kconfig-hardened-check
A tool for checking the security hardening options of the Linux kernel
This is a first quick pass over the codebase. If having better typing is something desirable, I'll do another more comprehensive one. Having typing makes it easier to understand what's...
This should close #114
There is a collection of kconfigs which are automatically updated in https://github.com/oracle/kconfigs/tree/main/out. It looks possible to do the integration with the project instead of tracking distro configs in this project.
Hello, I would like to discuss the idea of implementing a separation between server and desktop. There is separation between arch and show output. - -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail} -...
Hello, Looks like big change for naming schemes Merged by Torvalds for 6.9 Many options will be renamed, for example: ``` x86/bugs: Rename CONFIG_RETHUNK => CONFIG_MITIGATION_RETHUNK x86/bugs: Rename CONFIG_CPU_SRSO =>...
Hello, please consider these new options. Intel's hardware vulnerability for Atom cores; Register File Data Sampling. https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00898.html Merged by Torvalds Kconfig ``` +config MITIGATION_RFDS + bool "RFDS Mitigation" + depends...
Consider adding `CONFIG_X86_USER_SHADOW_STACK` kconfig option to enable support for userspace shadow stack on capable hardware. This is in addition to the kconfig option for enabling kernel IBT that's already implemented....
Hello @a13xp0p0v I have two suggestions for [kernel-hardening-checker](https://github.com/a13xp0p0v/kernel-hardening-checker) 1) It's a matter of fact that enabling all suggested security features impacts performance and I have verified this by myself,...
CONFIG_VMLINUX_MAP generates a system.map file, which contains debugging symbols, and other information that may leak information about the kernel. It is automatically generated with the kernel, and it is delivered...
Consider disabling IO_uring access using sysctl tunable apart from the `CONFIG_IO_URING` kconfig option that's already implemented. More information here: [https://www.phoronix.com/news/Google-Restricting-IO_uring](https://www.phoronix.com/news/Google-Restricting-IO_uring) [https://www.phoronix.com/news/Linux-6.6-sysctl-IO_uring](https://www.phoronix.com/news/Linux-6.6-sysctl-IO_uring)