From f05a3ccf1e4258ac5c9b36cdd2d4b0a3484be409 Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Sat, 25 Oct 2025 19:51:05 +0300
Subject: [PATCH 1/9] Improve the comments the CONFIG_LSM list
---
 Recommended_Settings.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/Recommended_Settings.md b/Recommended_Settings.md
index 5a515af..9fc415f 100644
--- a/Recommended_Settings.md
+++ b/Recommended_Settings.md
@@ -60,12 +60,12 @@ CONFIG_SECCOMP_FILTER=y
 # CONFIG_LDISC_AUTOLOAD is not set
 # Provide userspace with ptrace ancestry protections.
-# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list.
+# Make sure that "yama" is also present in the CONFIG_LSM="yama,..." list.
 CONFIG_SECURITY=y
 CONFIG_SECURITY_YAMA=y
 # Provide userspace with Landlock MAC interface.
-# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list.
+# Make sure that "landlock" is also present in the CONFIG_LSM="landlock,..." list.
 CONFIG_SECURITY_LANDLOCK=y
 # Make sure SELinux cannot be disabled trivially.
@@ -75,6 +75,7 @@ CONFIG_SECURITY_LANDLOCK=y
 # CONFIG_SECURITY_WRITABLE_HOOKS is not set
 # Enable "lockdown" LSM for bright line between the root user and kernel memory.
+# Make sure that "lockdown" is also present in the CONFIG_LSM="lockdown,..." list.
 CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
From cae4c4061fe6097b476cf4c6b5844f506e6fcbf2 Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Sat, 25 Oct 2025 19:56:40 +0300
Subject: [PATCH 2/9] Add CONFIG_HARDENED_USERCOPY_DEFAULT_ON
---
 Recommended_Settings.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Recommended_Settings.md b/Recommended_Settings.md
index 9fc415f..f90147a 100644
--- a/Recommended_Settings.md
+++ b/Recommended_Settings.md
@@ -82,6 +82,7 @@ CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
 # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.)
 CONFIG_HARDENED_USERCOPY=y
+CONFIG_HARDENED_USERCOPY_DEFAULT_ON=y
 # CONFIG_HARDENED_USERCOPY_FALLBACK is not set
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
From ffce5da1823fc20ce1f93ec0046d3a0f529aad15 Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Sat, 25 Oct 2025 20:25:54 +0300
Subject: [PATCH 3/9] Add CONFIG_CFI_AUTO_DEFAULT
---
 Recommended_Settings.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Recommended_Settings.md b/Recommended_Settings.md
index f90147a..b3b3ada 100644
--- a/Recommended_Settings.md
+++ b/Recommended_Settings.md
@@ -319,6 +319,9 @@ CONFIG_MITIGATION_SLS=y
 CONFIG_CFI_CLANG=y
 # CONFIG_CFI_PERMISSIVE is not set
+# Use KCFI instead of FineIBT (see the "cfi" command line parameter below)
+# CONFIG_CFI_AUTO_DEFAULT is not set
+
 # Dangerous; enabling this disables vDSO ASLR on X86_64 and X86_32.
 # On ARM64 this option has different meaning.
 # CONFIG_COMPAT_VDSO is not set
From c8f8daaea56378fa45a3afc228c45ae17eeee6d1 Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Sat, 25 Oct 2025 20:41:08 +0300
Subject: [PATCH 4/9] Update the STACKLEAK name
---
 Recommended_Settings.md | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/Recommended_Settings.md b/Recommended_Settings.md
index b3b3ada..4ffd4d8 100644
--- a/Recommended_Settings.md
+++ b/Recommended_Settings.md
@@ -264,9 +264,12 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK=y
 CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
 # Wipe stack contents on syscall exit (reduces stale data lifetime in stack)
-CONFIG_GCC_PLUGIN_STACKLEAK=y
-# CONFIG_STACKLEAK_METRICS is not set
-# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set
+CONFIG_GCC_PLUGIN_STACKLEAK=y (prior to v6.17)
+# CONFIG_STACKLEAK_METRICS is not set (prior to v6.17)
+# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set (prior to v6.17)
+CONFIG_KSTACK_ERASE=y (since v6.17)
+# CONFIG_KSTACK_ERASE_METRICS is not set (since v6.17)
+# CONFIG_KSTACK_ERASE_RUNTIME_DISABLE is not set (since v6.17)
 ```
 ## x86_64
From 4ef038918cfab71dfb913d7b91bb67c770f32e1c Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Sat, 25 Oct 2025 21:03:02 +0300
Subject: [PATCH 5/9] Update the name of CONFIG_DEBUG_WX on ARM
It was renamed in the commit a90f0a02f139a13d3c26dd20644b50fc731f17da.
---
 Recommended_Settings.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/Recommended_Settings.md b/Recommended_Settings.md
index 4ffd4d8..f9ef1a2 100644
--- a/Recommended_Settings.md
+++ b/Recommended_Settings.md
@@ -422,6 +422,10 @@ CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set
+
+# Report any dangerous memory permissions
+# (this feature is called CONFIG_DEBUG_WX on other archs).
+CONFIG_ARM_DEBUG_WX=y
 ```
 # kernel command line options
From 80f9bca12142f0ce56582b32782f633ab6ea77f3 Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Sun, 26 Oct 2025 00:28:28 +0300
Subject: [PATCH 6/9] Mention that not all architectures support CONFIG_PAGE_TABLE_CHECK yet
For example, arm and x86_32 don't support it.
---
 Recommended_Settings.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Recommended_Settings.md b/Recommended_Settings.md
index f9ef1a2..c0894a5 100644
--- a/Recommended_Settings.md
+++ b/Recommended_Settings.md
@@ -98,7 +98,7 @@ CONFIG_RANDOM_KMALLOC_CACHES=y
 # the "page_alloc.shuffle=1" command line below).
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
-# Sanity check userspace page table mappings (since v5.17)
+# Sanity check userspace page table mappings (since v5.17, not all architectures support this yet).
 CONFIG_PAGE_TABLE_CHECK=y
 CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
From 42d36e273419ff019b713aa329311eb111498f75 Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Sun, 26 Oct 2025 00:30:29 +0300
Subject: [PATCH 7/9] Mention that not all architectures support CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT yet
For example, arm doesn't support it.
---
 Recommended_Settings.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Recommended_Settings.md b/Recommended_Settings.md
index c0894a5..4e543cf 100644
--- a/Recommended_Settings.md
+++ b/Recommended_Settings.md
@@ -150,7 +150,7 @@ CONFIG_UBSAN_LOCAL_BOUNDS=y
 CONFIG_KFENCE=y
 CONFIG_KFENCE_SAMPLE_INTERVAL=100
-# Randomize kernel stack offset on syscall entry (since v5.13).
+# Randomize kernel stack offset on syscall entry (since v5.13, not all architectures support this yet).
 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
 # Do not ignore compile-time warnings (since v5.15)
From f869713a2a5b0c28d0685714f285a5da935f1e31 Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Sun, 26 Oct 2025 00:33:01 +0300
Subject: [PATCH 8/9] Update the CONFIG_HIGHMEM64G recommendation
The commit bbeb69ce301323e84f1677484eb8e4cd8fb1f9f8 in Linux v6.15 removed CONFIG_HIGHMEM64G support.
---
 Recommended_Settings.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Recommended_Settings.md b/Recommended_Settings.md
index 4e543cf..acad30e 100644
--- a/Recommended_Settings.md
+++ b/Recommended_Settings.md
@@ -377,9 +377,9 @@ CONFIG_CFI_CLANG=y
 ```
 # On 32-bit kernels, require PAE for NX bit support.
 # CONFIG_M486 is not set
-# CONFIG_HIGHMEM4G is not set
-CONFIG_HIGHMEM64G=y
 CONFIG_X86_PAE=y
+CONFIG_HIGHMEM64G=y (prior to v6.15)
+CONFIG_HIGHMEM4G=y (since v6.15)
 # Disallow allocating the first 64k of memory.
 CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
From f63dc8c9d88a89c5ee1bfbccfae5918837e01c47 Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Sun, 26 Oct 2025 01:06:16 +0300
Subject: [PATCH 9/9] Add CONFIG_UBSAN_INTEGER_WRAP
Let's check it together with the old version CONFIG_UBSAN_SIGNED_WRAP.
---
 Recommended_Settings.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Recommended_Settings.md b/Recommended_Settings.md
index acad30e..aeabf3f 100644
--- a/Recommended_Settings.md
+++ b/Recommended_Settings.md
@@ -140,6 +140,7 @@ CONFIG_UBSAN_SANITIZE_ALL=y
 # CONFIG_UBSAN_DIV_ZERO is not set
 # CONFIG_UBSAN_UNREACHABLE is not set
 # CONFIG_UBSAN_SIGNED_WRAP is not set
+# CONFIG_UBSAN_INTEGER_WRAP is not set
 # CONFIG_UBSAN_BOOL is not set
 # CONFIG_UBSAN_ENUM is not set
 # CONFIG_UBSAN_ALIGNMENT is not set