# Please don't cry if my Python code looks like C.
#
#
-# N.B Missing hardening command line parameters:
-# iommu=force (does it help against DMA attacks?)
-#
-# Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE):
-# kasan=on
-# kasan.stacktrace=off
-# kasan.fault=panic
-#
# N.B. Hardening sysctls:
# kernel.kptr_restrict=2 (or 1?)
# kernel.dmesg_restrict=1 (also see the kconfig option)
if arch == 'ARM64':
l += [KconfigCheck('self_protection', 'kspp', 'ARM64_SW_TTBR0_PAN', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'SHADOW_CALL_STACK', 'y')]
- l += [KconfigCheck('self_protection', 'kspp', 'KASAN_HW_TAGS', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'KASAN_HW_TAGS', 'y')] # see also: kasan=on, kasan.stacktrace=off, kasan.fault=panic
if arch == 'X86_32':
l += [KconfigCheck('self_protection', 'kspp', 'PAGE_TABLE_ISOLATION', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'HIGHMEM64G', 'y')]
# 'self_protection', 'clipos'
l += [CmdlineCheck('self_protection', 'clipos', 'page_alloc.shuffle', '1')]
+ if arch in ('X86_64', 'X86_32'):
+ l += [CmdlineCheck('self_protection', 'clipos', 'iommu', 'force')]
# 'cut_attack_surface', 'defconfig'
if arch in ('X86_64', 'X86_32'):
parse_cmdline_file(parsed_cmdline_options, args.cmdline)
populate_with_data(config_checklist, parsed_cmdline_options, 'cmdline')
- # now everything is ready for performing the checks
+ # now everything is ready, perform the checks
perform_checks(config_checklist)
- # finally print the results
if mode == 'verbose':
- print_unknown_options(config_checklist, parsed_kconfig_options)
+ # print the parsed options without the checks (for debugging)
+ all_parsed_options = parsed_kconfig_options # assignment does not copy
+ all_parsed_options.update(parsed_cmdline_options)
+ print_unknown_options(config_checklist, all_parsed_options)
+
+ # finally print the results
print_checklist(mode, config_checklist, True)
sys.exit(0)