Update the README

Refers to #67.

Update the README
Refers to #67.
eec17478 · Alexander Popov · c6db991b · eec17478
Commit eec17478 authored Jun 12, 2023 by Alexander Popov
Hide whitespace changes
Inline Side-by-side

Showing with 27 additions and 15 deletions

README.md README.md +27 -15

No files found.
--- a/README.md
+++ b/README.md
@@ -63,24 +63,28 @@ Some Linux distributions also provide `kconfig-hardened-check` as a package.

 ## Usage
 ```
-usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}] [-c CONFIG]
-                              [-l CMDLINE] [-m {verbose,json,show_ok,show_fail}]
+usage: kconfig-hardened-check [-h] [--version] [-m {verbose,json,show_ok,show_fail}]
+                              [-c CONFIG] [-l CMDLINE] [-p {X86_64,X86_32,ARM64,ARM}]
+                              [-g {X86_64,X86_32,ARM64,ARM}]

 A tool for checking the security hardening options of the Linux kernel

 options:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
-  -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
-                        print the security hardening recommendations for the selected
-                        microarchitecture
+  -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}
+                        choose the report mode
  -c CONFIG, --config CONFIG
-                        check the security hardening options in the kernel kconfig file (also
-                        supports *.gz files)
+                        check the security hardening options in the kernel Kconfig file
+                        (also supports *.gz files)
  -l CMDLINE, --cmdline CMDLINE
                        check the security hardening options in the kernel cmdline file
-  -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}
-                        choose the report mode
+  -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
+                        print the security hardening recommendations for the selected
+                        microarchitecture
+  -g {X86_64,X86_32,ARM64,ARM}, --generate {X86_64,X86_32,ARM64,ARM}
+                        generate a Kconfig fragment with the security hardening options for
+                        the selected microarchitecture
 ```

 ## Output modes
@@ -338,14 +342,22 @@ sysrq_always_enabled                    |cmdline| is not set |    my    |cut_att
 [+] Config check is finished: 'OK' - 122 / 'FAIL' - 101
 ```

-## kconfig-hardened-check versioning
-
-I usually update the kernel security hardening recommendations every few kernel releases.
+## Generating a Kconfig fragment with the security hardening options

-So the version of `kconfig-hardened-check` is associated with the corresponding version of the kernel.
-
-The version format is: __[major_number].[kernel_version].[kernel_patchlevel]__
+With the `-g` argument the tool generates a Kconfig fragment with the security hardening options for the selected microarchitecture.

+This Kconfig fragment can be merged with the existing Linux kernel config:
+```
+$ ./bin/kconfig-hardened-check -g X86_64 > /tmp/fragment
+$ cd ~/linux-src/
+$ ./scripts/kconfig/merge_config.sh .config /tmp/fragment
+Using .config as base
+Merging /tmp/fragment
+Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment /tmp/fragment:
+Previous value: # CONFIG_BUG_ON_DATA_CORRUPTION is not set
+New value: CONFIG_BUG_ON_DATA_CORRUPTION=y
+ ...
+```

 ## Questions and answers