Closed a13xp0p0v closed 2 weeks ago
Thanks for the report!
I've fixed the typos in 1) and 2).
I've updated the MITIGATION names in 3. Since RANDSTRUCT is available in Clang too, I've updated the location of that mitigation out of the GCC plugins section and updated the configs.
I've added CONFIG_IOMMU_DEFAULT_PASSTHROUGH disabling.
Thanks again!
@kees, there is one extra CONFIG_PAGE_TABLE_ISOLATION for the x86_32, which should be fixed.
Thanks!
Ah, there is one extra aspect.
The CONFIG_PAGE_POISONING* recommendations should be updated.
CONFIG_PAGE_POISONING_ZERO was removed in v5.11.
Starting from v5.11, CONFIG_PAGE_POISONING unconditionally checks the 0xAA poison pattern on allocation. That brings a higher performance penalty and may not be necessary for kernel self-protection.
What about recommending CONFIG_INIT_ON_FREE_DEFAULT_ON (introduced in v5.3) or CONFIG_PAGE_POISONING_ZERO for older kernels?
Hello!
Let me offer some fixes for the KSPP Recommended Settings:
- The / symbol should be changed to . in these sysctls (maybe it's a typo):
- The kernel.disable_modules sysctl should be changed to kernel.modules_disabled (maybe it's a typo)
- CONFIG_IOMMU_DEFAULT_PASSTHROUGH can be added as an alternative of iommu.passthrough=0
Thanks a lot! Best regards, Alexander
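An added example, not code from the KSPP wiki or from this issue, that turns the points raised in this thread into checks over constructed sample inputs: the kernel.modules_disabled sysctl name, CONFIG_IOMMU_DEFAULT_PASSTHROUGH versus iommu.passthrough=0, and the kernel-version-dependent choice between CONFIG_INIT_ON_FREE_DEFAULT_ON (v5.3+) and CONFIG_PAGE_POISONING_ZERO for older kernels. The helper names and the sample config, sysctl and cmdline text are my own assumptions.

```shell
#!/bin/sh
# Added example (not from KSPP or this issue). Constructed sample inputs so it
# runs offline; on a real host they would come from /boot/config-$(uname -r),
# "sysctl -a" and /proc/cmdline.
SAMPLE_KVER=5.12
SAMPLE_CONFIG='CONFIG_PAGE_POISONING=y
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
CONFIG_RANDSTRUCT=y'
SAMPLE_SYSCTL='kernel.modules_disabled = 0
kernel.kptr_restrict = 2'
SAMPLE_CMDLINE='root=/dev/sda1 ro quiet'

# has_option NAME CONFIG_TEXT: true when an exact "NAME=y" line is present.
has_option() { printf '%s\n' "$2" | grep -qx "$1=y"; }

# sysctl_value NAME SYSCTL_TEXT: prints the value after "NAME = ".
sysctl_value() { printf '%s\n' "$2" | sed -n "s/^$1 *= *//p"; }

# version_ge A B: true when major.minor version A >= B.
version_ge() {
  am=${1%%.*}; an=${1#*.}; bm=${2%%.*}; bn=${2#*.}
  if [ "$am" -gt "$bm" ]; then return 0; fi
  if [ "$am" -eq "$bm" ] && [ "$an" -ge "$bn" ]; then return 0; fi
  return 1
}

# memory_wipe_advice KVER CONFIG_TEXT: which freed-memory wiping option to
# recommend, following the thread: INIT_ON_FREE_DEFAULT_ON from v5.3 on
# (PAGE_POISONING_ZERO is gone in v5.11), PAGE_POISONING_ZERO before that.
memory_wipe_advice() {
  if version_ge "$1" 5.3; then want=CONFIG_INIT_ON_FREE_DEFAULT_ON
  else want=CONFIG_PAGE_POISONING_ZERO; fi
  if has_option "$want" "$2"; then echo ok; else echo "enable $want"; fi
}

# check_kernel KVER CONFIG_TEXT SYSCTL_TEXT CMDLINE: prints one finding per line.
check_kernel() {
  advice=$(memory_wipe_advice "$1" "$2")
  [ "$advice" = ok ] || echo "$advice"
  if [ "$(sysctl_value kernel.modules_disabled "$3")" != 1 ]; then
    echo "set kernel.modules_disabled=1 (note: not kernel.disable_modules)"
  fi
  # IOMMU passthrough is off if either the Kconfig or the boot cmdline says so.
  case " $4 " in *" iommu.passthrough=0 "*) return 0 ;; esac
  if has_option CONFIG_IOMMU_DEFAULT_PASSTHROUGH "$2"; then
    echo "disable CONFIG_IOMMU_DEFAULT_PASSTHROUGH or boot with iommu.passthrough=0"
  fi
}

check_kernel "$SAMPLE_KVER" "$SAMPLE_CONFIG" "$SAMPLE_SYSCTL" "$SAMPLE_CMDLINE"
```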