. 2 applies constant blinding to programs from all users, including privileged ones (1 would only harden unprivileged programs).<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4045Kernel Self Protection Project/Recommended Settings2022-03-30T21:55:51Z<p>KeesCook: move randomized kstack to all archs, since it's only missing on arm. fix name of trivial-auto-var-init feature enablement</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level (page allocator) memory allocations when they are freed (needs "page_poison=1" command line below; on v5.3+ the init_on_free setting below supersedes this).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang and GCC 12+ builds only. For earlier GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL_ZERO=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Dangerous; enabling this lets root inject arbitrary ACPI (AML) methods at runtime, which is effectively direct kernel memory writing and sidesteps module signing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of the running kernel (if it must be built in, at least set kernel.kexec_load_disabled=1, see sysctls below).<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if the kernel experiences an Oops. Rationale: many exploits depend on surviving a failed attempt (to retry a race or brute-force a value), and panicking denies the retry; the trade-off is that any attacker-reachable Oops becomes a reboot (denial of service).<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key. Protect or destroy the private half of that key after the build: anyone who obtains it can sign modules this kernel will load.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional attack surface, unless you really need them.<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4044Kernel Self Protection Project/Recommended Settings2022-03-30T21:52:29Z<p>KeesCook: Ah, koffset_default was already there. Add iommu default boot param too.</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional attack surface, unless you really need them.<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (see CONFIG_IOMMU_DEFAULT_DMA_STRICT=y above).<br />
iommu.passthrough=0 iommu.strict=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4043Kernel Self Protection Project/Recommended Settings2022-03-30T21:49:51Z<p>KeesCook: /* CONFIGs */</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Enable kernel stack offset randomization by default (or set "randomize_kstack_offset=y" at boot)<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional attack surface, unless you really need them.<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4042Kernel Self Protection Project/Recommended Settings2022-03-30T21:49:33Z<p>KeesCook: /* CONFIGs */ add various bits noted as missing by Peter Böhm</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Do not ignore compile-time warnings (since v5.15)<br />
CONFIG_WERROR=y<br />
<br />
# Enable kernel stack offset randomization by default (or set "randomize_kstack_offset=y" at boot)<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)<br />
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y<br />
<br />
# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)<br />
CONFIG_ZERO_CALL_USED_REGS=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if the kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least they must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace; remove it as a possible target.<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional attack surface, unless you really need these interfaces.<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Randomize kernel stack offset on syscall entry (since v5.13).<br />
# See CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT above.<br />
randomize_kstack_offset=on<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Patch_Tracking&diff=4041Kernel Self Protection Project/Patch Tracking2022-03-24T23:39:24Z<p>KeesCook: /* Process */ fix "in next" link</p>
<hr />
<div>= Overview =<br />
The primary place where [[Kernel_Self_Protection_Project|KSPP]] patches are tracked is through our [https://patchwork.kernel.org/project/linux-hardening/list/ patchwork instance]. This helps collect Reviewed-by, Acked-by, Tested-by, etc. tags in a single place so that status can be seen at a glance.<br />
<br />
= Process =<br />
<br />
The overview list shows patches that need some kind of work to move through the tracking process:<br />
<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/ Action Needed]: Needs work from someone on the linux-hardening patchwork team.<br />
<br />
The specific "state machine" we use follows this path:<br />
<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=1&q=&archive=&delegate= New]: No activity yet.<br />
** Move to "Under Review" (possibly with a delegate assigned to do the review).<br />
** Move to "Superseded" if a newer version of the same patch has been sent (the patchwork-bot usually does this automatically).<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=2&q=&archive=&delegate= Under Review]: Reviewers need to give feedback on the patch.<br />
** Move to "Changes Requested" if a new version of the patch is needed after review feedback.<br />
** Move to "Needs ACK" if another subsystem is expected to take the patch into their tree.<br />
** Move to "Handled Elsewhere" if a non-linux-hardening tree says they are applying the patch.<br />
** Move to "Queued" if a linux-hardening tree applies the patch.<br />
** Move to "Superseded" if a newer version of the same patch has been sent (the patchwork-bot usually does this automatically).<br />
** Move to "In Next" if the patch appears in linux-next (the patchwork-bot usually does this automatically).<br />
** In rare cases, a patch can be moved to "Rejected", but that is uncommon, as normally review feedback is expected to be acted on.<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=13&q=&archive=&delegate= Queued]: Going via a linux-hardening tree, but not yet in linux-next.<br />
** Move to "In Next" once a patch appears in linux-next (the patchwork-bot usually does this automatically).<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=15&q=&archive=&delegate= Needs ACK]: Going via another tree, but not yet reviewed by maintainer.<br />
** Move to "Handled Elsewhere" once other tree maintainer says they are applying the patch.<br />
** Move to "In Next" once a patch appears in linux-next (the patchwork-bot usually does this automatically).<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=17&q=&archive=&delegate= Handled Elsewhere]: Going via another tree, but not yet in linux-next.<br />
** Move to "In Next" once a patch appears in linux-next (the patchwork-bot usually does this automatically).<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=19&q=&archive=&delegate= In Next]: In linux-next, but not yet in Linus's tree.<br />
** Move to "Mainlined" once a patch appears in Linus's tree (the patchwork-bot usually does this automatically).<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=11&q=&archive=&delegate= Mainlined]: Done! In Linus's tree.</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project&diff=4040Kernel Self Protection Project2022-02-14T20:29:50Z<p>KeesCook: /* Documentation */</p>
<hr />
<div>= Mission Statement =<br />
<br />
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].<br />
<br />
These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.<br />
<br />
= Principles =<br />
A short list of things to keep in mind when designing self-protection features:<br />
<br />
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.<br />
* Upstream development is evolutionary, not revolutionary, which means it can sometimes take time for features to become fully realized.<br />
* Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws.<br />
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).<br />
<br />
= Details =<br />
<br />
Specific details on the project:<br />
<br />
* [[Kernel Self Protection Project/Get Involved|Get Involved]]<br />
* [[Kernel Self Protection Project/Work|Areas of Work Needed]]<br />
* [[Kernel Self Protection Project/Recommended_Settings|Recommended Kernel Settings]]<br />
* [[Kernel Self Protection Project/Patch_Tracking|Patch Tracking]]<br />
<br />
= Documentation =<br />
<br />
For kernel protections already in upstream (or under active development) that have specific documentation:<br />
<br />
* [https://www.kernel.org/doc/html/latest/security/self-protection.html Self-Protection Guidelines]<br />
* [[Kernel_Protections/refcount_t|refcount_t]] Kernel reference counter overflow protection</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project&diff=4039Kernel Self Protection Project2022-02-14T20:28:34Z<p>KeesCook: /* Details */ don't make these sections of their own, just a list so the Contents links aren't confusing.</p>
<hr />
<div>= Mission Statement =<br />
<br />
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and ongoing, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].<br />
<br />
These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.<br />
<br />
= Principles =<br />
A short list of things to keep in mind when designing self-protection features:<br />
<br />
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.<br />
* Upstream development is evolutionary, not revolutionary, which means it can sometimes take time for features to become fully realized.<br />
* Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws.<br />
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).<br />
<br />
= Details =<br />
<br />
Specific details on the project:<br />
<br />
* [[Kernel Self Protection Project/Get Involved|Get Involved]]<br />
* [[Kernel Self Protection Project/Work|Areas of Work Needed]]<br />
* [[Kernel Self Protection Project/Recommended_Settings|Recommended Kernel Settings]]<br />
* [[Kernel Self Protection Project/Patch_Tracking|Patch Tracking]]<br />
<br />
= Documentation =<br />
<br />
For kernel protections already in upstream (or under active development) that have specific documentation:<br />
<br />
==== [https://www.kernel.org/doc/html/latest/security/self-protection.html Self-Protection Guidelines] ====<br />
==== [[Kernel_Protections/refcount_t|refcount_t]] ====<br />
: Kernel reference counter overflow protection</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Patch_Tracking&diff=4037Kernel Self Protection Project/Patch Tracking2021-10-26T22:50:58Z<p>KeesCook: /* Process */ adjust process for "Needs ACK"</p>
<hr />
<div>= Overview =<br />
The primary place where [[Kernel_Self_Protection_Project|KSPP]] patches are tracked is through our [https://patchwork.kernel.org/project/linux-hardening/list/ patchwork instance]. This helps collect Reviewed-by, Acked-by, Tested-by, etc. tags in a single place so that status can be seen at a glance.<br />
<br />
= Process =<br />
<br />
The overview list shows patches that need some kind of work to move through the tracking process:<br />
<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/ Action Needed]: Needs work from someone on the linux-hardening patchwork team.<br />
<br />
The specific "state machine" we use follows this path:<br />
<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=1&q=&archive=&delegate= New]: No activity yet.<br />
** Move to "Under Review" (possibly with a delegate assigned to do the review).<br />
** Move to "Superseded" if a newer version of the same patch has been sent (the patchwork-bot usually does this automatically).<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=2&q=&archive=&delegate= Under Review]: Reviewers need to give feedback on the patch.<br />
** Move to "Changes Requested" if a new version of the patch is needed after review feedback.<br />
** Move to "Needs ACK" if another subsystem is expected to take the patch into their tree.<br />
** Move to "Handled Elsewhere" if a non-linux-hardening tree says they are applying the patch.<br />
** Move to "Queued" if a linux-hardening tree applies the patch.<br />
** Move to "Superseded" if a newer version of the same patch has been sent (the patchwork-bot usually does this automatically).<br />
** Move to "In Next" if the patch appears in linux-next (the patchwork-bot usually does this automatically).<br />
** In rare cases, a patch can be moved to "Rejected", but that is uncommon, as normally review feedback is expected to be acted on.<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=13&q=&archive=&delegate= Queued]: Going via a linux-hardening tree, but not yet in linux-next.<br />
** Move to "In Next" once a patch appears in linux-next (the patchwork-bot usually does this automatically).<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=15&q=&archive=&delegate= Needs ACK]: Going via another tree, but not yet reviewed by maintainer.<br />
** Move to "Handled Elsewhere" once other tree maintainer says they are applying the patch.<br />
** Move to "In Next" once a patch appears in linux-next (the patchwork-bot usually does this automatically).<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=17&q=&archive=&delegate= Handled Elsewhere]: Going via another tree, but not yet in linux-next.<br />
** Move to "In Next" once a patch appears in linux-next (the patchwork-bot usually does this automatically).<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=8&q=&archive=&delegate= In Next]: In linux-next, but not yet in Linus's tree.<br />
** Move to "Mainlined" once a patch appears in Linus's tree (the patchwork-bot usually does this automatically).<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=11&q=&archive=&delegate= Mainlined]: Done! In Linus's tree.</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Patch_Tracking&diff=4036Kernel Self Protection Project/Patch Tracking2021-10-21T15:20:32Z<p>KeesCook: swap "Awaiting Upstream" for "In Next"</p>
<hr />
<div>= Overview =<br />
The primary place where [[Kernel_Self_Protection_Project|KSPP]] patches are tracked is through our [https://patchwork.kernel.org/project/linux-hardening/list/ patchwork instance]. This helps collect Reviewed-by, Acked-by, Tested-by, etc. tags in a single place so that status can be seen at a glance.<br />
<br />
= Process =<br />
<br />
The overview list shows patches that need some kind of work to move through the tracking process:<br />
<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/ Action Needed]: Needs work from someone on the linux-hardening patchwork team.<br />
<br />
The specific "state machine" we use follows this path:<br />
<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=1&q=&archive=&delegate= New]: No activity yet.<br />
** Move to "Under Review" (possibly with a delegate assigned to do the review).<br />
** Move to "Superseded" if a newer version of the same patch has been sent (the patchwork-bot usually does this automatically).<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=2&q=&archive=&delegate= Under Review]: Reviewers need to give feedback on the patch.<br />
** Move to "Changes Requested" if a new version of the patch is needed after review feedback.<br />
** Move to "Handled Elsewhere" if a non-linux-hardening tree says they are applying the patch.<br />
** Move to "Queued" if a linux-hardening tree applies the patch.<br />
** Move to "Superseded" if a newer version of the same patch has been sent (the patchwork-bot usually does this automatically).<br />
** In rare cases, a patch can be moved to "Rejected", but that is uncommon, as normally review feedback is expected to be acted on.<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=17&q=&archive=&delegate= Handled Elsewhere]: Going via another tree, but not yet in linux-next.<br />
** Move to "In Next" once a patch appears in linux-next (the patchwork-bot usually does this automatically).<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=13&q=&archive=&delegate= Queued]: Going via a linux-hardening tree, but not yet in linux-next.<br />
** Move to "In Next" once a patch appears in linux-next (the patchwork-bot usually does this automatically).<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=8&q=&archive=&delegate= In Next]: In linux-next, but not yet in Linus's tree.<br />
** Move to "Mainlined" once a patch appears in Linus's tree (the patchwork-bot usually does this automatically).<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=11&q=&archive=&delegate= Mainlined]: Done! In Linus's tree.</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Patch_Tracking&diff=4035Kernel Self Protection Project/Patch Tracking2021-10-20T22:11:40Z<p>KeesCook: fix formatting</p>
<hr />
<div>= Overview =<br />
The primary place where [[Kernel_Self_Protection_Project|KSPP]] patches are tracked is through our [https://patchwork.kernel.org/project/linux-hardening/list/ patchwork instance]. This helps collect Reviewed-by, Acked-by, Tested-by, etc, tags in a single place to see status.<br />
<br />
= Process =<br />
<br />
The overview list shows patches that need some kind of work to move through the tracking process:<br />
<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/ Action Needed]: Needs work from someone from the linux-hardening patchwork team.<br />
<br />
The specific "state machine" we use follows this path:<br />
<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=1&q=&archive=&delegate= New]: No activity yet.<br />
** Move to "Under Review" (possibly with a delegate assigned to do the review).<br />
** Move to "Superseded" if a newer version of the same patch has been sent (the patchwork-bot usually does this automatically).<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=2&q=&archive=&delegate= Under Review]: Reviewers need to give feedback on the patch.<br />
** Move to "Changes Requested" if a new version of the patch is needed after review feedback.<br />
** Move to "Handled Elsewhere" if a non-linux-hardening tree says they are applying the patch.<br />
** Move to "Queued" if a linux-hardening tree applies the patch.<br />
** Move to "Superseded" if a newer version of the same patch has been sent (the patchwork-bot usually does this automatically).<br />
** In rare cases, a patch can be moved to "Rejected", but that is uncommon, as normally review feedback is expected to be acted on.<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=17&q=&archive=&delegate= Handled Elsewhere]: Going via another tree, but not yet in linux-next.<br />
** Move to "Awaiting Upstream" once a patch appears in linux-next (the patchwork-bot usually does this automatically).<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=13&q=&archive=&delegate= Queued]: Going via a linux-hardening tree, but not yet in linux-next.<br />
** Move to "Awaiting Upstream" once a patch appears in linux-next (the patchwork-bot usually does this automatically).<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=8&q=&archive=&delegate= Awaiting Upstream]: In linux-next, but not yet in Linus's tree.<br />
** Move to "Mainlined" once a patch appears in Linus's tree (the patchwork-bot usually does this automatically).<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=11&q=&archive=&delegate= Mainlined]: Done! In Linus's tree.</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Patch_Tracking&diff=4034Kernel Self Protection Project/Patch Tracking2021-10-20T22:07:59Z<p>KeesCook: process overview</p>
<hr />
<div>= Overview =<br />
The primary place where patches are tracked is through our [https://patchwork.kernel.org/project/linux-hardening/list/|patchwork instance]. This helps collect Reviewed-by, Acked-by, Tested-by, etc, tags in a single place to see status.<br />
<br />
= Process =<br />
<br />
The overview list shows patches that need some kind of work to move through the tracking process:<br />
<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/|Action Needed]: Needs work from someone from the linux-hardening patchwork team.<br />
<br />
The specific "state machine" we use follows this path:<br />
<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=1&q=&archive=&delegate=|New]: No activity yet.<br />
* Move to "Under Review" (possibly with a delegate assigned to do the review).<br />
* Move to "Superseded" if a newer version of the same patch has been sent (the patchwork-bot usually does this automatically).<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=2&q=&archive=&delegate=|Under Review]: Reviewers need to give feedback on the patch.<br />
* Move to "Changes Requested" if a new version of the patch is needed after review feedback.<br />
* Move to "Handled Elsewhere" if a non-linux-hardening tree says they are applying the patch.<br />
* Move to "Queued" if a linux-hardening tree applies the patch.<br />
* Move to "Superseded" if a newer version of the same patch has been sent (the patchwork-bot usually does this automatically).<br />
* In rare cases, a patch can be moved to "Rejected", but that is uncommon, as normally review feedback is expected to be acted on.<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=17&q=&archive=&delegate=|Handled Elsewhere]: Going via another tree, but not yet in linux-next.<br />
* Move to "Awaiting Upstream" once a patch appears in linux-next (the patchwork-bot usually does this automatically).<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=13&q=&archive=&delegate=|Queued]: Going via a linux-hardening tree, but not yet in linux-next.<br />
* Move to "Awaiting Upstream" once a patch appears in linux-next (the patchwork-bot usually does this automatically).<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=8&q=&archive=&delegate=|Awaiting Upstream]: In linux-next, but not yet in Linus's tree.<br />
* Move to "Mainlined" once a patch appears in Linus's tree (the patchwork-bot usually does this automatically).<br />
* [https://patchwork.kernel.org/project/linux-hardening/list/?series=&submitter=&state=11&q=&archive=&delegate=|Mainlined]: Done! In Linus's tree.</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project&diff=4033Kernel Self Protection Project2021-10-20T21:27:57Z<p>KeesCook: /* Details */</p>
<hr />
<div>= Mission Statement =<br />
<br />
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].<br />
<br />
These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.<br />
<br />
= Principles =<br />
A short list of things to keep in mind when designing self-protection features:<br />
<br />
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.<br />
* Upstream development is evolutionary, not revolutionary, which means it can sometimes take time for features to become fully realized.<br />
* Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws.<br />
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).<br />
<br />
= Details =<br />
<br />
Specific details on the project:<br />
<br />
==== [[Kernel Self Protection Project/Get Involved|Get Involved]] ====<br />
==== [[Kernel Self Protection Project/Work|Areas of Work Needed]] ====<br />
==== [[Kernel Self Protection Project/Recommended_Settings|Recommended Kernel Settings]] ====<br />
==== [[Kernel Self Protection Project/Patch_Tracking|Patch Tracking]] ====<br />
<br />
= Documentation =<br />
<br />
For kernel protections already in upstream (or under active development) that have specific documentation:<br />
<br />
==== [https://www.kernel.org/doc/html/latest/security/self-protection.html Self-Protection Guidelines] ====<br />
==== [[Kernel_Protections/refcount_t|refcount_t]] ====<br />
: Kernel reference counter overflow protection</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project&diff=4032Kernel Self Protection Project2021-10-20T21:27:42Z<p>KeesCook: /* Details */ adding a link to patch tracking process</p>
<hr />
<div>= Mission Statement =<br />
<br />
This project starts with the premise that [https://lwn.net/Articles/410606/ kernel bugs have a very long lifetime], and that the kernel must be designed in ways to protect against these flaws. We must think of [http://lwn.net/Articles/662219/ security beyond fixing bugs]. As a community, we already find and fix individual bugs via static checkers (compiler flags, [http://smatch.sourceforge.net/ smatch], [http://coccinelle.lip6.fr/ coccinelle], [https://scan.coverity.com/projects/linux?tab=overview coverity]) and dynamic checkers (kernel configs, [http://codemonkey.org.uk/projects/trinity/ trinity], [https://www.kernel.org/doc/Documentation/kasan.txt KASan]). Those efforts are important and on-going, but if we want to protect our [http://www.techspot.com/news/57228-google-shows-off-new-version-of-android-announces-1-billion-active-monthly-users.html billion Android phones], our [http://www.zdnet.com/article/2014-the-year-of-the-linux-car/ cars], the [https://training.linuxfoundation.org/why-our-linux-training/training-reviews/linux-foundation-training-prepares-the-international-space-station-for-linux-migration International Space Station], and everything else running Linux, we must get proactive defensive technologies built into the upstream Linux kernel. We need the kernel to [http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf fail safely, instead of just running safely].<br />
<br />
These kinds of protections have existed for years in the [https://pax.grsecurity.net/ PaX] and [https://grsecurity.net/features.php grsecurity] [https://github.com/linux-scraping/linux-grsecurity patches], and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.<br />
<br />
= Principles =<br />
A short list of things to keep in mind when designing self-protection features:<br />
<br />
* Patience and an open mind will be needed. We're all trying to make Linux better, so let's stay focused on the results.<br />
* Upstream development is evolutionary, not revolutionary, which means it can sometimes take time for features to become fully realized.<br />
* Features will be more than finding bugs, and should be active at run-time to catch previously unknown flaws.<br />
* Features will not be developer-"opt-in". When a feature is enabled at build time, it should work for all code built into the kernel (which has the side-effect of also covering out-of-tree code, like in vendor forks).<br />
<br />
= Details =<br />
<br />
Specific details on the project:<br />
<br />
==== [[Kernel Self Protection Project/Get Involved|Get Involved]] ====<br />
==== [[Kernel Self Protection Project/Work|Areas of Work Needed]] ====<br />
==== [[Kernel Self Protection Project/Recommended_Settings|Recommended Kernel Settings]] ====<br />
==== [[Kernel Self Protection Project/Work|Patch Tracking]] ====<br />
<br />
= Documentation =<br />
<br />
For kernel protections already in upstream (or under active development) that have specific documentation:<br />
<br />
==== [https://www.kernel.org/doc/html/latest/security/self-protection.html Self-Protection Guidelines] ====<br />
==== [[Kernel_Protections/refcount_t|refcount_t]] ====<br />
: Kernel reference counter overflow protection</div>KeesCookhttps://kernsec.org/wiki/index.php?title=KSPP&diff=4029KSPP2021-08-12T18:10:42Z<p>KeesCook: add shortened redirect page</p>
<hr />
<div>#REDIRECT [[Kernel Self Protection Project]]</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Get_Involved&diff=4028Kernel Self Protection Project/Get Involved2021-05-27T05:35:58Z<p>KeesCook: ditch freenode</p>
<hr />
<div>Want to get involved in the [[Kernel Self Protection Project]]? Here's how:<br />
<br />
= Join the conversations =<br />
<br />
* Subscribe to the [http://vger.kernel.org/vger-lists.html#linux-hardening '''upstream''' Linux kernel hardening mailing list], <code>'''linux'''-hardening@vger.kernel.org</code>, where development, maintenance, and administrivia happen. (And visit the [https://lore.kernel.org/linux-hardening/ list archive].)<br />
* Subscribe to the [https://www.openwall.com/lists/kernel-hardening/ '''general''' Linux kernel hardening mailing list], <code>'''kernel'''-hardening@lists.openwall.com</code>, where new hardening topics and summaries of completed work are discussed. (And visit the [https://lore.kernel.org/kernel-hardening/ list archive].)<br />
** Note: when sending to <code>kernel-hardening@lists.openwall.com</code>, please also CC <code>linux-hardening@vger.kernel.org</code> too.<br />
* (Optional) Join the <code>#linux-hardening</code> IRC channel on [https://libera.chat/ Libera.Chat].<br />
<br />
= Introduce Yourself =<br />
<br />
Send an email to the lists to introduce yourself!<br />
<br />
* What topics are you interested in?<br />
* What do you want to learn about?<br />
* What experience do you have with security, the kernel, programming, or anything else you think is important?<br />
<br />
= Pick something to work on =<br />
<br />
Pick something from the [https://github.com/KSPP/linux/issues issue tracker] (or add a new one), coordinate on the mailing lists, and get started. If your employer is brave enough to understand how critical this work is, they'll pay you to work on it. If not, the [https://www.linuxfoundation.org/ Linux Foundation]'s [https://www.coreinfrastructure.org/faq Core Infrastructure Initiative] is in a great position to fund specific work proposals. We need kernel developers, compiler developers, testers, backporters, and documentation writers.<br />
<br />
= Contribute patches =<br />
<br />
Please send new topics and patch series to both [http://vger.kernel.org/vger-lists.html#linux-hardening linux-hardening@vger.kernel.org] and [https://www.openwall.com/lists/kernel-hardening kernel-hardening@lists.openwall.com] for the widest audience possible.<br />
<br />
When contributing patches for the Linux kernel, be sure to follow the Linux kernel [https://www.kernel.org/doc/html/latest/process/coding-style.html Coding Style Guide] and read about [https://www.kernel.org/doc/html/latest/process/submitting-patches.html Submitting Patches]. Even if you're only sending your patches to the mailing lists for some early review, it's best to get as much of the coding style and submission semantics correct to avoid reviewers needing to recommend changes in those areas.<br />
<br />
== grsecurity and other non-upstream patch sources ==<br />
<br />
As with any other Free Software project, it is particularly important, if you're working on upstreaming work from other projects, to be sure that your patches give credit to the original authors, that licenses are compatible, that copyright notices are retained, etc.<br />
<br />
In the case of new files, or other places where a copyright notice would be expected to be added, be sure to retain all copyright notices from the other project. This may require some examination of commit history. For example, [https://github.com/linux-scraping/linux-grsecurity/blob/grsec-test/grsecurity/Makefile#L3 grsecurity's copyright notice from their most recent public patch] does not include PaX Team's copyright notice, which is only listed in the patch for GCC plugins. For grsecurity copyright, when more specific details are not easy to find, the following could be used:<br />
<br />
Copyright (C) 2001-2017 PaX Team, Bradley Spengler, Open Source Security Inc.<br />
<br />
Additionally, grsecurity has asked that contributors include this in commit messages for non-trivial code ported from grsecurity:<br />
<br />
$CODE is {verbatim,modified} from Brad Spengler/PaX Team's code in the last<br />
public patch of grsecurity/PaX based on my understanding of the code. Changes<br />
or omissions from the original code are mine and don't reflect the original<br />
grsecurity/PaX code.</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4027Kernel Self Protection Project/Recommended Settings2021-04-05T23:14:26Z<p>KeesCook: /* x86_32 */</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Instead of "slub_debug=P" and "page_poison=1", a single place can control memory allocation wiping now.<br />
# The init_on_free is only needed if there is concern about minimizing stale data lifetime.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, assists heap memory attacks; best to keep interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot devices immediately if kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, at least modules must be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
<br />
# Randomize the layout of system structures. This may have dramatic performance impact, so<br />
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace; remove it as a possible target.<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional attack surface, unless you really need them.<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyper-threading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCookhttps://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&diff=4026Kernel Self Protection Project/Recommended Settings2021-04-05T23:14:07Z<p>KeesCook: /* x86_64 */</p>
<hr />
<div>Sometimes people ask the [[Kernel Self Protection Project]] what a secure set of build CONFIGs and runtime settings are. This is a brain-dump of the various options for a particularly paranoid system.<br />
<br />
Another place to find recommended kernel hardening settings is via the "[https://github.com/a13xp0p0v/kconfig-hardened-check/ kconfig-hardened-check]" tool maintained by Alexander Popov.<br />
<br />
<br />
= CONFIGs =<br />
<br />
# Report BUG() conditions and kill the offending process.<br />
CONFIG_BUG=y<br />
<br />
# Make sure kernel page tables have safe permissions.<br />
CONFIG_DEBUG_KERNEL=y (prior to v4.11, needed to select CONFIG_DEBUG_RODATA below)<br />
CONFIG_DEBUG_RODATA=y (prior to v4.11)<br />
CONFIG_STRICT_KERNEL_RWX=y (since v4.11)<br />
<br />
# Report any dangerous memory permissions (not available on all archs).<br />
CONFIG_DEBUG_WX=y<br />
<br />
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.<br />
# Prior to v4.18, these are:<br />
# CONFIG_CC_STACKPROTECTOR=y<br />
# CONFIG_CC_STACKPROTECTOR_STRONG=y<br />
CONFIG_STACKPROTECTOR=y<br />
CONFIG_STACKPROTECTOR_STRONG=y<br />
<br />
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)<br />
# CONFIG_DEVMEM is not set<br />
CONFIG_STRICT_DEVMEM=y<br />
CONFIG_IO_STRICT_DEVMEM=y<br />
<br />
# Provides some protections against SYN flooding.<br />
CONFIG_SYN_COOKIES=y<br />
<br />
# Perform additional validation of various commonly targeted structures.<br />
CONFIG_DEBUG_CREDENTIALS=y<br />
CONFIG_DEBUG_NOTIFIERS=y<br />
CONFIG_DEBUG_LIST=y<br />
CONFIG_DEBUG_SG=y<br />
CONFIG_BUG_ON_DATA_CORRUPTION=y<br />
CONFIG_SCHED_STACK_END_CHECK=y<br />
<br />
# Provide userspace with seccomp BPF API for syscall attack surface reduction.<br />
CONFIG_SECCOMP=y<br />
CONFIG_SECCOMP_FILTER=y<br />
<br />
# Provide userspace with ptrace ancestry protections.<br />
CONFIG_SECURITY=y<br />
CONFIG_SECURITY_YAMA=y<br />
<br />
# Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)<br />
CONFIG_HARDENED_USERCOPY=y<br />
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set<br />
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set<br />
<br />
# Randomize allocator freelists, harden metadata.<br />
CONFIG_SLAB_FREELIST_RANDOM=y<br />
CONFIG_SLAB_FREELIST_HARDENED=y<br />
<br />
# Randomize high-order page allocation freelist.<br />
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y<br />
<br />
# Allow allocator validation checking to be enabled (see "slub_debug=P" below).<br />
CONFIG_SLUB_DEBUG=y<br />
<br />
# Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).<br />
# (If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)<br />
CONFIG_PAGE_POISONING=y<br />
CONFIG_PAGE_POISONING_NO_SANITY=y<br />
CONFIG_PAGE_POISONING_ZERO=y<br />
<br />
# Wipe slab and page allocations (since v5.3)<br />
# Memory allocation wiping can now be controlled from a single place, instead of via "slub_debug=P" and "page_poison=1".<br />
# The init_on_free setting is only needed if minimizing the lifetime of stale data is a concern.<br />
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y<br />
CONFIG_INIT_ON_FREE_DEFAULT_ON=y<br />
<br />
# Initialize all stack variables on function entry. (Clang builds only. For GCC, see CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y below)<br />
CONFIG_INIT_STACK_ALL=y<br />
<br />
# Adds guard pages to kernel stacks (not all architectures support this yet).<br />
CONFIG_VMAP_STACK=y<br />
<br />
# Perform extensive checks on reference counting.<br />
CONFIG_REFCOUNT_FULL=y<br />
<br />
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.<br />
CONFIG_FORTIFY_SOURCE=y<br />
<br />
# Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1)<br />
CONFIG_SECURITY_DMESG_RESTRICT=y<br />
<br />
# Dangerous; enabling this allows direct physical memory writing.<br />
# CONFIG_ACPI_CUSTOM_METHOD is not set<br />
<br />
# Dangerous; enabling this disables brk ASLR.<br />
# CONFIG_COMPAT_BRK is not set<br />
<br />
# Dangerous; enabling this allows direct kernel memory writing.<br />
# CONFIG_DEVKMEM is not set<br />
<br />
# Dangerous; exposes kernel text image layout.<br />
# CONFIG_PROC_KCORE is not set<br />
<br />
# Dangerous; enabling this disables VDSO ASLR.<br />
# CONFIG_COMPAT_VDSO is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_KEXEC is not set<br />
<br />
# Dangerous; enabling this allows replacement of running kernel.<br />
# CONFIG_HIBERNATION is not set<br />
<br />
# Prior to v4.1, this assisted heap memory attacks; best to keep the interface disabled.<br />
# CONFIG_INET_DIAG is not set<br />
<br />
# Easily confused by misconfigured userspace, keep off.<br />
# CONFIG_BINFMT_MISC is not set<br />
<br />
# Use the modern PTY interface (devpts) only.<br />
# CONFIG_LEGACY_PTYS is not set<br />
<br />
# If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.<br />
# CONFIG_SECURITY_SELINUX_DISABLE is not set<br />
<br />
# Reboot the device immediately if the kernel experiences an Oops.<br />
CONFIG_PANIC_ON_OOPS=y<br />
CONFIG_PANIC_TIMEOUT=-1<br />
<br />
# Keep root from altering kernel memory via loadable modules.<br />
# CONFIG_MODULES is not set<br />
<br />
# But if CONFIG_MODULES=y is needed, modules must at least be signed with a per-build key.<br />
CONFIG_DEBUG_SET_MODULE_RONX=y (prior to v4.11)<br />
CONFIG_STRICT_MODULE_RWX=y (since v4.11)<br />
CONFIG_MODULE_SIG=y<br />
CONFIG_MODULE_SIG_FORCE=y<br />
CONFIG_MODULE_SIG_ALL=y<br />
CONFIG_MODULE_SIG_SHA512=y<br />
CONFIG_MODULE_SIG_HASH="sha512"<br />
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"<br />
<br />
== GCC plugins ==<br />
<br />
# Enable GCC Plugins<br />
CONFIG_GCC_PLUGINS=y<br />
<br />
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.<br />
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y<br />
<br />
# Force all structures to be initialized before they are passed to other functions.<br />
# When building with GCC:<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK=y<br />
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y<br />
<br />
# Wipe stack contents on syscall exit (reduces stale data lifetime in stack)<br />
CONFIG_GCC_PLUGIN_STACKLEAK=y<br />
<br />
# Randomize the layout of system structures. This may have a dramatic performance impact, so<br />
# use with caution, or also enable CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y<br />
CONFIG_GCC_PLUGIN_RANDSTRUCT=y<br />
<br />
== x86_64 ==<br />
<br />
# Full 64-bit means PAE and NX bit.<br />
CONFIG_X86_64=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Disable Model-Specific Register writes.<br />
# CONFIG_X86_MSR is not set<br />
<br />
# Randomize position of kernel and memory.<br />
CONFIG_RANDOMIZE_BASE=y<br />
CONFIG_RANDOMIZE_MEMORY=y<br />
<br />
# Modern libc no longer needs a fixed-position mapping in userspace; remove it as a possible target.<br />
CONFIG_LEGACY_VSYSCALL_NONE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Remove additional attack surface, unless you really need them.<br />
# CONFIG_IA32_EMULATION is not set<br />
# CONFIG_X86_X32 is not set<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm64 ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# Randomize position of kernel (requires UEFI RNG or bootloader support for /chosen/kaslr-seed DT property).<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Make sure PAN emulation is enabled.<br />
CONFIG_ARM64_SW_TTBR0_PAN=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_UNMAP_KERNEL_AT_EL0=y<br />
<br />
== x86_32 ==<br />
<br />
# On 32-bit kernels, require PAE for NX bit support.<br />
# CONFIG_M486 is not set<br />
# CONFIG_HIGHMEM4G is not set<br />
CONFIG_HIGHMEM64G=y<br />
CONFIG_X86_PAE=y<br />
<br />
# Disallow allocating the first 64k of memory.<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536<br />
<br />
# Randomize position of kernel.<br />
CONFIG_RANDOMIZE_BASE=y<br />
<br />
# Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.<br />
CONFIG_PAGE_TABLE_ISOLATION=y<br />
<br />
# Don't allow for 16-bit program emulation and associated LDT tricks.<br />
# CONFIG_MODIFY_LDT_SYSCALL is not set<br />
<br />
== arm ==<br />
<br />
# Disallow allocating the first 32k of memory (cannot be 64k due to ARM loader).<br />
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768<br />
<br />
# For maximal userspace memory area (and maximum ASLR).<br />
CONFIG_VMSPLIT_3G=y<br />
<br />
# If building an old out-of-tree Qualcomm kernel, this is similar to CONFIG_STRICT_KERNEL_RWX.<br />
CONFIG_STRICT_MEMORY_RWX=y<br />
<br />
# Make sure PXN/PAN emulation is enabled.<br />
CONFIG_CPU_SW_DOMAIN_PAN=y<br />
<br />
# Dangerous; old interfaces and needless additional attack surface.<br />
# CONFIG_OABI_COMPAT is not set<br />
<br />
= kernel command line options =<br />
<br />
<br />
# Wipe slab and page allocations (Since v5.3; supersedes "slub_debug=P" and "page_poison=1" below)<br />
# See CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y above.<br />
init_on_alloc=1<br />
init_on_free=1<br />
<br />
# Disable slab merging (makes many heap overflow attacks more difficult).<br />
slab_nomerge<br />
<br />
# Always enable Kernel Page Table Isolation, even if the CPU claims it is safe from Meltdown.<br />
pti=on<br />
<br />
# To protect against L1TF, at the cost of losing hyperthreading ('''slow''').<br />
nosmt<br />
<br />
# Enable SLUB redzoning and sanity checking ('''slow'''; requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=ZF<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable slub/slab allocator free poisoning (requires CONFIG_SLUB_DEBUG=y above).<br />
slub_debug=P<br />
<br />
# (Before v5.3 without "init_on_free=1") Enable buddy allocator free poisoning (requires CONFIG_PAGE_POISONING=y above).<br />
page_poison=1<br />
<br />
== x86_64 ==<br />
<br />
# Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.<br />
# (Same as CONFIG_LEGACY_VSYSCALL_NONE=y above.)<br />
vsyscall=none<br />
<br />
= sysctls =<br />
<br />
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). (There is [https://lore.kernel.org/lkml/20101217164431.08f3e730.akpm@linux-foundation.org/ no CONFIG] for changing the initial value.)<br />
kernel.kptr_restrict = 1<br />
<br />
# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).<br />
kernel.dmesg_restrict = 1<br />
<br />
# Block non-uid-0 profiling (needs [https://patchwork.kernel.org/patch/9249919/ distro patch], otherwise this is the same as "= 2")<br />
kernel.perf_event_paranoid = 3<br />
<br />
# Turn off kexec, even if it's built in.<br />
kernel.kexec_load_disabled = 1<br />
<br />
# Avoid non-ancestor ptrace access to running processes and their credentials.<br />
kernel.yama.ptrace_scope = 1<br />
<br />
# Disable User Namespaces, as they open up a large attack surface to unprivileged users.<br />
user.max_user_namespaces = 0<br />
<br />
# Turn off unprivileged eBPF access.<br />
kernel.unprivileged_bpf_disabled = 1<br />
<br />
# Turn on BPF JIT hardening, if the JIT is enabled.<br />
net.core.bpf_jit_harden = 2</div>KeesCook