projects
/
kconfig-hardened-check.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Skip normalize_cmdline_options() for the iommu cmdline parameter
[kconfig-hardened-check.git]
/
kconfig_hardened_check
/
checks.py
diff --git
a/kconfig_hardened_check/checks.py
b/kconfig_hardened_check/checks.py
index ab25afa41b00d6b179a0174e903fc35560fef780..6a41be215541c6368c0f7aab0fca888421d4e081 100644
(file)
--- a/
kconfig_hardened_check/checks.py
+++ b/
kconfig_hardened_check/checks.py
@@
-1,9
+1,7
@@
#!/usr/bin/python3
"""
#!/usr/bin/python3
"""
-This tool helps me to check Linux kernel options against
-my security hardening preferences for X86_64, ARM64, X86_32, and ARM.
-Let the computers do their job!
+This tool is for checking the security hardening options of the Linux kernel.
Author: Alexander Popov <alex.popov@linux.com>
Author: Alexander Popov <alex.popov@linux.com>
@@
-48,6
+46,7
@@
This module contains knowledge for checks.
# intel_iommu=on
# amd_iommu=on
# efi=disable_early_pci_dma
# intel_iommu=on
# amd_iommu=on
# efi=disable_early_pci_dma
+# cfi=
# pylint: disable=missing-function-docstring,line-too-long,invalid-name
# pylint: disable=too-many-branches,too-many-statements
# pylint: disable=missing-function-docstring,line-too-long,invalid-name
# pylint: disable=too-many-branches,too-many-statements
@@
-116,6
+115,7
@@
def add_kconfig_checks(l, arch):
if arch == 'X86_64':
l += [KconfigCheck('self_protection', 'defconfig', 'PAGE_TABLE_ISOLATION', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_MEMORY', 'y')]
if arch == 'X86_64':
l += [KconfigCheck('self_protection', 'defconfig', 'PAGE_TABLE_ISOLATION', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_MEMORY', 'y')]
+ l += [KconfigCheck('self_protection', 'defconfig', 'X86_KERNEL_IBT', 'y')]
l += [AND(KconfigCheck('self_protection', 'defconfig', 'INTEL_IOMMU', 'y'),
iommu_support_is_set)]
l += [AND(KconfigCheck('self_protection', 'defconfig', 'AMD_IOMMU', 'y'),
l += [AND(KconfigCheck('self_protection', 'defconfig', 'INTEL_IOMMU', 'y'),
iommu_support_is_set)]
l += [AND(KconfigCheck('self_protection', 'defconfig', 'AMD_IOMMU', 'y'),
@@
-488,7
+488,7
@@
def add_cmdline_checks(l, arch):
AND(KconfigCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y'),
CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set')))]
else:
AND(KconfigCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y'),
CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set')))]
else:
- l += [OR(CmdlineCheck('self_protection', 'defconfig', 'rodata', '
1
'),
+ l += [OR(CmdlineCheck('self_protection', 'defconfig', 'rodata', '
on
'),
CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set'))]
# 'self_protection', 'kspp'
CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set'))]
# 'self_protection', 'kspp'
@@
-586,6
+586,10
@@
no_kstrtobool_options = [
'srbds', # See srbds_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
'mmio_stale_data', # See mmio_stale_data_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
'retbleed', # See retbleed_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
'srbds', # See srbds_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
'mmio_stale_data', # See mmio_stale_data_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
'retbleed', # See retbleed_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
+ 'rodata', # See set_debug_rodata() in init/main.c
+ 'ssbd', # See parse_spectre_v4_param() in arch/arm64/kernel/proton-pack.c
+ 'slub_debug', # See setup_slub_debug() in mm/slub.c
+ 'iommu', # See iommu_setup() in arch/x86/kernel/pci-dma.c
'tsx' # See tsx_init() in arch/x86/kernel/cpu/tsx.c
]
'tsx' # See tsx_init() in arch/x86/kernel/cpu/tsx.c
]