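-- This configuration file is licensed under the CC0 license.
-- Do whatever you want with it.
--
-- This is an example of how to use autokernel's capabilities for a hardening module.
-- It is designed to harden many aspects of the kernel based on choices
-- taken from several projects:
--
-- - [KSPP](https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings)
-- - [CLIP OS](https://docs.clip-os.org/clipos/kernel.html#configuration)
-- - [kconfig-hardened-check](https://github.com/a13xp0p0v/kconfig-hardened-check)
--
-- After including this module be sure to set MODULE_SIG_KEY "path/to/signing_key.pem".
-- In practice, this module should be modularized further.
--
-- NOTE(review): the version gates below were written against kernels up to the
-- 5.x series. Newer kernels have dropped or renamed some of these symbols, so
-- check them against the Kconfig of the kernel you actually build. An unknown
-- symbol is a loud failure, which is preferable to a silently weaker config.

-- Kernel command line assembled by this module: one parameter per add_cmdline()
-- call, separated by single spaces (no leading space). It is handed to
-- CMDLINE() at the end of the file.
local cmdline = ""
local function add_cmdline(opt)
  if cmdline ~= "" then
    cmdline = cmdline .. " "
  end
  cmdline = cmdline .. opt
end

-- This unlocks extra configuration options we need.
EXPERT "y"

-- Required for several options. Best placed outside of this module.
PCI "y"
PCI_MSI "y"
NET "y"
INET "y"

-- Don't allow direct access to physical memory.
-- The /dev/mem device should not be required by any user application nowadays.
DEVMEM "n"

if MODULES:is "y" then
  -- Enforce strict memory mapping permissions for loadable kernel modules
  -- (the symbol was renamed from DEBUG_SET_MODULE_RONX in 4.11).
  if kernel_version >= ver("4.11") then
    STRICT_MODULE_RWX "y"
  else
    DEBUG_SET_MODULE_RONX "y"
  end
  -- If MODULES is enabled, at least they should be signed with a per-build key
  -- (MODULE_SIG_KEY, to be set by the including configuration).
  MODULE_SIG "y"
  MODULE_SIG_ALL "y"
  -- Sign with SHA-512.
  MODULE_SIG_SHA512 "y"
  -- Refuse to load unsigned or badly signed modules instead of merely tainting.
  -- This applies to every module load, including those from an initramfs.
  MODULE_SIG_FORCE "y"
end

-- Dangerous; enabling this allows direct physical memory writing.
ACPI_CUSTOM_METHOD "n"
-- Dangerous; enabling this disables brk ASLR.
COMPAT_BRK "n"
-- Dangerous; enabling this allows direct kernel memory writing.
-- /dev/kmem and its Kconfig symbol no longer exist from 5.13 on.
if kernel_version <= ver("5.12") then
  DEVKMEM "n"
end
-- Dangerous; exposes kernel text image layout.
PROC_KCORE "n"
-- Dangerous; enabling this disables VDSO ASLR.
COMPAT_VDSO "n"
-- Dangerous; disable the kexec() system calls to prevent an already-root
-- attacker from rebooting into an untrusted kernel.
KEXEC "n"
KEXEC_FILE "n"
-- Dangerous; enabling this allows replacement of the running kernel.
HIBERNATION "n"
-- We do not want our kernel to support miscellaneous binary classes.
-- ELF binaries and interpreted scripts starting with a shebang are enough.
-- Also easily confused by misconfigured userspace, keep off.
BINFMT_MISC "n"
-- Also disable the a.out/ECOFF format. (This is unrelated to a.out files
-- generated by gcc and alike, which are ELF files.)
BINFMT_AOUT "n"
-- Use the modern PTY interface (devpts) only.
LEGACY_PTYS "n"
-- The userfaultfd() system call adds attack surface and can make heap sprays easier.
-- Note that the vm.unprivileged_userfaultfd sysctl can also be used to restrict the
-- use of this system call to privileged users.
if kernel_version >= ver("4.3") then
  USERFAULTFD "n"
end
-- Disable the uselib system call, which is not needed on systems with a modern libc.
USELIB "n"
-- The /dev/port device should not be used anymore by userspace,
-- and it could increase the kernel attack surface.
DEVPORT "n"
-- Enabling this feature can make cache side-channel attacks such
-- as FLUSH+RELOAD much easier to carry out.
KSM "n"
-- Disable kprobes (allow callbacks on any kernel function).
KPROBES "n"
-- Symbols are only useful for debug and attack purposes.
-- Caveat: without KALLSYMS, oops reports and stack traces contain raw addresses
-- only, which makes post-mortem analysis of a PANIC_ON_OOPS crash harder.
KALLSYMS "n"
-- User namespaces can be useful for some use cases but even more
-- to an attacker. Optional because required by systemd.
--USER_NS "n"
-- Do not export ZSMALLOC statistics.
ZSMALLOC_STAT "n"
-- Do not track page owners.
PAGE_OWNER "n"
-- Disable exporting crashed kernel images through /proc/vmcore.
PROC_VMCORE "n"
-- Disable debugfs.
DEBUG_FS "n"
-- Disable kernel live-patching.
LIVEPATCH "n"
-- Do not automatically load any line discipline that is in a kernel module
-- when an unprivileged user asks for it.
if kernel_version >= ver("5.1") then
  LDISC_AUTOLOAD "n"
end
-- Disable exporting the page table layout to prevent an information leak.
if kernel_version >= ver("5.6") then
  PTDUMP_DEBUGFS "n"
else
  X86_PTDUMP "n"
end
-- Prevent potential further exploitation of a bug by immediately panicking the kernel.
-- Caveat: this turns every oops, including attacker-triggerable but otherwise
-- harmless ones, into a denial of service. The trade-off is intentional here.
PANIC_ON_OOPS "y"
-- Report BUG() conditions and kill the offending process.
BUG "y"

-- Do not credit entropy generated by the CPU manufacturer's HWRNG nor entropy
-- provided by the bootloader to Linux's entropy pool. Fast and robust
-- initialization of Linux's CSPRNG is instead achieved thanks to the TPM's
-- HWRNG (see HW_RANDOM_TPM and the rng_core.default_quality parameter below).
-- RANDOM_TRUST_CPU exists since 4.19; RANDOM_TRUST_BOOTLOADER only since 5.4,
-- so it must not be set on 4.19-5.3 kernels.
-- NOTE(review): recent kernels replaced both Kconfig symbols with the
-- random.trust_cpu= / random.trust_bootloader= boot parameters. The
-- random.trust_cpu=off parameter has been understood since 4.19 and is added
-- here as well, so the CPU RNG stays uncredited even if the symbol goes away.
if kernel_version >= ver("4.19") then
  RANDOM_TRUST_CPU "n"
  add_cmdline "random.trust_cpu=off"
end
if kernel_version >= ver("5.4") then
  RANDOM_TRUST_BOOTLOADER "n"
end
-- Enable hardware random number generators.
HW_RANDOM "y"
HW_RANDOM_INTEL "y"
HW_RANDOM_AMD "y"
-- Expose the TPM's Random Number Generator (RNG) as a Hardware RNG (HWRNG)
-- device, allowing the kernel to collect randomness from it. See the
-- documentation of RANDOM_TRUST_CPU and the rng_core.default_quality command
-- line parameter for supplementary information.
TCG_TPM "y"
HW_RANDOM_TPM "y"
-- Increase trust in the TPM's HWRNG to robustly and quickly initialize Linux's
-- CSPRNG by crediting half of the entropy it provides (quality is per 1024 bits).
-- NOTE(review): this makes the TPM a trusted component of boot-time entropy;
-- only credit it if you trust the TPM on your platform.
add_cmdline "rng_core.default_quality=512"
-- Enable the auditing infrastructure.
AUDIT "y"
-- Make sure kernel page tables have safe permissions (pre-4.11 symbol name;
-- STRICT_KERNEL_RWX is set below for newer kernels).
if kernel_version < ver("4.11") then
  DEBUG_RODATA "y"
end
-- This is useful even in a production kernel to enable further configuration options
-- that have security benefits.
DEBUG_KERNEL "y"
-- Enable sanity checks in virtual to page code.
DEBUG_VIRTUAL "y"
-- Ensure kernel page tables have strict permissions.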
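if kernel_version >= ver("4.11") and ARCH_OPTIONAL_KERNEL_RWX:is "y" then
  STRICT_KERNEL_RWX "y"
end
-- Check and report any dangerous memory mapping permissions, i.e., kernel pages
-- that are both writable and executable.
if kernel_version >= ver("4.4") then
  DEBUG_WX "y"
end
-- Use the strong stack protector for best stack canary coverage
-- (the symbol was renamed from CC_STACKPROTECTOR_STRONG in 4.18).
if kernel_version >= ver("4.18") then
  STACKPROTECTOR "y"
  STACKPROTECTOR_STRONG "y"
else
  CC_STACKPROTECTOR_STRONG "y"
end
-- If you must have DEVMEM, at least enable strict mode. This module sets
-- DEVMEM "n" above, so this only matters if that choice is overridden.
if DEVMEM:is "y" then
  STRICT_DEVMEM "y"
  if kernel_version >= ver("4.5") then
    IO_STRICT_DEVMEM "y"
  end
end
-- Provides some protection against SYN flooding.
SYN_COOKIES "y"
-- Perform additional validation of various commonly targeted structures.
DEBUG_CREDENTIALS "y"
DEBUG_NOTIFIERS "y"
DEBUG_LIST "y"
DEBUG_SG "y"
if kernel_version >= ver("4.10") then
  BUG_ON_DATA_CORRUPTION "y"
end
SCHED_STACK_END_CHECK "y"
-- Provide userspace with the seccomp BPF API for syscall attack surface reduction.
SECCOMP "y"
-- Enable us to choose different security modules.
SECURITY "y"
-- -- Enable SELinux for hosts that intend to leverage it in their security model.
-- SECURITY_SELINUX "y"
-- -- We do not need SELinux to be disableable by a boot parameter.
-- SECURITY_SELINUX_BOOTPARAM "n"
-- -- We do not want SELinux to be disabled. In addition, keeping this option off makes
-- -- LSM structures such as security hooks read-only.
-- SECURITY_SELINUX_DISABLE "n"
-- -- For now, but should eventually be set to n.
-- SECURITY_SELINUX_DEVELOP "y"
-- Enables ptrace scope restrictions.
SECURITY_YAMA "y"
-- Perform usercopy bounds checking (and disable the fallback to gain full
-- whitelist enforcement).
if kernel_version >= ver("4.8") then
  -- Harden data copies between kernel and user space, preventing classes
  -- of heap overflow exploits and information leaks.
  HARDENED_USERCOPY "y"
  if kernel_version <= ver("5.18") then
    HARDENED_USERCOPY_PAGESPAN "n"
    -- Use strict whitelisting mode, i.e., do not WARN().
    -- NOTE(review): HARDENED_USERCOPY_FALLBACK was dropped by a later 5.x
    -- kernel than PAGESPAN; if your kernel rejects the symbol, lower the bound.
    if kernel_version >= ver("4.16") then
      HARDENED_USERCOPY_FALLBACK "n"
    end
  end
end
-- Merging slab caches can make heap exploitation easier.
if kernel_version >= ver("4.13") then
  SLAB_MERGE_DEFAULT "n"
end
-- Randomize allocator freelists.
if kernel_version >= ver("4.7") then
  SLAB_FREELIST_RANDOM "y"
end
-- Harden slab metadata.
if kernel_version >= ver("4.14") then
  SLAB_FREELIST_HARDENED "y"
end
-- Randomize the high-order page allocation freelist.
-- Page allocator randomization is primarily a performance improvement for direct-mapped
-- memory-side-cache utilization, but it does reduce the predictability of page allocations
-- and thus complements SLAB_FREELIST_RANDOM. The page_alloc.shuffle=1 parameter needs to
-- be added to the kernel command line.
if kernel_version >= ver("5.2") then
  SHUFFLE_PAGE_ALLOCATOR "y"
  add_cmdline "page_alloc.shuffle=1"
end
-- Wipe slab and page allocations.
if kernel_version >= ver("5.3") then
  -- This replaces "slub_debug=P" and "page_poison=1" and can control all types
  -- of memory allocation and wiping now. init_on_free is only needed if there
  -- is concern about minimizing stale data lifetime.
  INIT_ON_ALLOC_DEFAULT_ON "y"
  INIT_ON_FREE_DEFAULT_ON "y"
else
  -- Pre-5.3 equivalent: allocator validation checking plus page poisoning.
  SLUB_DEBUG "y"
  add_cmdline "slub_debug=P"
  if kernel_version >= ver("4.6") then
    -- Wipe higher-level memory allocations when they are freed (needs "page_poison=1").
    PAGE_POISONING "y"
    -- Enable buddy allocator free poisoning.
    add_cmdline "page_poison=1"
    -- If you can't afford even more performance penalty, set PAGE_POISONING_NO_SANITY=y.
    -- This only works if HIBERNATION is disabled, as it selects PAGE_POISONING_NO_SANITY.
    if HIBERNATION:is "n" then
      PAGE_POISONING_NO_SANITY "n"
    end
    PAGE_POISONING_ZERO "y"
  end
end
-- Initialize all stack variables on function entry. Prefer the compiler's
-- automatic variable initialization (pattern, then zero) and fall back to the
-- structleak GCC plugin where the compiler cannot do it.
-- The chain is ordered so that every branch is reachable: the previous version
-- let "kernel_version >= 5.2" swallow all newer kernels, so the GCC plugin
-- fallback could never be selected and a 5.9+ kernel without compiler support
-- silently got nothing.
if kernel_version >= ver("5.9") and CC_HAS_AUTO_VAR_INIT_PATTERN:is "y" then
  INIT_STACK_ALL_PATTERN "y"
elseif kernel_version >= ver("5.9") and CC_HAS_AUTO_VAR_INIT_ZERO:is "y" then
  INIT_STACK_ALL_ZERO "y"
elseif kernel_version >= ver("5.2") and kernel_version < ver("5.9")
    and CC_HAS_AUTO_VAR_INIT:is "y" then
  -- 5.2-5.8 name of the pattern-initialization option.
  INIT_STACK_ALL "y"
elseif kernel_version >= ver("4.14") and HAVE_GCC_PLUGINS:is "y" then
  -- Force all structures to be initialized before they are passed to other functions.
  GCC_PLUGIN_STRUCTLEAK_BYREF_ALL "y"
end
-- Virtually-mapped stacks benefit from guard pages,
-- thus making kernel stack overflows harder to exploit.
if kernel_version >= ver("4.9") then
  VMAP_STACK "y"
end
-- Perform extensive checks on reference counting (unconditionally enabled since 5.5).
if kernel_version >= ver("4.13") and kernel_version < ver("5.5") then
  REFCOUNT_FULL "y"
end
-- Check for memory copies that might overflow a structure in str*() and
-- mem*() functions both at build-time and run-time.
if kernel_version >= ver("4.13") then
  FORTIFY_SOURCE "y"
end
if kernel_version >= ver("4.8") and HAVE_GCC_PLUGINS:is "y" then
  -- Gather additional entropy at boot time for systems that may not have
  -- appropriate entropy sources.
  if kernel_version >= ver("4.9") then
    GCC_PLUGIN_LATENT_ENTROPY "y"
  end
  -- Wipe stack contents on syscall exit (reduces stale data lifetime in the stack).
  -- Keep the metrics export and the runtime disable knob off; both only add surface.
  if kernel_version >= ver("5.2") then
    GCC_PLUGIN_STACKLEAK "y"
    STACKLEAK_METRICS "n"
    STACKLEAK_RUNTIME_DISABLE "n"
  end
end
-- Needed to benefit from microcode updates and thus security fixes
-- (e.g., additional Intel pseudo-MSRs to be used by the kernel as a
-- mitigation for various speculative execution vulnerabilities).
MICROCODE "y"
-- Retpolines are needed to protect against Spectre v2.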
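if kernel_version >= ver("4.15") then
  RETPOLINE "y"
end
-- Always enable the spectre_v2 mitigation, even on CPUs that report they are
-- not affected. This implies spectre_v2_user=on, which enables the mitigation
-- against user space to user space task attacks (namely IBPB and STIBP when
-- available and relevant).
add_cmdline "spectre_v2=on"
-- Enable the spectre_v4 (Speculative Store Bypass) mitigation for seccomp- and
-- prctl-confined tasks. This is not a global mitigation: use
-- spec_store_bypass_disable=on to apply it to every task at a higher cost.
add_cmdline "spec_store_bypass_disable=seccomp"
-- Mitigations for the Microarchitectural Data Sampling (MDS) vulnerability
-- on Intel processors, and optionally allow disabling SMT (Simultaneous multithreading)
-- to do so.
add_cmdline "mds=full"
-- If you want to disable hyperthreading, use this line instead.
--add_cmdline "mds=full,nosmt"
-- The IOMMU allows for protecting the system's main memory from arbitrary
-- accesses from devices (e.g., DMA attacks). Note that this is related to
-- hardware features.
IOMMU_SUPPORT "y"
INTEL_IOMMU "y"
if kernel_version >= ver("4.4") then
  INTEL_IOMMU_SVM "y"
end
INTEL_IOMMU_DEFAULT_ON "y"
AMD_IOMMU "y"
-- NOTE(review): AMD_IOMMU_V2 has been removed from recent kernels; drop it if
-- your kernel rejects the symbol.
AMD_IOMMU_V2 "y"
-- Always enable the IOMMU.
-- NOTE(review): consider also iommu.strict=1 (synchronous IOTLB invalidation)
-- and iommu.passthrough=0 so that DMA mappings are actually enforced.
add_cmdline "iommu=force"
-- Prevent unprivileged users from gathering information from the kernel log
-- buffer via dmesg(8). Note that this still can be overridden through the
-- kernel.dmesg_restrict sysctl.
SECURITY_DMESG_RESTRICT "y"
if kernel_version >= ver("4.11") then
  -- This makes the kernel route all usermode helper calls to a single binary
  -- that cannot have its name changed. Without this, the kernel can be tricked
  -- into calling an attacker-controlled binary (e.g. to bypass SMAP, cf.
  -- exploitation of CVE-2016-8655).
  STATIC_USERMODEHELPER "y"
  -- Currently, we have no need for usermode helpers therefore we simply disable them.
  -- If you need them, this path will need to be set to a custom trusted binary in charge
  -- of filtering and choosing what real helpers should then be called.
  -- Caveat: an empty path disables every usermode helper, including module
  -- autoloading via request_module() and piping core dumps to a program.
  STATIC_USERMODEHELPER_PATH ""
end
-- In order to work properly, this mitigation requires userspace support
-- that is not commonly configured. You can enable this yourself if you want
-- to provide the support on your system.
if kernel_version >= ver("4.14") then
  RESET_ATTACK_MITIGATION "n"
end
-- This restricts loading modules to one file system only. Must be enabled via
-- cmdline or SECURITY_LOADPIN_ENFORCE=y, which could be used if there is no
-- initramfs (LoadPin pins to the first file system it loads from, so with an
-- initramfs that would be the initramfs itself).
if kernel_version >= ver("4.7") then
  SECURITY_LOADPIN "y"
end
if kernel_version >= ver("5.4") then
  -- Basically, the lockdown LSM tries to strengthen the boundary between
  -- the superuser and the kernel. The integrity mode restricts access
  -- to features that would allow userland to modify the running kernel, and
  -- the confidentiality mode extends these restrictions to features that would
  -- allow userland to extract confidential information held inside the kernel.
  SECURITY_LOCKDOWN_LSM "y"
  SECURITY_LOCKDOWN_LSM_EARLY "y"
  LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY "y"
end
-- The list of security modules to enable, in load order ("capability" is always
-- active first). "selinux" is only honoured if SECURITY_SELINUX is built in,
-- which is left commented out above; a listed LSM that is not built is ignored.
if kernel_version >= ver("5.1") then
  LSM "lockdown,yama,loadpin,selinux"
end
if X86:is "y" then
  -- Disallow allocating the first 64k of memory. This should in particular
  -- be non-zero to prevent the exploitation of kernel NULL pointer bugs.
  DEFAULT_MMAP_MIN_ADDR(0x10000)
  -- Enable Kernel Page Table Isolation to remove an entire class of
  -- cache timing side-channels. PTI arrived in 4.15 for x86_64 only;
  -- 32-bit support followed in 4.19.
  if kernel_version >= ver("4.19") or (kernel_version >= ver("4.15") and X86_64:is "y") then
    PAGE_TABLE_ISOLATION "y"
    -- This force-enables KPTI even on CPUs claiming to be safe from Meltdown.
    add_cmdline "pti=on"
  end
  -- Don't allow for 16-bit program emulation and associated LDT tricks.
  if kernel_version >= ver("4.3") then
    MODIFY_LDT_SYSCALL "n"
  end
  -- Enable the RDRAND instruction to benefit from a secure hardware RNG if
  -- supported. See also RANDOM_TRUST_CPU. The Kconfig symbol was removed in
  -- 6.0 (the support became unconditional), hence the upper bound; its
  -- default was "y" anyway.
  if kernel_version < ver("6.0") then
    ARCH_RANDOM "y"
  end
  -- Randomize the position of the kernel (KASLR).
  RANDOMIZE_BASE "y"
  -- Machine Check Exceptions can report suspicious hardware errors, some of
  -- which may for instance, on systems with ECC memory, reveal an ongoing
  -- Rowhammer attack.
  X86_MCE "y"
  X86_MCE_INTEL "y"
  X86_MCE_AMD "y"
  -- Make the kernel panic on uncorrected Machine Check Errors (tolerance level 0).
  -- This could stop an ongoing Rowhammer attack.
  add_cmdline "mce=0"
  -- Disable TSX to mitigate the TSX Asynchronous Abort (TAA) Intel CPU
  -- vulnerability. The Kconfig symbol arrived with the TAA fixes in 5.4; the
  -- equivalent tsx=off parameter is added too so stable kernels that carry the
  -- backport without the 5.4 version number are covered as well.
  if kernel_version >= ver("5.4") then
    X86_INTEL_TSX_MODE_OFF "y"
  end
  add_cmdline "tsx=off"
  -- Disable /dev/cpu/*/{msr,cpuid} which would only present userspace
  -- with more attack surface.
  X86_MSR "n"
  X86_CPUID "n"
  -- Page Attribute Tables are the modern equivalents of MTRRs
  -- (Memory Type Range Registers) which can make speculative execution
  -- bugs a bit harder to exploit.
  X86_PAT "y"
  if kernel_version <= ver("5.18") then
    -- Enable Supervisor Mode Access Prevention to prevent
    -- ret2usr exploitation techniques.
    X86_SMAP "y"
  end
  -- Enable User Mode Instruction Prevention to prevent some instructions
  -- that unnecessarily expose information about the hardware state from
  -- being executed in user mode.
  if kernel_version >= ver("5.5") then
    X86_UMIP "y"
  elseif kernel_version >= ver("4.15") then
    X86_INTEL_UMIP "y"
  end
end
if X86_64:is "y" then
  if kernel_version >= ver("4.8") then
    RANDOMIZE_MEMORY "y"
  end
  -- Use the maximum number of randomized bits for the mmap base address.
  -- 32 is the x86_64 maximum; 32-bit x86 and arm only allow 16, which is why
  -- this is scoped to x86_64 rather than applied to every architecture.
  if kernel_version >= ver("4.5") then
    ARCH_MMAP_RND_BITS(32)
  end
  -- The vsyscall table is not required anymore by libc and is a fixed-position
  -- potential source of ROP gadgets.
  if kernel_version >= ver("4.4") then
    LEGACY_VSYSCALL_NONE "y"
  end
  X86_VSYSCALL_EMULATION "n"
  -- Remove additional attack surface, unless you really need them.
  IA32_EMULATION "n"
  -- Disable the native x32 ABI (the symbol was renamed in 5.18).
  if kernel_version >= ver("5.18") then
    X86_X32_ABI "n"
  else
    X86_X32 "n"
  end
elseif X86:is "y" then
  -- On 32-bit kernels, require PAE for NX bit support.
  M486 "n"
  HIGHMEM4G "n"
  HIGHMEM64G "y"
  X86_PAE "y"
elseif os.getenv("ARCH") == "arm64" then
  -- Disallow allocating the first 32k of memory (cannot be 64k due to the ARM loader).
  DEFAULT_MMAP_MIN_ADDR(0x8000)
  -- Randomize the position of the kernel (requires a UEFI RNG or bootloader
  -- support for the /chosen/kaslr-seed DT property). Supported on arm64 since 4.6.
  if kernel_version >= ver("4.6") then
    RANDOMIZE_BASE "y"
  end
  -- NOTE(review): ARCH_MMAP_RND_BITS is left at its default here because the
  -- arm64 maximum depends on page size and VA bits; raise it to
  -- ARCH_MMAP_RND_BITS_MAX for your configuration.
  -- Make sure PAN emulation is enabled.
  if kernel_version >= ver("4.10") then
    ARM64_SW_TTBR0_PAN "y"
  end
  -- Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels.
  if kernel_version >= ver("4.16") then
    UNMAP_KERNEL_AT_EL0 "y"
  end
elseif os.getenv("ARCH") == "arm" then
  -- Disallow allocating the first 32k of memory (cannot be 64k due to the ARM loader).
  DEFAULT_MMAP_MIN_ADDR(0x8000)
  -- For maximal userspace memory area (and maximum ASLR).
  VMSPLIT_3G "y"
  -- Mainline arm gets STRICT_KERNEL_RWX from the generic block above.
  -- STRICT_MEMORY_RWX only exists in old out-of-tree Qualcomm kernels and is
  -- not a valid symbol on mainline, so it is left opt-in rather than set
  -- unconditionally.
  --STRICT_MEMORY_RWX "y"
  -- Make sure PXN/PAN emulation is enabled.
  if kernel_version >= ver("4.3") then
    CPU_SW_DOMAIN_PAN "y"
  end
  -- Dangerous; old interfaces and needless additional attack surface.
  OABI_COMPAT "n"
end
-- Set the command line (in practice, better return the cmdline and set this in your
-- own config, so you can add more if required).
CMDLINE(cmdline)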