- 12 Jul, 2023 1 commit
-
-
Alexander Popov authored
-
- 08 Jul, 2023 2 commits
-
-
Refers to #65
Alexander Popov authored -
Refers to #65
Alexander Popov authored
-
- 04 Jul, 2023 1 commit
-
-
The XFS V4 format is deprecated: https://elixir.bootlin.com/linux/v6.3.11/source/fs/xfs/Kconfig#L25
Quote:
  The V4 filesystem format lacks certain features that are supported by the V5 format, such as metadata checksumming, strengthened metadata verification, and the ability to store timestamps past the year 2038. Because of this, the V4 format is deprecated. All users should upgrade by backing up their files, reformatting, and restoring from the backup...
  To close off an attack surface, say N.
Alexander Popov authored
-
- 02 Jul, 2023 1 commit
-
-
The Kconfig fragment should describe the microarchitecture to avoid mistakes.
Alexander Popov authored
-
- 25 Jun, 2023 2 commits
-
-
Alexander Popov authored
-
I tested CONFIG_CMDLINE and CONFIG_BOOT_CONFIG mechanisms. They allow passing additional boot parameters for the Linux kernel. I see that all boot parameters are collected in /proc/cmdline. So /proc/cmdline is the only information source that we should check to analyze the Linux kernel boot parameters.
Alexander Popov authored
-
- 18 Jun, 2023 4 commits
-
-
Use 'license_files' instead.
Alexander Popov authored -
This automatic discovery doesn't fit the flat layout of my package (without the "src" directory). Instead, let's specify the "packages" explicitly in setup.cfg.
Alexander Popov authored -
The warning:
  ############################
  # Package would be ignored #
  ############################
  Python recognizes 'kconfig_hardened_check.config_files.distros' as an importable package, but it is not listed in the `packages` configuration of setuptools.
  'kconfig_hardened_check.config_files.distros' has been automatically added to the distribution only because it may contain data files, but this behavior is likely to change in future versions of setuptools (and therefore is considered deprecated).
  Please make sure that 'kconfig_hardened_check.config_files.distros' is included as a package by using the `packages` configuration field or the proper discovery methods (for example by using `find_namespace_packages(...)`/`find_namespace:` instead of `find_packages(...)`/`find:`).
So let's use "find_namespace:" for package directory to include the package data.
More info in the documentation: https://setuptools.pypa.io/en/latest/userguide/package_discovery.html#finding-namespace-packages
Alexander Popov authored -
More info in the documentation: https://setuptools.pypa.io/en/latest/deprecated/zip_safe.html And fix style by the way.
Alexander Popov authored
-
- 17 Jun, 2023 2 commits
-
-
Refers to #65
Alexander Popov authored -
Alexander Popov authored
-
- 12 Jun, 2023 11 commits
-
-
Alexander Popov authored
-
Refers to #67.
Alexander Popov authored -
Refers to #67.
Alexander Popov authored -
With this argument the tool generates a Kconfig fragment with the security hardening options for the selected microarchitecture. Refers to #67.
This Kconfig fragment can be merged with the existing Linux kernel config:
  $ ./bin/kconfig-hardened-check -g X86_64 > /tmp/fragment
  $ cd ~/linux-src/
  $ ./scripts/kconfig/merge_config.sh .config /tmp/fragment
  Using .config as base
  Merging /tmp/fragment
  Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment /tmp/fragment:
  Previous value: # CONFIG_BUG_ON_DATA_CORRUPTION is not set
  New value: CONFIG_BUG_ON_DATA_CORRUPTION=y
  ...
Alexander Popov authored -
Alexander Popov authored
-
Alexander Popov authored
-
See vdso32_setup() in arch/x86/entry/vdso/vdso32-setup.c
Alexander Popov authored -
See vsyscall_setup() in arch/x86/entry/vsyscall/vsyscall_64.c
Alexander Popov authored -
See iommu_setup() in arch/x86/kernel/pci-dma.c
Alexander Popov authored -
See setup_slub_debug() in mm/slub.c
Alexander Popov authored -
Alexander Popov authored
-
- 05 Jun, 2023 2 commits
-
-
Also fix the rodata check (change '1' to 'on'). See set_debug_rodata() in init/main.c.
Alexander Popov authored -
See parse_spectre_v4_param() in arch/arm64/kernel/proton-pack.c
Alexander Popov authored
-
- 28 May, 2023 3 commits
-
-
Alexander Popov authored
-
Now it's enabled by default for X86_64.
Alexander Popov authored -
Alexander Popov authored
-
- 27 May, 2023 2 commits
-
-
Alexander Popov authored
-
Alexander Popov authored
-
- 09 May, 2023 1 commit
-
-
Alexander Popov authored
-
- 08 May, 2023 4 commits
-
-
Now functional_test.sh is a common script used both in GitHub Actions and Woodpecker-CI. And also test the forgotten .gz kernel config.
Alexander Popov authored -
Alexander Popov authored
-
Alexander Popov authored
-
Alexander Popov authored
-
- 07 May, 2023 3 commits
-
-
Alexander Popov authored
-
Alexander Popov authored
-
Alexander Popov authored
-
- 01 May, 2023 1 commit
-
-
We need to check them because these kernel cmdline parameters can override the COMPAT_VDSO kconfig option.
Alexander Popov authored
-