kees
commented
3 months ago Hi! Thanks for the recommendations. I've finally managed to port all of the wiki over to github pages, so the recommended settings are now here:
https://kspp.github.io/Recommended_Settings
From there it should now be possible to do edits and suggest PRs, etc. Wheee. Do you want to take a stab at being the first PR?
a13xp0p0v
Hello!
1) There is one extra
CONFIG_PAGE_TABLE_ISOLATIONfor thex86_32, which should be changed to the newCONFIG_MITIGATION_PAGE_TABLE_ISOLATION.2) The
CONFIG_PAGE_POISONING*recommendations should be updated. Starting from v5.11,CONFIG_PAGE_POISONINGunconditionally checks the0xAApoison pattern on allocation. That brings higher performance penalty and maybe not necessary for kernel self protection. What about recommendingCONFIG_INIT_ON_FREE_DEFAULT_ON(introduced in v5.3) for new kernels orCONFIG_PAGE_POISONING_ZERO(removed in v5.11) for older kernels?3) There is a
kfence.sample_intervalboot parameter. It should not be zero, similarly toCONFIG_KFENCE_SAMPLE_INTERVAL, which is recommended by the KSPP.4)
CONFIG_COMPAT_VDSOdisabled ASLR of vDSO only onX86_64andX86_32. On ARM64 this option has different meaning. So this recommendation should be moved to arch-specific part.Thanks!