diff options
| -rw-r--r-- | nixos/modules/profiles/hardened.nix | 9 | ||||
| -rw-r--r-- | pkgs/os-specific/linux/kernel/hardened/config.nix | 39 |
2 files changed, 42 insertions, 6 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 74dc2cb1b9aa4..b85a2ac7e69d2 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -39,14 +39,17 @@ with lib; security.apparmor.killUnconfinedConfinables = mkDefault true; boot.kernelParams = [ - # Slab/slub sanity checks, redzoning, and poisoning - "slub_debug=FZP" + # Don't merge slabs + "slab_nomerge" - # Overwrite free'd memory + # Overwrite free'd pages "page_poison=1" # Enable page allocator randomization "page_alloc.shuffle=1" + + # Disable debugfs + "debugfs=off" ]; boot.blacklistedKernelModules = [ diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix index 7aa9c51173526..ea49966f46dd0 100644 --- a/pkgs/os-specific/linux/kernel/hardened/config.nix +++ b/pkgs/os-specific/linux/kernel/hardened/config.nix @@ -39,21 +39,33 @@ assert (versionAtLeast version "4.9"); DEBUG_PI_LIST = whenOlder "5.2" yes; # doesn't BUG() DEBUG_PLIST = whenAtLeast "5.2" yes; DEBUG_SG = yes; + DEBUG_VIRTUAL = yes; SCHED_STACK_END_CHECK = yes; REFCOUNT_FULL = whenOlder "5.4.208" yes; + # tell EFI to wipe memory during reset + # https://lwn.net/Articles/730006/ + RESET_ATTACK_MITIGATION = yes; + + # restricts loading of line disciplines via TIOCSETD ioctl to CAP_SYS_MODULE + CONFIG_LDISC_AUTOLOAD = option no; + # Randomize page allocator when page_alloc.shuffle=1 SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes; - # Allow enabling slub/slab free poisoning with slub_debug=P - SLUB_DEBUG = yes; - # Wipe higher-level memory allocations on free() with page_poison=1 PAGE_POISONING = yes; PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes; PAGE_POISONING_ZERO = whenOlder "5.11" yes; + # Enable init_on_alloc and init_on_free by default + INIT_ON_ALLOC_DEFAULT_ON = yes; + INIT_ON_FREE_DEFAULT_ON = yes; + + # Wipe all caller-used registers on exit from a function + ZERO_CALL_USED_REGS = yes; + # Enable the SafeSetId LSM SECURITY_SAFESETID = whenAtLeast "5.1" yes; @@ -70,6 +82,16 @@ assert (versionAtLeast version "4.9"); GCC_PLUGIN_RANDSTRUCT = whenOlder "5.19" yes; # A port of the PaX randstruct plugin GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenOlder "5.19" yes; + # Runtime undefined behaviour checks + # https://www.kernel.org/doc/html/latest/dev-tools/ubsan.html + # https://developers.redhat.com/blog/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan + UBSAN = yes; + UBSAN_TRAP = yes; + UBSAN_BOUNDS = yes; + UBSAN_SANITIZE_ALL = yes; + UBSAN_LOCAL_BOUNDS = option yes; # clang only + CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1 + # Same as GCC_PLUGIN_RANDSTRUCT*, but has been renamed to `RANDSTRUCT*` in 5.19. RANDSTRUCT = whenAtLeast "5.19" yes; RANDSTRUCT_PERFORMANCE = whenAtLeast "5.19" yes; @@ -97,4 +119,15 @@ assert (versionAtLeast version "4.9"); # CONFIG_DEVMEM=n causes these to not exist anymore. STRICT_DEVMEM = option no; IO_STRICT_DEVMEM = option no; + + # stricter IOMMU TLB invalidation + IOMMU_DEFAULT_DMA_STRICT = option yes; + IOMMU_DEFAULT_DMA_LAZY = option no; + + # not needed for less than a decade old glibc versions + LEGACY_VSYSCALL_NONE = yes; + + # Straight-Line-Speculation + # https://lwn.net/Articles/877845/ + SLS = option yes; } |