I would like to improve our KSPP settings in .../distro/Kconfig:

1. We have an old option forgotten:

CONFIG_HARDENED_USERCOPY=y

2. Since 2022-03-30 KSPP recommends 6 new options, we should set also:

# Randomize kernel stack offset on syscall entry (since v5.13).
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y

# Enable sampling-based overflow detection. This is similar to KASAN coverage, but with almost zero runtime overhead.
CONFIG_KFENCE=y

# Do not ignore compile-time warnings (since v5.15)
CONFIG_WERROR=y

# Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot)
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y

# Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE).
CONFIG_SCHED_CORE=y

# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers)
CONFIG_ZERO_CALL_USED_REGS=y

3. Since 5.15 DEVKMEM doesn't exist anymore, so we don't need to check if it is unset and can cut !DEVKMEM

=> Depends on: GENTOO_LINUX [=y] && [...] && !DEVKMEM [=n] && [...]

Reproducible: Always

Steps to Reproduce:
It is not updated in 5.15.36

Actual Results:
Old settings

Expected Results:
New settings
Everything is in except for CONFIG_WERROR=y which gyakovlev in #gentoo-hardened suggested could cause issues with some architectures.
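Added example, not part of the bug report or of the Gentoo patchset: a small POSIX sh script that checks a kernel .config for the options listed in the report, leaving out CONFIG_WERROR as comment 1 does. It distinguishes an option that is explicitly disabled ("# CONFIG_FOO is not set") from one that is absent, which matters because the KSPP patch only sets options that the kernel tree actually offers. The option names are taken from the report; the sample .config embedded below is constructed for the demonstration and is not a real Gentoo configuration.

```shell
#!/bin/sh
# Check a kernel .config for the KSPP options named in bug 841488.
# Added example; option list from the report, sample config constructed here.

# CONFIG_WERROR is deliberately omitted: comment 1 notes it may break
# some architectures, so the Gentoo patch does not set it.
KSPP_OPTIONS="
CONFIG_HARDENED_USERCOPY
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT
CONFIG_KFENCE
CONFIG_IOMMU_DEFAULT_DMA_STRICT
CONFIG_SCHED_CORE
CONFIG_ZERO_CALL_USED_REGS
"

# config_value FILE OPTION
# Prints the option's value (y, m, n, or a string/number), or "unset" if
# the option does not appear in the file at all.  Kconfig writes an
# explicitly disabled bool as "# CONFIG_FOO is not set", so that line
# maps to "n"; a missing line usually means the kernel tree does not
# offer the option (e.g. DEVKMEM after 5.15).
config_value() {
    file=$1
    opt=$2
    if grep -q "^# ${opt} is not set\$" "$file"; then
        echo n
        return 0
    fi
    val=$(sed -n "s/^${opt}=//p" "$file" | head -n 1)
    if [ -z "$val" ]; then
        echo unset
    else
        echo "$val"
    fi
}

# kspp_missing FILE
# Prints each option from KSPP_OPTIONS that is not =y, with its current
# state in parentheses.  Exit status 0 when every option is enabled,
# 1 when at least one is missing.
kspp_missing() {
    file=$1
    rc=0
    for opt in $KSPP_OPTIONS; do
        v=$(config_value "$file" "$opt")
        if [ "$v" != "y" ]; then
            echo "$opt ($v)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample .config resembling the "old settings" state: the
# forgotten option and two of the new ones are present, one new option
# is explicitly disabled, and two are absent altogether.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_GENTOO_LINUX=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
# CONFIG_KFENCE is not set
CONFIG_SCHED_CORE=y
EOF

if kspp_missing "$SAMPLE_CONFIG"; then
    echo "all KSPP options from the report are enabled"
else
    echo "some KSPP options from the report are missing (listed above)"
fi
```

Run it against a real tree with the sample block replaced by `kspp_missing /usr/src/linux/.config`; an "unset" result for a real option normally means the Kconfig symbol's dependencies are not met in that configuration (KFENCE, for instance, needs a supported architecture), which is worth checking before assuming the hardening is in effect.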
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=e6616502ad6e34b980112d4828cf526fdfbf0635

commit e6616502ad6e34b980112d4828cf526fdfbf0635
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2022-05-11 17:25:52 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2022-05-11 17:25:52 +0000

    Update Gentoo Hardened patchset based on KSPP thanks to Peter Bo

    Bug: https://bugs.gentoo.org/841488

    Added:
    CONFIG_HARDENED_USERCOPY=y
    CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
    CONFIG_KFENCE=y
    CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
    CONFIG_SCHED_CORE=y
    CONFIG_ZERO_CALL_USED_REGS=y

    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 4567_distro-Gentoo-Kconfig.patch | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b7bb70af4842e3e091c70631e4956023a91c946c

commit b7bb70af4842e3e091c70631e4956023a91c946c
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2022-05-12 12:26:09 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2022-05-12 12:26:09 +0000

    sys-kernel/gentoo-sources: add 5.17.7 and update to kspp patch

    Update Gentoo Hardened patchset based on KSPP thanks to Peter Bo

    Closes: https://bugs.gentoo.org/841488
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                 |  3 +++
 .../gentoo-sources/gentoo-sources-5.17.7.ebuild    | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb485852c43843d7272940266f52468c6e0c5a93

commit bb485852c43843d7272940266f52468c6e0c5a93
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2022-05-12 12:25:11 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2022-05-12 12:25:11 +0000

    sys-kernel/gentoo-sources: add 5.15.39 and ksp update

    Update Gentoo Hardened patchset based on KSPP thanks to Peter Bo (Mike Pagano)

    Bug: https://bugs.gentoo.org/841488
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                 |  3 +++
 .../gentoo-sources/gentoo-sources-5.15.39.ebuild   | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)