Commits · 25cb2389d0d47892e472f7b66c39597ddf41a278 · fact-depend / kernel-hardening-checker · GitLab

19 Jun, 2021 12 commits
- Remember that SHADOW_CALL_STACK depends on clang · 25cb2389
  Alexander Popov authored Jun 19, 2021
  
  25cb2389 Browse Files
- STACKPROTECTOR_PER_TASK is also available for ARM64 · 31767839
  Alexander Popov authored Jun 19, 2021
  
  31767839 Browse Files
- INTEL_IOMMU_SVM is available only for X86_64 · f8b12633
  Alexander Popov authored Jun 19, 2021
  
  f8b12633 Browse Files
- Reorder arch checks · 3b2a9440
  Alexander Popov authored Jun 19, 2021
  
  3b2a9440 Browse Files
- SECURITY_DMESG_RESTRICT is recommended by KSPP now · d1a8bb6a
  Alexander Popov authored Jun 19, 2021
  
  d1a8bb6a Browse Files
- Think about kptr_restrict later (KSPP recommends to set it to 1) · a486a640
  Alexander Popov authored Jun 19, 2021
  
  a486a640 Browse Files
- Mention that nosmt is slow · 361e571e
  Alexander Popov authored Jun 19, 2021
  
  361e571e Browse Files
- More info on init_on_free and init_on_alloc · 495d4374
  Alexander Popov authored Jun 19, 2021
  
  495d4374 Browse Files
- SLUB_DEBUG_ON is very slow, leave it for the kernel command line · 4c4f2527
  Alexander Popov authored Jun 19, 2021
  
  4c4f2527 Browse Files
- Update KSPP recommendations · 29de5cc2
  Alexander Popov authored Jun 19, 2021
  
  29de5cc2 Browse Files
- Add defconfigs for v5.10 · fb4d95bd
```
Made with updated https://github.com/a13xp0p0v/kernel-build-containers

Excellent!
```
  Alexander Popov authored Jun 19, 2021
  fb4d95bd Browse Files
- HARDEN_BRANCH_PREDICTOR for ARM64 is enabled by default since v5.10 · 12d6535d
  Alexander Popov authored Jun 19, 2021
  
  12d6535d Browse Files
18 Jun, 2021 3 commits
- Add ARM64_MTE for userspace · 2bc87b84
  Alexander Popov authored Jun 19, 2021
  
  2bc87b84 Browse Files
- Maybe SHADOW_CALL_STACK should be alternative to STACKPROTECTOR_STRONG · 029bd7f4
  Alexander Popov authored Jun 19, 2021
  
  029bd7f4 Browse Files
- Save 'debugfs=no-mount' for future · ff5a84ba
  Alexander Popov authored Jun 18, 2021
  
  ff5a84ba Browse Files
30 Oct, 2020 2 commits
- Update the README. · 2f8e7a4d
```
Ready for the release 0.5.9.
```
  Alexander Popov authored Oct 30, 2020
  2f8e7a4d Browse Files
- Fix indentation (thanks to pylint) · fbaf5df4
  Alexander Popov authored Oct 30, 2020
  
  fbaf5df4 Browse Files
29 Oct, 2020 1 commit
- Add a Q&A about spectre-meltdown-checker maintained by @speed47 · 6cf7b9be
  Alexander Popov authored Oct 29, 2020
  
  6cf7b9be Browse Files
23 Oct, 2020 2 commits
- INIT_STACK_ALL -> INIT_STACK_ALL_ZERO (was renamed) · 0a728e14
  Alexander Popov authored Oct 23, 2020
  
  0a728e14 Browse Files
- Add SHADOW_CALL_STACK for ARM64 · 29700a52
  Alexander Popov authored Oct 23, 2020
  
  29700a52 Browse Files
22 Oct, 2020 7 commits
- Add the recommendation about TRIM_UNUSED_KSYMS · 1ce2fdcf
  Alexander Popov authored Oct 22, 2020
  
  1ce2fdcf Browse Files
- Add ARM64_BTI_KERNEL · f9438fcc
  Alexander Popov authored Oct 22, 2020
  
  f9438fcc Browse Files
- Add the recommendation about UBSAN_BOUNDS · e1652891
```
Enable UBSAN_BOUNDS and UBSAN_TRAP.
But keep UBSAN_MISC disabled to avoid useless reports.
```
  Alexander Popov authored Oct 22, 2020
  e1652891 Browse Files
- PAGE_POISONING -> PAGE_POISONING_ZERO · 4dcb0cdd
```
In fact, KSPP recommends PAGE_POISONING_ZERO.
```
  Alexander Popov authored Oct 22, 2020
  4dcb0cdd Browse Files
- Improve AND check reports · 1a789f4b
  Alexander Popov authored Oct 22, 2020
  
  1a789f4b Browse Files
- Improve HARDEN_EL2_VECTORS check · 45bb1e8f
```
In fact HARDEN_EL2_VECTORS was included in RANDOMIZE_BASE in v5.9.
Use new nested ComplexOptChecks for this rule.

Refers to #48.
```
  Alexander Popov authored Oct 22, 2020
  45bb1e8f Browse Files
- Merge remote-tracking branch 'pgils/el2_vectors' · 4e739dbf
```
Thanks, @pgils.

Refers to #48.
```
  Alexander Popov authored Oct 22, 2020
  4e739dbf Browse Files
21 Oct, 2020 1 commit
- Add nested ComplexOptChecks support · cbd83d73
```
Now we can do things like OR(opt1, AND(opt2, opt3)).
Cool!

Refers to #48
```
  Alexander Popov authored Oct 21, 2020
  cbd83d73 Browse Files
19 Oct, 2020 1 commit
- Do not check CONFIG_HARDEN_EL2_VECTORS for v5.9+ · 4425d8b2
  Pelle van Gils authored Oct 19, 2020
  
  4425d8b2 Browse Files
16 Oct, 2020 4 commits
- Add TODO about SLUB_DEBUG_ON · 150c5ae7
  Alexander Popov authored Oct 16, 2020
  
  150c5ae7 Browse Files
- Add CLIP OS recommendation about EFI_CUSTOM_SSDT_OVERLAYS · 103bbe92
  Alexander Popov authored Oct 16, 2020
  
  103bbe92 Browse Files
- Disabling ACPI_TABLE_UPGRADE is now recommended by CLIP OS · 44de4353
  Alexander Popov authored Oct 16, 2020
  
  44de4353 Browse Files
- Withdraw my recommendation about BPF_JIT · 4c7a125e
```
CLIP OS wiki and Kees say that BPF interpreter is worse for the kernel
security than BPF_JIT.

So for now I withdraw my recommendation about BPF_JIT.

N.B. LOCKDOWN disables BPF_SYSCALL, but not BPF_JIT.
```
  Alexander Popov authored Oct 16, 2020
  4c7a125e Browse Files
14 Oct, 2020 2 commits
- Use cross compiler to build defconfigs · f1903be8
  Alexander Popov authored Oct 14, 2020
  
  f1903be8 Browse Files
- Add defconfigs for Linux kernel v5.9 · 516e431d
  Alexander Popov authored Oct 14, 2020
  
  516e431d Browse Files
15 Jul, 2020 5 commits
- Update the README · c2b6141f
```
Ready for release 0.5.7
```
  Alexander Popov authored Jul 16, 2020
  c2b6141f Browse Files
- Fix relevant pylint warnings · 75143ce1
  Alexander Popov authored Jul 16, 2020
  
  75143ce1 Browse Files
- Fix 'decision' priority order ('lockdown' vs 'clipos' vs 'grapheneos') · 3974da72
  Alexander Popov authored Jul 15, 2020
  
  3974da72 Browse Files
- Add CLIP OS recommendations about CONFIG_IO_URING and CONFIG_X86_IOPL_IOPERM · 4abb7881
```
CONFIG_X86_IOPL_IOPERM is also disabled by kernel lockdown
```
  Alexander Popov authored Jul 15, 2020
  4abb7881 Browse Files
- Add CONFIG_EFI_DISABLE_PCI_DMA recommended by CLIP OS · 43994ab7
  Alexander Popov authored Jul 15, 2020
  
  43994ab7 Browse Files