# iommu.passthrough=0
# iommu.strict=1
# slub_debug=FZ (slow)
-# init_on_alloc=1 (since v5.3)
# init_on_free=1 (since v5.3, otherwise slub_debug=P and page_poison=1)
# loadpin.enforce=1
# debugfs=no-mount (or off if possible)
# ssbd=force-on
#
# Should NOT be set:
-# slab_merge
# nokaslr
# rodata=off
# sysrq_always_enabled
'empty {} check'.format(self.__class__.__name__)
assert(len(self.opts) != 1), \
'useless {} check: {}'.format(self.__class__.__name__, opts)
- assert(isinstance(opts[0], KconfigCheck) or isinstance(opts[0], CmdlineCheck)), \
+ assert(isinstance(opts[0], (KconfigCheck, CmdlineCheck))), \
'invalid {} check: {}'.format(self.__class__.__name__, opts)
self.result = None
l += [OR(KconfigCheck('self_protection', 'kspp', 'INIT_STACK_ALL_ZERO', 'y'),
KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y'))]
l += [OR(KconfigCheck('self_protection', 'kspp', 'INIT_ON_FREE_DEFAULT_ON', 'y'),
- KconfigCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'))]
+ AND(KconfigCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'),
+ CmdlineCheck('self_protection', 'kspp', 'page_poison', '1')))]
# CONFIG_INIT_ON_FREE_DEFAULT_ON was added in v5.3.
# CONFIG_PAGE_POISONING_ZERO was removed in v5.11.
# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks
if arch in ('X86_64', 'ARM64', 'X86_32'):
stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y')
l += [stackleak_is_set]
- l += [OR(KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y'),
- CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', '1'))]
+ l += [KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')]
if arch in ('X86_64', 'X86_32'):
l += [KconfigCheck('self_protection', 'kspp', 'SCHED_CORE', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '65536')]
l += [KconfigCheck('self_protection', 'clipos', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support
l += [OR(KconfigCheck('self_protection', 'clipos', 'EFI_DISABLE_PCI_DMA', 'y'),
efi_not_set)]
- l += [OR(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'),
- CmdlineCheck('self_protection', 'kspp', 'slab_nomerge'))] # option presence check
+ l += [KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set')]
l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_BOOTLOADER', 'is not set')]
l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_CPU', 'is not set')]
l += [AND(KconfigCheck('self_protection', 'clipos', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'),
# Calling the CmdlineCheck class constructor:
# CmdlineCheck(reason, decision, name, expected)
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', '1'),
+ AND(KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y'),
+ CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', 'is not set')))]
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_nomerge'),
+ AND(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'),
+ CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set')))] # option presence check
+ if arch in ('X86_64', 'ARM64', 'X86_32'):
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', '1'),
+ AND(KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y'),
+ CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', 'is not set')))]
if arch in ('X86_64', 'X86_32'):
l += [CmdlineCheck('self_protection', 'kspp', 'pti', 'on')]
# TODO: add other
if opt_is_on.match(line):
option, value = line.split('=', 1)
+ if value == 'is not set':
+ sys.exit('[!] ERROR: bad enabled kconfig option "{}"'.format(line))
elif opt_is_off.match(line):
option, value = line[2:].split(' ', 1)
if value != 'is not set':
# add relevant kconfig checks to the checklist
add_kconfig_checks(config_checklist, arch)
+ if args.cmdline:
+ # add relevant cmdline checks to the checklist
+ add_cmdline_checks(config_checklist, arch)
+
# populate the checklist with the parsed kconfig data
parsed_kconfig_options = OrderedDict()
parse_kconfig_file(parsed_kconfig_options, args.config)
populate_with_data(config_checklist, kernel_version, 'version')
if args.cmdline:
- # add relevant cmdline checks to the checklist
- add_cmdline_checks(config_checklist, arch)
-
# populate the checklist with the parsed kconfig data
parsed_cmdline_options = OrderedDict()
parse_cmdline_file(parsed_cmdline_options, args.cmdline)
parser.print_help()
sys.exit(0)
-
-if __name__ == '__main__':
- main()