KSPP / linux

Linux kernel source tree (Kernel Self Protection Project)
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

Some fixes for the KSPP documentation #362

Closed a13xp0p0v closed 2 weeks ago

a13xp0p0v commented 3 weeks ago

Hello!

Let me offer some fixes for the KSPP Recommended Settings:

  1. The / symbol should be changed to . in these sysctls (maybe it's a typo):
    kernel/warn_limit = 1
    kernel/oops_limit = 1
  2. The kernel.disable_modules sysctl should be changed to kernel.modules_disabled (maybe it's a typo)
  3. Some mitigations now have new names:
    CONFIG_MITIGATION_PAGE_TABLE_ISOLATION
    CONFIG_MITIGATION_SLS
    CONFIG_RANDSTRUCT_FULL
    CONFIG_RANDSTRUCT_PERFORMANCE
  4. Disabling CONFIG_IOMMU_DEFAULT_PASSTHROUGH can be added as an alternative to iommu.passthrough=0

Thanks a lot! Best regards, Alexander

kees commented 2 weeks ago

Thanks for the report!

I've fixed the typos in 1) and 2).

I've updated the MITIGATION names in 3. Since RANDSTRUCT is available in Clang too, I've updated the location of that mitigation out of the GCC plugins section and updated the configs.

I've added CONFIG_IOMMU_DEFAULT_PASSTHROUGH disabling.

Thanks again!

a13xp0p0v commented 2 weeks ago

@kees, there is one extra CONFIG_PAGE_TABLE_ISOLATION for the x86_32, which should be fixed.

Thanks!

a13xp0p0v commented 2 weeks ago

Ah, there is one extra aspect.

The CONFIG_PAGE_POISONING* recommendations should be updated. CONFIG_PAGE_POISONING_ZERO was removed in v5.11. Starting from v5.11, CONFIG_PAGE_POISONING unconditionally checks the 0xAA poison pattern on allocation. That brings a higher performance penalty and may not be necessary for kernel self-protection.

What about recommending CONFIG_INIT_ON_FREE_DEFAULT_ON (introduced in v5.3) or CONFIG_PAGE_POISONING_ZERO for older kernels?
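A compliance check for the settings discussed in this thread (the sysctls and renamed mitigations from the first post, the CONFIG_IOMMU_DEFAULT_PASSTHROUGH change, and the CONFIG_INIT_ON_FREE_DEFAULT_ON suggestion above), added here as an example that is not part of the issue or of the KSPP project's own tooling. The function names, the constructed sample .config and the fake /proc tree are assumptions, as is treating CONFIG_RANDSTRUCT_FULL as the wanted RANDSTRUCT variant.

```shell
#!/bin/sh
# Added example (assumed helper names): compare a kernel .config and live
# sysctl values against the settings named in this KSPP issue thread.

# want_cfg FILE OPTION y|n : prints a line when FILE does not match.
want_cfg() {
    if grep -q "^$2=y\$" "$1"; then have=y; else have=n; fi
    [ "$have" = "$3" ] || echo "MISMATCH $2: have $have, want $3"
}

# want_sysctl ROOT KEY VALUE : KEY is the dotted form (kernel.oops_limit);
# each dot maps to a path component under ROOT/proc/sys.
want_sysctl() {
    path="$1/proc/sys/$(echo "$2" | tr . /)"
    have=$(cat "$path" 2>/dev/null || echo missing)
    [ "$have" = "$3" ] || echo "MISMATCH $2: have $have, want $3"
}

# kspp_check CONFIG ROOT : one line per deviation from the thread's settings.
kspp_check() {
    want_cfg "$1" CONFIG_MITIGATION_PAGE_TABLE_ISOLATION y
    want_cfg "$1" CONFIG_MITIGATION_SLS y
    want_cfg "$1" CONFIG_RANDSTRUCT_FULL y
    want_cfg "$1" CONFIG_IOMMU_DEFAULT_PASSTHROUGH n
    want_cfg "$1" CONFIG_INIT_ON_FREE_DEFAULT_ON y
    want_sysctl "$2" kernel.warn_limit 1
    want_sysctl "$2" kernel.oops_limit 1
    want_sysctl "$2" kernel.modules_disabled 1
}

# kspp_mismatches CONFIG ROOT : number of deviations (0 means compliant).
kspp_mismatches() { kspp_check "$1" "$2" | wc -l | tr -d ' '; }

# Constructed sample: a partial .config and a fake /proc tree so this runs
# offline. On a real host use /boot/config-$(uname -r) and ROOT=/ instead.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/config" <<'EOF'
CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y
CONFIG_MITIGATION_SLS=y
# CONFIG_RANDSTRUCT_FULL is not set
CONFIG_IOMMU_DEFAULT_PASSTHROUGH=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
EOF
mkdir -p "$SAMPLE/proc/sys/kernel"
echo 1 > "$SAMPLE/proc/sys/kernel/warn_limit"
echo 1 > "$SAMPLE/proc/sys/kernel/oops_limit"
echo 0 > "$SAMPLE/proc/sys/kernel/modules_disabled"

kspp_check "$SAMPLE/config" "$SAMPLE"   # prints 3 MISMATCH lines for the sample
```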