Commits · eec17478288683baa6f3b54ccf5862414f767e18 · fact-depend / kernel-hardening-checker

12 Jun, 2023 9 commits
- Update the README · eec17478
```
Refers to #67.
```
  Alexander Popov authored Jun 12, 2023
  eec17478 Browse Files
- Add a new feature --generate · c6db991b
```
With this argument the tool generates a Kconfig fragment with the security
hardening options for the selected microarchitecture.

Refers to #67.

This Kconfig fragment can be merged with the existing Linux kernel config:

$ ./bin/kconfig-hardened-check -g X86_64 > /tmp/fragment
$ cd ~/linux-src/
$ ./scripts/kconfig/merge_config.sh .config /tmp/fragment
Using .config as base
Merging /tmp/fragment
Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment /tmp/fragment:
Previous value: # CONFIG_BUG_ON_DATA_CORRUPTION is not set
New value: CONFIG_BUG_ON_DATA_CORRUPTION=y
...
```
  Alexander Popov authored Jun 12, 2023
  c6db991b Browse Files
- Refactoring of the argument parsing · 0cc764f5
  Alexander Popov authored Jun 12, 2023
  
  0cc764f5 Browse Files
- Improve the comments and README (part II) · db71a9e2
  Alexander Popov authored Jun 12, 2023
  
  db71a9e2 Browse Files
- Skip normalize_cmdline_options() for the vdso32 and vdso cmdline parameters · 82a4ee73
```
See vdso32_setup() in arch/x86/entry/vdso/vdso32-setup.c
```
  Alexander Popov authored Jun 12, 2023
  82a4ee73 Browse Files
- Skip normalize_cmdline_options() for the vsyscall cmdline parameter · 7e8aa925
```
See vsyscall_setup() in arch/x86/entry/vsyscall/vsyscall_64.c
```
  Alexander Popov authored Jun 12, 2023
  7e8aa925 Browse Files
- Skip normalize_cmdline_options() for the iommu cmdline parameter · d85b4a58
```
See iommu_setup() in arch/x86/kernel/pci-dma.c
```
  Alexander Popov authored Jun 12, 2023
  d85b4a58 Browse Files
- Skip normalize_cmdline_options() for the slub_debug cmdline parameter · 18915d53
```
See setup_slub_debug() in mm/slub.c
```
  Alexander Popov authored Jun 12, 2023
  18915d53 Browse Files
- Improve the comments and README · d6caae53
  Alexander Popov authored Jun 12, 2023
  
  d6caae53 Browse Files
05 Jun, 2023 2 commits
- Skip normalize_cmdline_options() for the rodata cmdline parameter · 4dd0d2f9
```
Also fix the rodata check (change '1' to 'on').

See set_debug_rodata() in init/main.c.
```
  Alexander Popov authored Jun 05, 2023
  4dd0d2f9 Browse Files
- Skip normalize_cmdline_options() for the ssbd cmdline parameter · 8c565d5f
```
See parse_spectre_v4_param() in arch/arm64/kernel/proton-pack.c
```
  Alexander Popov authored Jun 05, 2023
  8c565d5f Browse Files
28 May, 2023 3 commits
- Add a comment about cfi boot parameter · 9653013a
  Alexander Popov authored May 29, 2023
  
  9653013a Browse Files
- Add the X86_KERNEL_IBT check · 2588752f
```
Now it's enabled by default for X86_64.
```
  Alexander Popov authored May 29, 2023
  2588752f Browse Files
- Add a comment about `kernel.oops_limit` and `kernel.warn_limit` sysctls · eea34881
  Alexander Popov authored May 29, 2023
  
  eea34881 Browse Files
27 May, 2023 2 commits
- Add a comment about `kernel.unprivileged_userns_clone` sysctl in Debian · 4d5de996
  Alexander Popov authored May 27, 2023
  
  4d5de996 Browse Files
- Add the comments about HARDENED_USERCOPY features · 5d9e4f83
  Alexander Popov authored May 27, 2023
  
  5d9e4f83 Browse Files
09 May, 2023 1 commit
- Fix CI output style and move `pip install coverage` to the proper place · fb93b0f1
  Alexander Popov authored May 10, 2023
  
  fb93b0f1 Browse Files
08 May, 2023 4 commits
- Use .github/workflows/functional_test.sh in GitHub Actions (like in Woodpecker-CI) · afbe887c
```
Now functional_test.sh is a common script used both in GitHub Actions
and Woodpecker-CI.

And also test the forgotten .gz kernel config.
```
  Alexander Popov authored May 08, 2023
  afbe887c Browse Files
- Run the functional tests and collect the coverage in Woodpecker-CI · 2136dcfa
  Alexander Popov authored May 08, 2023
  
  2136dcfa Browse Files
- Check all configs with the installed tool the functional test in Woodpecker-CI · b266de5d
  Alexander Popov authored May 08, 2023
  
  b266de5d Browse Files
- Test the package installation in the functional test in Woodpecker-CI · 4a4ec3aa
  Alexander Popov authored May 08, 2023
  
  4a4ec3aa Browse Files
07 May, 2023 3 commits
- Run the engine unit-test in Woodpecker-CI · b9f7cd4b
  Alexander Popov authored May 08, 2023
  
  b9f7cd4b Browse Files
- Create multiple pipelines for Woodpecker-CI at Codeberg · 74f975ac
  Alexander Popov authored May 07, 2023
  
  74f975ac Browse Files
- Create a configuration template for Codeberg CI (.woodpecker.yml) · 51cdffd5
  Alexander Popov authored May 07, 2023
  
  51cdffd5 Browse Files
01 May, 2023 1 commit
- Add the checks for vdso32 and vdso on X86_64 and X86_32 · f45c60b6
```
We need to check them because these kernel cmdline parameters can
override the COMPAT_VDSO kconfig option.
```
  Alexander Popov authored May 01, 2023
  f45c60b6 Browse Files
30 Apr, 2023 3 commits

Improve the COMPAT_VDSO check · 22728555

CONFIG_COMPAT_VDSO disabled ASLR of vDSO only on X86_64 and X86_32.
On ARM64 this option has different meaning (see the mainline commit
7c4791c9efca8c105a86022f7d5532aeaa819125).

Thanks to @izh1979 for the idea

authored May 01, 2023

22728555 Browse Files

Improve the vsyscall checks · 7bb6a185

Disabling X86_VSYSCALL_EMULATION turns vsyscall off completely, and
LEGACY_VSYSCALL_NONE can be changed at boot time via the cmdline parameter.

Thanks to @izh1979 for the idea

authored Apr 30, 2023

7bb6a185 Browse Files

Add the comment about kernel.sysrq=0 · 5fd14d3f
Alexander Popov authored Apr 30, 2023

5fd14d3f Browse Files

22 Apr, 2023 6 commits
- Make hackish refinement of the CONFIG_ARCH_MMAP_RND_BITS check · 9bbea5b5
```
Use new override_expected_value() for that.

This is needed to avoid wrong recommendations for ARM64 and ARM, where
CONFIG_ARCH_MMAP_RND_BITS_MAX depends on the paging configuration.
```
  Alexander Popov authored Apr 23, 2023
  9bbea5b5 Browse Files
- test_engine: add test_value_overriding() · 7194de8d
  Alexander Popov authored Apr 23, 2023
  
  7194de8d Browse Files
- engine: implement override_expected_value() · c1090722
  Alexander Popov authored Apr 23, 2023
  
  c1090722 Browse Files
- Require one of major LSMs implementing MAC · 9297ada2
```
SELinux, Smack, Tomoyo, and AppArmor implement Mandatory Access Control (MAC).

Thanks to @izh1979 for the idea
```
  Alexander Popov authored Apr 22, 2023
  9297ada2 Browse Files
- Add the norandmaps check · a6732ba5
```
Thanks to @izh1979 for the idea
```
  Alexander Popov authored Apr 22, 2023
  a6732ba5 Browse Files
- Check that CoreSight Tracing Support is disabled (to cut attack surface) · 21170ca6
```
The CONFIG_CORESIGHT framework provides a kernel interface for the
CoreSight debug and trace drivers for ARM/ARM64. It's better to have it
disabled to cut attack surface.
```
  Alexander Popov authored Apr 22, 2023
  21170ca6 Browse Files
09 Apr, 2023 4 commits
- Drop the INTEGRITY check · 4c2090a3
```
CONFIG_INTEGRITY is useless without enabling IMA/EVM.
We can't require enabling IMA/EVM because there are other
file system integrity mechanisms like DM_VERITY, FS_VERITY, etc.
So there is no reason to check CONFIG_INTEGRITY.

Refers to #75
```
  Alexander Popov authored Apr 10, 2023
  4c2090a3 Browse Files
- Add the DEBUG_ALIGN_RODATA check for ARM · f19835db
  Alexander Popov authored Apr 10, 2023
  
  f19835db Browse Files
- Add new Android kernel configs from my friends · 98371b5f
```
Also rename old Android configs
```
  Alexander Popov authored Apr 10, 2023
  98371b5f Browse Files
- Add the LEGACY_TIOCSTI check · f0c9f888
  Alexander Popov authored Apr 10, 2023
  
  f0c9f888 Browse Files
02 Apr, 2023 2 commits
- engine: remove the unused 'type' property from the OptCheck object · fa57d8b2
  Alexander Popov authored Apr 02, 2023
  
  fa57d8b2 Browse Files
- test_engine: rename unit-tests · 353e88fd
  Alexander Popov authored Apr 02, 2023
  
  353e88fd Browse Files