# Please don't cry if my Python code looks like C.
#
#
-# N.B Hardening command line parameters:
-# iommu=force (does it help against DMA attacks?)
-#
-# Mitigations of CPU vulnerabilities:
-# Аrch-independent:
-# X86:
-# l1d_flush=on (a part of the l1tf option)
-# tsx=off
-# ARM64:
-# kpti=on
-#
-# arm64.nopauth
-# arm64.nomte
-#
-# Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE):
-# kasan=on
-# kasan.stacktrace=off
-# kasan.fault=panic
-#
# N.B. Hardening sysctls:
# kernel.kptr_restrict=2 (or 1?)
# kernel.dmesg_restrict=1 (also see the kconfig option)
# fs.suid_dumpable=0
# kernel.modules_disabled=1
# kernel.randomize_va_space = 2
+# nosmt sysfs control file
# pylint: disable=missing-module-docstring,missing-class-docstring,missing-function-docstring
if self.expected == 'is not off':
if self.state == 'off':
self.result = 'FAIL: is off'
+ if self.state == '0':
+ self.result = 'FAIL: is off, "0"'
elif self.state is None:
self.result = 'FAIL: is off, not found'
else:
self.result = 'FAIL: {} is not "{}"'.format(opt.name, opt.expected)
elif opt.result == 'FAIL: is not present':
self.result = 'FAIL: {} is not present'.format(opt.name)
- elif opt.result == 'FAIL: is off':
+ elif opt.result == 'FAIL: is off' or opt.result == 'FAIL: is off, "0"':
self.result = 'FAIL: {} is off'.format(opt.name)
elif opt.result == 'FAIL: is off, not found':
self.result = 'FAIL: {} is off, not found'.format(opt.name)
VersionCheck((5, 5)))] # REFCOUNT_FULL is enabled by default since v5.5
if arch in ('X86_64', 'ARM64', 'X86_32'):
l += [KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_BASE', 'y')]
- if arch in ('X86_64', 'ARM64'):
+ if arch in ('X86_64', 'ARM64', 'ARM'):
l += [KconfigCheck('self_protection', 'defconfig', 'VMAP_STACK', 'y')]
if arch in ('X86_64', 'X86_32'):
+ l += [KconfigCheck('self_protection', 'defconfig', 'DEBUG_WX', 'y')]
+ l += [KconfigCheck('self_protection', 'defconfig', 'WERROR', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE_INTEL', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE_AMD', 'y')]
l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_UMIP', 'y'),
KconfigCheck('self_protection', 'defconfig', 'X86_INTEL_UMIP', 'y'))]
if arch in ('ARM64', 'ARM'):
+ l += [KconfigCheck('self_protection', 'defconfig', 'IOMMU_DEFAULT_DMA_STRICT', 'y')]
+ l += [KconfigCheck('self_protection', 'defconfig', 'IOMMU_DEFAULT_PASSTHROUGH', 'is not set')] # true if IOMMU_DEFAULT_DMA_STRICT is set
l += [KconfigCheck('self_protection', 'defconfig', 'STACKPROTECTOR_PER_TASK', 'y')]
if arch == 'X86_64':
l += [KconfigCheck('self_protection', 'defconfig', 'PAGE_TABLE_ISOLATION', 'y')]
# 'self_protection', 'kspp'
l += [KconfigCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')]
- l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_WX', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_HARDENED', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_RANDOM', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y')]
- l += [KconfigCheck('self_protection', 'kspp', 'WERROR', 'y')]
- l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y')]
- l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_PASSTHROUGH', 'is not set')] # true if IOMMU_DEFAULT_DMA_STRICT is set
l += [KconfigCheck('self_protection', 'kspp', 'ZERO_CALL_USED_REGS', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'HW_RANDOM_TPM', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support
- l += [KconfigCheck('self_protection', 'kspp', 'SCHED_CORE', 'y')]
randstruct_is_set = OR(KconfigCheck('self_protection', 'kspp', 'RANDSTRUCT_FULL', 'y'),
KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y'))
l += [randstruct_is_set]
l += [AND(KconfigCheck('self_protection', 'kspp', 'CFI_PERMISSIVE', 'is not set'),
cfi_clang_is_set)]
if arch in ('X86_64', 'X86_32'):
+ l += [KconfigCheck('self_protection', 'kspp', 'SCHED_CORE', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '65536')]
+ l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_PASSTHROUGH', 'is not set')] # true if IOMMU_DEFAULT_DMA_STRICT is set
l += [AND(KconfigCheck('self_protection', 'kspp', 'INTEL_IOMMU_DEFAULT_ON', 'y'),
iommu_support_is_set)]
if arch in ('ARM64', 'ARM'):
+ l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_WX', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'WERROR', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '32768')]
l += [KconfigCheck('self_protection', 'kspp', 'SYN_COOKIES', 'y')] # another reason?
if arch == 'X86_64':
if arch == 'ARM64':
l += [KconfigCheck('self_protection', 'kspp', 'ARM64_SW_TTBR0_PAN', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'SHADOW_CALL_STACK', 'y')]
- l += [KconfigCheck('self_protection', 'kspp', 'KASAN_HW_TAGS', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'KASAN_HW_TAGS', 'y')] # see also: kasan=on, kasan.stacktrace=off, kasan.fault=panic
if arch == 'X86_32':
l += [KconfigCheck('self_protection', 'kspp', 'PAGE_TABLE_ISOLATION', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'HIGHMEM64G', 'y')]
if arch in ('X86_64', 'ARM64', 'X86_32'):
l += [OR(KconfigCheck('cut_attack_surface', 'defconfig', 'STRICT_DEVMEM', 'y'),
devmem_not_set)] # refers to LOCKDOWN
+ if arch in ('X86_64', 'X86_32'):
+ l += [KconfigCheck('cut_attack_surface', 'defconfig', 'X86_INTEL_TSX_MODE_OFF', 'y')] # tsx=off
# 'cut_attack_surface', 'kspp'
l += [KconfigCheck('cut_attack_surface', 'kspp', 'SECURITY_DMESG_RESTRICT', 'y')]
l += [KconfigCheck('cut_attack_surface', 'kspp', 'PROC_KCORE', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_PTYS', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'kspp', 'HIBERNATION', 'is not set')] # refers to LOCKDOWN
+ l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'kspp', 'IA32_EMULATION', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'kspp', 'X86_X32', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'kspp', 'X86_X32_ABI', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'kspp', 'MODIFY_LDT_SYSCALL', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'kspp', 'OABI_COMPAT', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'kspp', 'X86_MSR', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD', 'is not set')] # recommended by Denis Efremov in /pull/54
l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD_RAWCMD', 'is not set')] # recommended by Denis Efremov in /pull/62
- # 'cut_attack_surface', 'grapheneos'
- l += [KconfigCheck('cut_attack_surface', 'grapheneos', 'AIO', 'is not set')]
-
# 'cut_attack_surface', 'clipos'
l += [KconfigCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'clipos', 'KSM', 'is not set')] # to prevent FLUSH+RELOAD attack
l += [KconfigCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'clipos', 'COREDUMP', 'is not set')] # cut userspace attack surface
# l += [KconfigCheck('cut_attack_surface', 'clipos', 'IKCONFIG', 'is not set')] # no, IKCONFIG is needed for this check :)
- if arch in ('X86_64', 'X86_32'):
- l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_INTEL_TSX_MODE_OFF', 'y')] # tsx=off
# 'cut_attack_surface', 'lockdown'
l += [KconfigCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')] # refers to LOCKDOWN
l += [CmdlineCheck('self_protection', 'defconfig', 'nopti', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_v1', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_v2', 'is not set')]
+ l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_bhb', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'nospec_store_bypass_disable', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nobti', 'is not set')]
+ l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nopauth', 'is not set')]
+ l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nomte', 'is not set')]
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'mitigations', 'is not off'),
CmdlineCheck('self_protection', 'defconfig', 'mitigations', 'is not set'))]
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'spectre_v2', 'is not off'),
CmdlineCheck('self_protection', 'defconfig', 'mmio_stale_data', 'is not set'))]
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not off'),
CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not set'))]
+ l += [OR(CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not off'),
+ CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not set'))]
if arch == 'ARM64':
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'ssbd', 'kernel'),
CmdlineCheck('self_protection', 'my', 'ssbd', 'force-on'),
# 'self_protection', 'clipos'
l += [CmdlineCheck('self_protection', 'clipos', 'page_alloc.shuffle', '1')]
+ if arch in ('X86_64', 'X86_32'):
+ l += [CmdlineCheck('self_protection', 'clipos', 'iommu', 'force')]
+
+ # 'cut_attack_surface', 'defconfig'
+ if arch in ('X86_64', 'X86_32'):
+ l += [OR(CmdlineCheck('cut_attack_surface', 'defconfig', 'tsx', 'off'),
+ AND(KconfigCheck('cut_attack_surface', 'defconfig', 'X86_INTEL_TSX_MODE_OFF', 'y'),
+ CmdlineCheck('cut_attack_surface', 'defconfig', 'tsx', 'is not set')))]
# 'cut_attack_surface', 'kspp'
if arch == 'X86_64':
if option == 'retbleed':
# See retbleed_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
return value
+ if option == 'tsx':
+ # See tsx_init() in arch/x86/kernel/cpu/tsx.c
+ return value
# Implement a limited part of the kstrtobool() logic
if value in ('1', 'on', 'On', 'ON', 'y', 'Y', 'yes', 'Yes', 'YES'):
parse_cmdline_file(parsed_cmdline_options, args.cmdline)
populate_with_data(config_checklist, parsed_cmdline_options, 'cmdline')
- # now everything is ready for performing the checks
+ # now everything is ready, perform the checks
perform_checks(config_checklist)
- # finally print the results
if mode == 'verbose':
- print_unknown_options(config_checklist, parsed_kconfig_options)
+ # print the parsed options without the checks (for debugging)
+ all_parsed_options = parsed_kconfig_options # assignment does not copy
+ all_parsed_options.update(parsed_cmdline_options)
+ print_unknown_options(config_checklist, all_parsed_options)
+
+ # finally print the results
print_checklist(mode, config_checklist, True)
sys.exit(0)