Skip to content

K
kernel-hardening-checker
Commit 5e9f4868 by Alexander Popov
Options

Introduce KconfigCheck class

parent 7ed482ba
Showing with 210 additions and 208 deletions
kconfig_hardened_check/__init__.py
...@@ -106,6 +106,8 @@ class OptCheck: ...@@ -106,6 +106,8 @@ class OptCheck:
return True return True
return False return False
class KconfigCheck(OptCheck):
def table_print(self, _mode, with_results): def table_print(self, _mode, with_results):
print('CONFIG_{:<38}|{:^13}|{:^10}|{:^20}'.format(self.name, self.expected, self.decision, self.reason), end='') print('CONFIG_{:<38}|{:^13}|{:^10}|{:^20}'.format(self.name, self.expected, self.decision, self.reason), end='')
if with_results: if with_results:
...@@ -162,7 +164,7 @@ class ComplexOptCheck: ...@@ -162,7 +164,7 @@ class ComplexOptCheck:
self.opts = opts self.opts = opts
if not self.opts: if not self.opts:
sys.exit('[!] ERROR: empty {} check'.format(self.__class__.__name__)) sys.exit('[!] ERROR: empty {} check'.format(self.__class__.__name__))
if not isinstance(opts[0], OptCheck): if not isinstance(opts[0], KconfigCheck):
sys.exit('[!] ERROR: invalid {} check: {}'.format(self.__class__.__name__, opts)) sys.exit('[!] ERROR: invalid {} check: {}'.format(self.__class__.__name__, opts))
self.result = None self.result = None
...@@ -286,316 +288,316 @@ def detect_version(fname): ...@@ -286,316 +288,316 @@ def detect_version(fname):
def construct_checklist(l, arch): def construct_checklist(l, arch):
# Calling the OptCheck class constructor: # Calling the KconfigCheck class constructor:
# OptCheck(reason, decision, name, expected) # KconfigCheck(reason, decision, name, expected)
modules_not_set = OptCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set') modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set')
devmem_not_set = OptCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN
# 'self_protection', 'defconfig' # 'self_protection', 'defconfig'
l += [OptCheck('self_protection', 'defconfig', 'BUG', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'BUG', 'y')]
l += [OptCheck('self_protection', 'defconfig', 'SLUB_DEBUG', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'SLUB_DEBUG', 'y')]
l += [OptCheck('self_protection', 'defconfig', 'GCC_PLUGINS', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'GCC_PLUGINS', 'y')]
l += [OR(OptCheck('self_protection', 'defconfig', 'STACKPROTECTOR_STRONG', 'y'), l += [OR(KconfigCheck('self_protection', 'defconfig', 'STACKPROTECTOR_STRONG', 'y'),
OptCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR_STRONG', 'y'))] KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR_STRONG', 'y'))]
l += [OR(OptCheck('self_protection', 'defconfig', 'STRICT_KERNEL_RWX', 'y'), l += [OR(KconfigCheck('self_protection', 'defconfig', 'STRICT_KERNEL_RWX', 'y'),
OptCheck('self_protection', 'defconfig', 'DEBUG_RODATA', 'y'))] # before v4.11 KconfigCheck('self_protection', 'defconfig', 'DEBUG_RODATA', 'y'))] # before v4.11
l += [OR(OptCheck('self_protection', 'defconfig', 'STRICT_MODULE_RWX', 'y'), l += [OR(KconfigCheck('self_protection', 'defconfig', 'STRICT_MODULE_RWX', 'y'),
OptCheck('self_protection', 'defconfig', 'DEBUG_SET_MODULE_RONX', 'y'), KconfigCheck('self_protection', 'defconfig', 'DEBUG_SET_MODULE_RONX', 'y'),
modules_not_set)] # DEBUG_SET_MODULE_RONX was before v4.11 modules_not_set)] # DEBUG_SET_MODULE_RONX was before v4.11
l += [OR(OptCheck('self_protection', 'defconfig', 'REFCOUNT_FULL', 'y'), l += [OR(KconfigCheck('self_protection', 'defconfig', 'REFCOUNT_FULL', 'y'),
VerCheck((5, 5)))] # REFCOUNT_FULL is enabled by default since v5.5 VerCheck((5, 5)))] # REFCOUNT_FULL is enabled by default since v5.5
iommu_support_is_set = OptCheck('self_protection', 'defconfig', 'IOMMU_SUPPORT', 'y') iommu_support_is_set = KconfigCheck('self_protection', 'defconfig', 'IOMMU_SUPPORT', 'y')
l += [iommu_support_is_set] # is needed for mitigating DMA attacks l += [iommu_support_is_set] # is needed for mitigating DMA attacks
if arch in ('X86_64', 'ARM64', 'X86_32'): if arch in ('X86_64', 'ARM64', 'X86_32'):
l += [OptCheck('self_protection', 'defconfig', 'RANDOMIZE_BASE', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_BASE', 'y')]
l += [OptCheck('self_protection', 'defconfig', 'THREAD_INFO_IN_TASK', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'THREAD_INFO_IN_TASK', 'y')]
if arch in ('X86_64', 'ARM64'): if arch in ('X86_64', 'ARM64'):
l += [OptCheck('self_protection', 'defconfig', 'VMAP_STACK', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'VMAP_STACK', 'y')]
if arch in ('X86_64', 'X86_32'): if arch in ('X86_64', 'X86_32'):
l += [OptCheck('self_protection', 'defconfig', 'MICROCODE', 'y')] # is needed for mitigating CPU bugs l += [KconfigCheck('self_protection', 'defconfig', 'MICROCODE', 'y')] # is needed for mitigating CPU bugs
l += [OptCheck('self_protection', 'defconfig', 'RETPOLINE', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'RETPOLINE', 'y')]
l += [OptCheck('self_protection', 'defconfig', 'X86_SMAP', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'X86_SMAP', 'y')]
l += [OptCheck('self_protection', 'defconfig', 'SYN_COOKIES', 'y')] # another reason? l += [KconfigCheck('self_protection', 'defconfig', 'SYN_COOKIES', 'y')] # another reason?
l += [OR(OptCheck('self_protection', 'defconfig', 'X86_UMIP', 'y'), l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_UMIP', 'y'),
OptCheck('self_protection', 'defconfig', 'X86_INTEL_UMIP', 'y'))] KconfigCheck('self_protection', 'defconfig', 'X86_INTEL_UMIP', 'y'))]
if arch in ('ARM64', 'ARM'): if arch in ('ARM64', 'ARM'):
l += [OptCheck('self_protection', 'defconfig', 'STACKPROTECTOR_PER_TASK', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'STACKPROTECTOR_PER_TASK', 'y')]
if arch == 'X86_64': if arch == 'X86_64':
l += [OptCheck('self_protection', 'defconfig', 'PAGE_TABLE_ISOLATION', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'PAGE_TABLE_ISOLATION', 'y')]
l += [OptCheck('self_protection', 'defconfig', 'RANDOMIZE_MEMORY', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_MEMORY', 'y')]
l += [AND(OptCheck('self_protection', 'defconfig', 'INTEL_IOMMU', 'y'), l += [AND(KconfigCheck('self_protection', 'defconfig', 'INTEL_IOMMU', 'y'),
iommu_support_is_set)] iommu_support_is_set)]
l += [AND(OptCheck('self_protection', 'defconfig', 'AMD_IOMMU', 'y'), l += [AND(KconfigCheck('self_protection', 'defconfig', 'AMD_IOMMU', 'y'),
iommu_support_is_set)] iommu_support_is_set)]
if arch == 'ARM64': if arch == 'ARM64':
l += [OptCheck('self_protection', 'defconfig', 'ARM64_PAN', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'ARM64_PAN', 'y')]
l += [OptCheck('self_protection', 'defconfig', 'ARM64_EPAN', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'ARM64_EPAN', 'y')]
l += [OptCheck('self_protection', 'defconfig', 'UNMAP_KERNEL_AT_EL0', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'UNMAP_KERNEL_AT_EL0', 'y')]
l += [OR(OptCheck('self_protection', 'defconfig', 'HARDEN_EL2_VECTORS', 'y'), l += [OR(KconfigCheck('self_protection', 'defconfig', 'HARDEN_EL2_VECTORS', 'y'),
AND(OptCheck('self_protection', 'defconfig', 'RANDOMIZE_BASE', 'y'), AND(KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_BASE', 'y'),
VerCheck((5, 9))))] # HARDEN_EL2_VECTORS was included in RANDOMIZE_BASE in v5.9 VerCheck((5, 9))))] # HARDEN_EL2_VECTORS was included in RANDOMIZE_BASE in v5.9
l += [OptCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y')]
l += [OptCheck('self_protection', 'defconfig', 'ARM64_PTR_AUTH_KERNEL', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'ARM64_PTR_AUTH_KERNEL', 'y')]
l += [OptCheck('self_protection', 'defconfig', 'ARM64_BTI_KERNEL', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'ARM64_BTI_KERNEL', 'y')]
l += [OR(OptCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y'), l += [OR(KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y'),
VerCheck((5, 10)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10 VerCheck((5, 10)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10
l += [OptCheck('self_protection', 'defconfig', 'ARM64_MTE', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'ARM64_MTE', 'y')]
if arch == 'ARM': if arch == 'ARM':
l += [OptCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')]
l += [OptCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')]
# 'self_protection', 'kspp' # 'self_protection', 'kspp'
l += [OptCheck('self_protection', 'kspp', 'SECURITY_DMESG_RESTRICT', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'SECURITY_DMESG_RESTRICT', 'y')]
l += [OptCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')]
l += [OptCheck('self_protection', 'kspp', 'DEBUG_WX', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_WX', 'y')]
l += [OptCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y')]
l += [OptCheck('self_protection', 'kspp', 'SLAB_FREELIST_HARDENED', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_HARDENED', 'y')]
l += [OptCheck('self_protection', 'kspp', 'SLAB_FREELIST_RANDOM', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_RANDOM', 'y')]
l += [OptCheck('self_protection', 'kspp', 'SHUFFLE_PAGE_ALLOCATOR', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'SHUFFLE_PAGE_ALLOCATOR', 'y')]
l += [OptCheck('self_protection', 'kspp', 'FORTIFY_SOURCE', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'FORTIFY_SOURCE', 'y')]
l += [OptCheck('self_protection', 'kspp', 'DEBUG_LIST', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_LIST', 'y')]
l += [OptCheck('self_protection', 'kspp', 'DEBUG_SG', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_SG', 'y')]
l += [OptCheck('self_protection', 'kspp', 'DEBUG_CREDENTIALS', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_CREDENTIALS', 'y')]
l += [OptCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y')]
l += [OptCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y')]
l += [OptCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y')]
randstruct_is_set = OptCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y') randstruct_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y')
l += [randstruct_is_set] l += [randstruct_is_set]
hardened_usercopy_is_set = OptCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y') hardened_usercopy_is_set = KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y')
l += [hardened_usercopy_is_set] l += [hardened_usercopy_is_set]
l += [AND(OptCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'), l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'),
hardened_usercopy_is_set)] hardened_usercopy_is_set)]
l += [AND(OptCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_PAGESPAN', 'is not set'), l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_PAGESPAN', 'is not set'),
hardened_usercopy_is_set)] hardened_usercopy_is_set)]
l += [OR(OptCheck('self_protection', 'kspp', 'MODULE_SIG', 'y'), l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG', 'y'),
modules_not_set)] modules_not_set)]
l += [OR(OptCheck('self_protection', 'kspp', 'MODULE_SIG_ALL', 'y'), l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG_ALL', 'y'),
modules_not_set)] modules_not_set)]
l += [OR(OptCheck('self_protection', 'kspp', 'MODULE_SIG_SHA512', 'y'), l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG_SHA512', 'y'),
modules_not_set)] modules_not_set)]
l += [OR(OptCheck('self_protection', 'kspp', 'MODULE_SIG_FORCE', 'y'), l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG_FORCE', 'y'),
modules_not_set)] # refers to LOCKDOWN modules_not_set)] # refers to LOCKDOWN
l += [OR(OptCheck('self_protection', 'kspp', 'INIT_STACK_ALL_ZERO', 'y'), l += [OR(KconfigCheck('self_protection', 'kspp', 'INIT_STACK_ALL_ZERO', 'y'),
OptCheck('self_protection', 'kspp', 'GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y'))] KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y'))]
l += [OR(OptCheck('self_protection', 'kspp', 'INIT_ON_FREE_DEFAULT_ON', 'y'), l += [OR(KconfigCheck('self_protection', 'kspp', 'INIT_ON_FREE_DEFAULT_ON', 'y'),
OptCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'))] KconfigCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'))]
# CONFIG_INIT_ON_FREE_DEFAULT_ON was added in v5.3. # CONFIG_INIT_ON_FREE_DEFAULT_ON was added in v5.3.
# CONFIG_PAGE_POISONING_ZERO was removed in v5.11. # CONFIG_PAGE_POISONING_ZERO was removed in v5.11.
# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks # Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks
# the 0xAA poison pattern on allocation. # the 0xAA poison pattern on allocation.
# That brings higher performance penalty. # That brings higher performance penalty.
if arch in ('X86_64', 'ARM64', 'X86_32'): if arch in ('X86_64', 'ARM64', 'X86_32'):
stackleak_is_set = OptCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y') stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y')
l += [stackleak_is_set] l += [stackleak_is_set]
l += [OptCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')]
if arch in ('X86_64', 'X86_32'): if arch in ('X86_64', 'X86_32'):
l += [OptCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '65536')] l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '65536')]
if arch in ('ARM64', 'ARM'): if arch in ('ARM64', 'ARM'):
l += [OptCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '32768')] l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '32768')]
l += [OptCheck('self_protection', 'kspp', 'SYN_COOKIES', 'y')] # another reason? l += [KconfigCheck('self_protection', 'kspp', 'SYN_COOKIES', 'y')] # another reason?
if arch == 'ARM64': if arch == 'ARM64':
l += [OptCheck('self_protection', 'kspp', 'ARM64_SW_TTBR0_PAN', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'ARM64_SW_TTBR0_PAN', 'y')]
if arch == 'X86_32': if arch == 'X86_32':
l += [OptCheck('self_protection', 'kspp', 'PAGE_TABLE_ISOLATION', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'PAGE_TABLE_ISOLATION', 'y')]
l += [OptCheck('self_protection', 'kspp', 'HIGHMEM64G', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'HIGHMEM64G', 'y')]
l += [OptCheck('self_protection', 'kspp', 'X86_PAE', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'X86_PAE', 'y')]
# 'self_protection', 'maintainer' # 'self_protection', 'maintainer'
ubsan_bounds_is_set = OptCheck('self_protection', 'maintainer', 'UBSAN_BOUNDS', 'y') # only array index bounds checking ubsan_bounds_is_set = KconfigCheck('self_protection', 'maintainer', 'UBSAN_BOUNDS', 'y') # only array index bounds checking
l += [ubsan_bounds_is_set] # recommended by Kees Cook in /issues/53 l += [ubsan_bounds_is_set] # recommended by Kees Cook in /issues/53
l += [AND(OptCheck('self_protection', 'maintainer', 'UBSAN_SANITIZE_ALL', 'y'), l += [AND(KconfigCheck('self_protection', 'maintainer', 'UBSAN_SANITIZE_ALL', 'y'),
ubsan_bounds_is_set)] # recommended by Kees Cook in /issues/53 ubsan_bounds_is_set)] # recommended by Kees Cook in /issues/53
l += [AND(OptCheck('self_protection', 'maintainer', 'UBSAN_TRAP', 'y'), l += [AND(KconfigCheck('self_protection', 'maintainer', 'UBSAN_TRAP', 'y'),
ubsan_bounds_is_set)] # recommended by Kees Cook in /issues/53 ubsan_bounds_is_set)] # recommended by Kees Cook in /issues/53
# 'self_protection', 'clipos' # 'self_protection', 'clipos'
l += [OptCheck('self_protection', 'clipos', 'DEBUG_VIRTUAL', 'y')] l += [KconfigCheck('self_protection', 'clipos', 'DEBUG_VIRTUAL', 'y')]
l += [OptCheck('self_protection', 'clipos', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support l += [KconfigCheck('self_protection', 'clipos', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support
l += [OptCheck('self_protection', 'clipos', 'EFI_DISABLE_PCI_DMA', 'y')] l += [KconfigCheck('self_protection', 'clipos', 'EFI_DISABLE_PCI_DMA', 'y')]
l += [OptCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set')] # slab_nomerge l += [KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set')] # slab_nomerge
l += [OptCheck('self_protection', 'clipos', 'RANDOM_TRUST_BOOTLOADER', 'is not set')] l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_BOOTLOADER', 'is not set')]
l += [OptCheck('self_protection', 'clipos', 'RANDOM_TRUST_CPU', 'is not set')] l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_CPU', 'is not set')]
l += [AND(OptCheck('self_protection', 'clipos', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'), l += [AND(KconfigCheck('self_protection', 'clipos', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'),
randstruct_is_set)] randstruct_is_set)]
if arch in ('X86_64', 'ARM64', 'X86_32'): if arch in ('X86_64', 'ARM64', 'X86_32'):
l += [AND(OptCheck('self_protection', 'clipos', 'STACKLEAK_METRICS', 'is not set'), l += [AND(KconfigCheck('self_protection', 'clipos', 'STACKLEAK_METRICS', 'is not set'),
stackleak_is_set)] stackleak_is_set)]
l += [AND(OptCheck('self_protection', 'clipos', 'STACKLEAK_RUNTIME_DISABLE', 'is not set'), l += [AND(KconfigCheck('self_protection', 'clipos', 'STACKLEAK_RUNTIME_DISABLE', 'is not set'),
stackleak_is_set)] stackleak_is_set)]
if arch in ('X86_64', 'X86_32'): if arch in ('X86_64', 'X86_32'):
l += [AND(OptCheck('self_protection', 'clipos', 'INTEL_IOMMU_DEFAULT_ON', 'y'), l += [AND(KconfigCheck('self_protection', 'clipos', 'INTEL_IOMMU_DEFAULT_ON', 'y'),
iommu_support_is_set)] iommu_support_is_set)]
if arch == 'X86_64': if arch == 'X86_64':
l += [AND(OptCheck('self_protection', 'clipos', 'INTEL_IOMMU_SVM', 'y'), l += [AND(KconfigCheck('self_protection', 'clipos', 'INTEL_IOMMU_SVM', 'y'),
iommu_support_is_set)] iommu_support_is_set)]
if arch == 'X86_32': if arch == 'X86_32':
l += [AND(OptCheck('self_protection', 'clipos', 'INTEL_IOMMU', 'y'), l += [AND(KconfigCheck('self_protection', 'clipos', 'INTEL_IOMMU', 'y'),
iommu_support_is_set)] iommu_support_is_set)]
# 'self_protection', 'my' # 'self_protection', 'my'
l += [OptCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y')] # needs userspace support (systemd) l += [KconfigCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y')] # needs userspace support (systemd)
if arch == 'X86_64': if arch == 'X86_64':
l += [AND(OptCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'), l += [AND(KconfigCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'),
iommu_support_is_set)] iommu_support_is_set)]
if arch == 'ARM64': if arch == 'ARM64':
l += [OptCheck('self_protection', 'my', 'SHADOW_CALL_STACK', 'y')] # depends on clang, maybe it's alternative to STACKPROTECTOR_STRONG l += [KconfigCheck('self_protection', 'my', 'SHADOW_CALL_STACK', 'y')] # depends on clang, maybe it's alternative to STACKPROTECTOR_STRONG
l += [OptCheck('self_protection', 'my', 'KASAN_HW_TAGS', 'y')] l += [KconfigCheck('self_protection', 'my', 'KASAN_HW_TAGS', 'y')]
cfi_clang_is_set = OptCheck('self_protection', 'my', 'CFI_CLANG', 'y') cfi_clang_is_set = KconfigCheck('self_protection', 'my', 'CFI_CLANG', 'y')
l += [cfi_clang_is_set] l += [cfi_clang_is_set]
l += [AND(OptCheck('self_protection', 'my', 'CFI_PERMISSIVE', 'is not set'), l += [AND(KconfigCheck('self_protection', 'my', 'CFI_PERMISSIVE', 'is not set'),
cfi_clang_is_set)] cfi_clang_is_set)]
# 'security_policy' # 'security_policy'
if arch in ('X86_64', 'ARM64', 'X86_32'): if arch in ('X86_64', 'ARM64', 'X86_32'):
l += [OptCheck('security_policy', 'defconfig', 'SECURITY', 'y')] # and choose your favourite LSM l += [KconfigCheck('security_policy', 'defconfig', 'SECURITY', 'y')] # and choose your favourite LSM
if arch == 'ARM': if arch == 'ARM':
l += [OptCheck('security_policy', 'kspp', 'SECURITY', 'y')] # and choose your favourite LSM l += [KconfigCheck('security_policy', 'kspp', 'SECURITY', 'y')] # and choose your favourite LSM
l += [OptCheck('security_policy', 'kspp', 'SECURITY_YAMA', 'y')] l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_YAMA', 'y')]
l += [OR(OptCheck('security_policy', 'my', 'SECURITY_WRITABLE_HOOKS', 'is not set'), l += [OR(KconfigCheck('security_policy', 'my', 'SECURITY_WRITABLE_HOOKS', 'is not set'),
OptCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DISABLE', 'is not set'))] KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DISABLE', 'is not set'))]
l += [OptCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM', 'y')] l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM', 'y')]
l += [OptCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM_EARLY', 'y')] l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM_EARLY', 'y')]
l += [OptCheck('security_policy', 'clipos', 'LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y')] l += [KconfigCheck('security_policy', 'clipos', 'LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y')]
l += [OptCheck('security_policy', 'my', 'SECURITY_SAFESETID', 'y')] l += [KconfigCheck('security_policy', 'my', 'SECURITY_SAFESETID', 'y')]
loadpin_is_set = OptCheck('security_policy', 'my', 'SECURITY_LOADPIN', 'y') loadpin_is_set = KconfigCheck('security_policy', 'my', 'SECURITY_LOADPIN', 'y')
l += [loadpin_is_set] # needs userspace support l += [loadpin_is_set] # needs userspace support
l += [AND(OptCheck('security_policy', 'my', 'SECURITY_LOADPIN_ENFORCE', 'y'), l += [AND(KconfigCheck('security_policy', 'my', 'SECURITY_LOADPIN_ENFORCE', 'y'),
loadpin_is_set)] loadpin_is_set)]
# 'cut_attack_surface', 'defconfig' # 'cut_attack_surface', 'defconfig'
l += [OptCheck('cut_attack_surface', 'defconfig', 'SECCOMP', 'y')] l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP', 'y')]
l += [OptCheck('cut_attack_surface', 'defconfig', 'SECCOMP_FILTER', 'y')] l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP_FILTER', 'y')]
if arch in ('X86_64', 'ARM64', 'X86_32'): if arch in ('X86_64', 'ARM64', 'X86_32'):
l += [OR(OptCheck('cut_attack_surface', 'defconfig', 'STRICT_DEVMEM', 'y'), l += [OR(KconfigCheck('cut_attack_surface', 'defconfig', 'STRICT_DEVMEM', 'y'),
devmem_not_set)] # refers to LOCKDOWN devmem_not_set)] # refers to LOCKDOWN
# 'cut_attack_surface', 'kspp' # 'cut_attack_surface', 'kspp'
l += [OptCheck('cut_attack_surface', 'kspp', 'ACPI_CUSTOM_METHOD', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'kspp', 'ACPI_CUSTOM_METHOD', 'is not set')] # refers to LOCKDOWN
l += [OptCheck('cut_attack_surface', 'kspp', 'COMPAT_BRK', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_BRK', 'is not set')]
l += [OptCheck('cut_attack_surface', 'kspp', 'DEVKMEM', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'kspp', 'DEVKMEM', 'is not set')] # refers to LOCKDOWN
l += [OptCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set')]
l += [OptCheck('cut_attack_surface', 'kspp', 'BINFMT_MISC', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'kspp', 'BINFMT_MISC', 'is not set')]
l += [OptCheck('cut_attack_surface', 'kspp', 'INET_DIAG', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'kspp', 'INET_DIAG', 'is not set')]
l += [OptCheck('cut_attack_surface', 'kspp', 'KEXEC', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'kspp', 'KEXEC', 'is not set')] # refers to LOCKDOWN
l += [OptCheck('cut_attack_surface', 'kspp', 'PROC_KCORE', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'kspp', 'PROC_KCORE', 'is not set')] # refers to LOCKDOWN
l += [OptCheck('cut_attack_surface', 'kspp', 'LEGACY_PTYS', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_PTYS', 'is not set')]
l += [OptCheck('cut_attack_surface', 'kspp', 'HIBERNATION', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'kspp', 'HIBERNATION', 'is not set')] # refers to LOCKDOWN
l += [OptCheck('cut_attack_surface', 'kspp', 'IA32_EMULATION', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'kspp', 'IA32_EMULATION', 'is not set')]
l += [OptCheck('cut_attack_surface', 'kspp', 'X86_X32', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'kspp', 'X86_X32', 'is not set')]
l += [OptCheck('cut_attack_surface', 'kspp', 'MODIFY_LDT_SYSCALL', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'kspp', 'MODIFY_LDT_SYSCALL', 'is not set')]
l += [OptCheck('cut_attack_surface', 'kspp', 'OABI_COMPAT', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'kspp', 'OABI_COMPAT', 'is not set')]
l += [modules_not_set] l += [modules_not_set]
l += [devmem_not_set] l += [devmem_not_set]
l += [OR(OptCheck('cut_attack_surface', 'kspp', 'IO_STRICT_DEVMEM', 'y'), l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'IO_STRICT_DEVMEM', 'y'),
devmem_not_set)] # refers to LOCKDOWN devmem_not_set)] # refers to LOCKDOWN
if arch == 'ARM': if arch == 'ARM':
l += [OR(OptCheck('cut_attack_surface', 'kspp', 'STRICT_DEVMEM', 'y'), l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'STRICT_DEVMEM', 'y'),
devmem_not_set)] # refers to LOCKDOWN devmem_not_set)] # refers to LOCKDOWN
if arch == 'X86_64': if arch == 'X86_64':
l += [OptCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y')] # 'vsyscall=none' l += [KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y')] # 'vsyscall=none'
# 'cut_attack_surface', 'grsecurity' # 'cut_attack_surface', 'grsecurity'
l += [OptCheck('cut_attack_surface', 'grsecurity', 'ZSMALLOC_STAT', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'ZSMALLOC_STAT', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'PAGE_OWNER', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'PAGE_OWNER', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'DEBUG_KMEMLEAK', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'DEBUG_KMEMLEAK', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'BINFMT_AOUT', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'BINFMT_AOUT', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'KPROBE_EVENTS', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'KPROBE_EVENTS', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'UPROBE_EVENTS', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'UPROBE_EVENTS', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'GENERIC_TRACER', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'GENERIC_TRACER', 'is not set')] # refers to LOCKDOWN
l += [OptCheck('cut_attack_surface', 'grsecurity', 'FUNCTION_TRACER', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'FUNCTION_TRACER', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'STACK_TRACER', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'STACK_TRACER', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'HIST_TRIGGERS', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'HIST_TRIGGERS', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'BLK_DEV_IO_TRACE', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'BLK_DEV_IO_TRACE', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'PROC_VMCORE', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'PROC_VMCORE', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'PROC_PAGE_MONITOR', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'PROC_PAGE_MONITOR', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'USELIB', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'USELIB', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'CHECKPOINT_RESTORE', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'CHECKPOINT_RESTORE', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'USERFAULTFD', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'USERFAULTFD', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'HWPOISON_INJECT', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'HWPOISON_INJECT', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'MEM_SOFT_DIRTY', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'MEM_SOFT_DIRTY', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'DEVPORT', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'DEVPORT', 'is not set')] # refers to LOCKDOWN
l += [OptCheck('cut_attack_surface', 'grsecurity', 'DEBUG_FS', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'DEBUG_FS', 'is not set')] # refers to LOCKDOWN
l += [OptCheck('cut_attack_surface', 'grsecurity', 'NOTIFIER_ERROR_INJECTION', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'NOTIFIER_ERROR_INJECTION', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'FAIL_FUTEX', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'FAIL_FUTEX', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'PUNIT_ATOM_DEBUG', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'PUNIT_ATOM_DEBUG', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'ACPI_CONFIGFS', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'ACPI_CONFIGFS', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'EDAC_DEBUG', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'EDAC_DEBUG', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'DRM_I915_DEBUG', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'DRM_I915_DEBUG', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'BCACHE_CLOSURES_DEBUG', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'BCACHE_CLOSURES_DEBUG', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'DVB_C8SECTPFE', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'DVB_C8SECTPFE', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'MTD_SLRAM', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'MTD_SLRAM', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'MTD_PHRAM', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'MTD_PHRAM', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'IO_URING', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'IO_URING', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'KCMP', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'KCMP', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'RSEQ', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'RSEQ', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'LATENCYTOP', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'LATENCYTOP', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'KCOV', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'KCOV', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'PROVIDE_OHCI1394_DMA_INIT', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'PROVIDE_OHCI1394_DMA_INIT', 'is not set')]
l += [OptCheck('cut_attack_surface', 'grsecurity', 'SUNRPC_DEBUG', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grsecurity', 'SUNRPC_DEBUG', 'is not set')]
l += [AND(OptCheck('cut_attack_surface', 'grsecurity', 'PTDUMP_DEBUGFS', 'is not set'), l += [AND(KconfigCheck('cut_attack_surface', 'grsecurity', 'PTDUMP_DEBUGFS', 'is not set'),
OptCheck('cut_attack_surface', 'grsecurity', 'X86_PTDUMP', 'is not set'))] KconfigCheck('cut_attack_surface', 'grsecurity', 'X86_PTDUMP', 'is not set'))]
# 'cut_attack_surface', 'maintainer' # 'cut_attack_surface', 'maintainer'
l += [OptCheck('cut_attack_surface', 'maintainer', 'DRM_LEGACY', 'is not set')] # recommended by Daniel Vetter in /issues/38 l += [KconfigCheck('cut_attack_surface', 'maintainer', 'DRM_LEGACY', 'is not set')] # recommended by Daniel Vetter in /issues/38
l += [OptCheck('cut_attack_surface', 'maintainer', 'FB', 'is not set')] # recommended by Daniel Vetter in /issues/38 l += [KconfigCheck('cut_attack_surface', 'maintainer', 'FB', 'is not set')] # recommended by Daniel Vetter in /issues/38
l += [OptCheck('cut_attack_surface', 'maintainer', 'VT', 'is not set')] # recommended by Daniel Vetter in /issues/38 l += [KconfigCheck('cut_attack_surface', 'maintainer', 'VT', 'is not set')] # recommended by Daniel Vetter in /issues/38
l += [OptCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD', 'is not set')] # recommended by Denis Efremov in /pull/54 l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD', 'is not set')] # recommended by Denis Efremov in /pull/54
# 'cut_attack_surface', 'grapheneos' # 'cut_attack_surface', 'grapheneos'
l += [OptCheck('cut_attack_surface', 'grapheneos', 'AIO', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'grapheneos', 'AIO', 'is not set')]
# 'cut_attack_surface', 'clipos' # 'cut_attack_surface', 'clipos'
l += [OptCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set')]
l += [OptCheck('cut_attack_surface', 'clipos', 'KSM', 'is not set')] # to prevent FLUSH+RELOAD attack l += [KconfigCheck('cut_attack_surface', 'clipos', 'KSM', 'is not set')] # to prevent FLUSH+RELOAD attack
# l += [OptCheck('cut_attack_surface', 'clipos', 'IKCONFIG', 'is not set')] # no, IKCONFIG is needed for this check :) # l += [KconfigCheck('cut_attack_surface', 'clipos', 'IKCONFIG', 'is not set')] # no, IKCONFIG is needed for this check :)
l += [OptCheck('cut_attack_surface', 'clipos', 'KALLSYMS', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'clipos', 'KALLSYMS', 'is not set')]
l += [OptCheck('cut_attack_surface', 'clipos', 'X86_VSYSCALL_EMULATION', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_VSYSCALL_EMULATION', 'is not set')]
l += [OptCheck('cut_attack_surface', 'clipos', 'MAGIC_SYSRQ', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'clipos', 'MAGIC_SYSRQ', 'is not set')]
l += [OptCheck('cut_attack_surface', 'clipos', 'KEXEC_FILE', 'is not set')] # refers to LOCKDOWN (permissive) l += [KconfigCheck('cut_attack_surface', 'clipos', 'KEXEC_FILE', 'is not set')] # refers to LOCKDOWN (permissive)
l += [OptCheck('cut_attack_surface', 'clipos', 'USER_NS', 'is not set')] # user.max_user_namespaces=0 l += [KconfigCheck('cut_attack_surface', 'clipos', 'USER_NS', 'is not set')] # user.max_user_namespaces=0
l += [OptCheck('cut_attack_surface', 'clipos', 'X86_MSR', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_MSR', 'is not set')] # refers to LOCKDOWN
l += [OptCheck('cut_attack_surface', 'clipos', 'X86_CPUID', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_CPUID', 'is not set')]
l += [OptCheck('cut_attack_surface', 'clipos', 'X86_IOPL_IOPERM', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_IOPL_IOPERM', 'is not set')] # refers to LOCKDOWN
l += [OptCheck('cut_attack_surface', 'clipos', 'ACPI_TABLE_UPGRADE', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'clipos', 'ACPI_TABLE_UPGRADE', 'is not set')] # refers to LOCKDOWN
l += [OptCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')]
l += [AND(OptCheck('cut_attack_surface', 'clipos', 'LDISC_AUTOLOAD', 'is not set'), l += [AND(KconfigCheck('cut_attack_surface', 'clipos', 'LDISC_AUTOLOAD', 'is not set'),
PresenceCheck('LDISC_AUTOLOAD'))] PresenceCheck('LDISC_AUTOLOAD'))]
if arch in ('X86_64', 'X86_32'): if arch in ('X86_64', 'X86_32'):
l += [OptCheck('cut_attack_surface', 'clipos', 'X86_INTEL_TSX_MODE_OFF', 'y')] # tsx=off l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_INTEL_TSX_MODE_OFF', 'y')] # tsx=off
# 'cut_attack_surface', 'lockdown' # 'cut_attack_surface', 'lockdown'
l += [OptCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')] # refers to LOCKDOWN
l += [OptCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set')] # refers to LOCKDOWN
l += [OptCheck('cut_attack_surface', 'lockdown', 'MMIOTRACE_TEST', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'lockdown', 'MMIOTRACE_TEST', 'is not set')] # refers to LOCKDOWN
l += [OptCheck('cut_attack_surface', 'lockdown', 'KPROBES', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'lockdown', 'KPROBES', 'is not set')] # refers to LOCKDOWN
# 'cut_attack_surface', 'my' # 'cut_attack_surface', 'my'
l += [OR(OptCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'), l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'),
modules_not_set)] modules_not_set)]
l += [OptCheck('cut_attack_surface', 'my', 'MMIOTRACE', 'is not set')] # refers to LOCKDOWN (permissive) l += [KconfigCheck('cut_attack_surface', 'my', 'MMIOTRACE', 'is not set')] # refers to LOCKDOWN (permissive)
l += [OptCheck('cut_attack_surface', 'my', 'LIVEPATCH', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'my', 'LIVEPATCH', 'is not set')]
l += [OptCheck('cut_attack_surface', 'my', 'IP_DCCP', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'my', 'IP_DCCP', 'is not set')]
l += [OptCheck('cut_attack_surface', 'my', 'IP_SCTP', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'my', 'IP_SCTP', 'is not set')]
l += [OptCheck('cut_attack_surface', 'my', 'FTRACE', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'my', 'FTRACE', 'is not set')] # refers to LOCKDOWN
l += [OptCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')]
l += [OptCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger l += [KconfigCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger
# 'userspace_hardening' # 'userspace_hardening'
if arch in ('X86_64', 'ARM64', 'X86_32'): if arch in ('X86_64', 'ARM64', 'X86_32'):
l += [OptCheck('userspace_hardening', 'defconfig', 'INTEGRITY', 'y')] l += [KconfigCheck('userspace_hardening', 'defconfig', 'INTEGRITY', 'y')]
if arch == 'ARM': if arch == 'ARM':
l += [OptCheck('userspace_hardening', 'my', 'INTEGRITY', 'y')] l += [KconfigCheck('userspace_hardening', 'my', 'INTEGRITY', 'y')]
if arch == 'ARM64': if arch == 'ARM64':
l += [OptCheck('userspace_hardening', 'defconfig', 'ARM64_MTE', 'y')] l += [KconfigCheck('userspace_hardening', 'defconfig', 'ARM64_MTE', 'y')]
if arch in ('ARM', 'X86_32'): if arch in ('ARM', 'X86_32'):
l += [OptCheck('userspace_hardening', 'defconfig', 'VMSPLIT_3G', 'y')] l += [KconfigCheck('userspace_hardening', 'defconfig', 'VMSPLIT_3G', 'y')]
if arch in ('X86_64', 'ARM64'): if arch in ('X86_64', 'ARM64'):
l += [OptCheck('userspace_hardening', 'clipos', 'ARCH_MMAP_RND_BITS', '32')] l += [KconfigCheck('userspace_hardening', 'clipos', 'ARCH_MMAP_RND_BITS', '32')]
if arch in ('X86_32', 'ARM'): if arch in ('X86_32', 'ARM'):
l += [OptCheck('userspace_hardening', 'my', 'ARCH_MMAP_RND_BITS', '16')] l += [KconfigCheck('userspace_hardening', 'my', 'ARCH_MMAP_RND_BITS', '16')]
# l += [OptCheck('feature_test', 'my', 'LKDTM', 'm')] # only for debugging! # l += [KconfigCheck('feature_test', 'my', 'LKDTM', 'm')] # only for debugging!
def print_unknown_options(checklist, parsed_options): def print_unknown_options(checklist, parsed_options):
...@@ -628,7 +630,7 @@ def print_checklist(mode, checklist, with_results): ...@@ -628,7 +630,7 @@ def print_checklist(mode, checklist, with_results):
if with_results: if with_results:
sep_line_len += 30 sep_line_len += 30
print('=' * sep_line_len) print('=' * sep_line_len)
print('{:^45}|{:^13}|{:^10}|{:^20}'.format('option name', 'desired val', 'decision', 'reason'), end='') print('{:^45}|{:^13}|{:^10}|{:^20}'.format('kconfig option name', 'desired val', 'decision', 'reason'), end='')
if with_results: if with_results:
print('| {}'.format('check result'), end='') print('| {}'.format('check result'), end='')
print() print()
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment