Add the RESET_ATTACK_MITIGATION check according to the feature request #11

Let's check the RESET_ATTACK_MITIGATION option. The description of this security feature: https://lwn.net/Articles/730006/ It needs support from the userspace side: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a5c03c31af2291f13689d11760c0b59fb70c9a5a Improve the comments about the userspace support by the way.

Add the RESET_ATTACK_MITIGATION check according to the feature request #11
Let's check the RESET_ATTACK_MITIGATION option. The description of this security feature: https://lwn.net/Articles/730006/ It needs support from the userspace side: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a5c03c31af2291f13689d11760c0b59fb70c9a5a Improve the comments about the userspace support by the way.
257c011f · Alexander Popov · 26ae3b02 · 257c011f · 257c011f
Commit 257c011f authored Mar 04, 2019 by Alexander Popov
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

README.md README.md +1 -0

kconfig-hardened-check.py kconfig-hardened-check.py +3 -2

No files found.
--- a/README.md
+++ b/README.md
@@ -93,6 +93,7 @@ optional arguments:
  CONFIG_SECURITY_DMESG_RESTRICT         |      y      |    my    |  self_protection   ||     FAIL: "is not set"     
  CONFIG_STATIC_USERMODEHELPER           |      y      |    my    |  self_protection   ||     FAIL: "is not set"     
  CONFIG_SECURITY_LOADPIN                |      y      |    my    |  self_protection   ||     FAIL: "is not set"     
+  CONFIG_RESET_ATTACK_MITIGATION         |      y      |    my    |  self_protection   ||             OK             
  CONFIG_PAGE_POISONING_NO_SANITY        | is not set  |    my    |  self_protection   ||       OK: not found        
  CONFIG_PAGE_POISONING_ZERO             | is not set  |    my    |  self_protection   ||       OK: not found        
  CONFIG_SLAB_MERGE_DEFAULT              | is not set  |    my    |  self_protection   ||         FAIL: "y"          

--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -207,8 +207,9 @@ def construct_checklist(arch):
    checklist.append(OptCheck('LOCK_DOWN_KERNEL',                 'y', 'my', 'self_protection')) # remember about LOCK_DOWN_MANDATORY
    checklist.append(OptCheck('SLUB_DEBUG_ON',                    'y', 'my', 'self_protection'))
    checklist.append(OptCheck('SECURITY_DMESG_RESTRICT',          'y', 'my', 'self_protection'))
-    checklist.append(OptCheck('STATIC_USERMODEHELPER',            'y', 'my', 'self_protection')) # breaks systemd?
-    checklist.append(OptCheck('SECURITY_LOADPIN',                 'y', 'my', 'self_protection'))
+    checklist.append(OptCheck('STATIC_USERMODEHELPER',            'y', 'my', 'self_protection')) # needs userspace support (systemd)
+    checklist.append(OptCheck('SECURITY_LOADPIN',                 'y', 'my', 'self_protection')) # needs userspace support
+    checklist.append(OptCheck('RESET_ATTACK_MITIGATION',          'y', 'my', 'self_protection')) # needs userspace support (systemd)
    checklist.append(OptCheck('PAGE_POISONING_NO_SANITY',         'is not set', 'my', 'self_protection'))
    checklist.append(OptCheck('PAGE_POISONING_ZERO',              'is not set', 'my', 'self_protection'))
    checklist.append(OptCheck('SLAB_MERGE_DEFAULT',               'is not set', 'my', 'self_protection')) # slab_nomerge