projects / kconfig-hardened-check.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Update to 5.3.16 (SLE15-SP2)
[kconfig-hardened-check.git] / README.md
diff --git a/README.md b/README.md
index 63d7952b73221215f4c8534fc0b7f73bf62856ee..0c9aaec6df95df3b290debd4259078232ebfa3e0 100644 (file)
--- a/README.md
+++ b/README.md
@@ -86,7 +86,6 @@ CONFIG_DEBUG_LIST                            |      y      |   kspp   |  self_pr
 CONFIG_DEBUG_SG                              |      y      |   kspp   |  self_protection   |   FAIL: "is not set"
 CONFIG_DEBUG_CREDENTIALS                     |      y      |   kspp   |  self_protection   |   FAIL: "is not set"
 CONFIG_DEBUG_NOTIFIERS                       |      y      |   kspp   |  self_protection   |   FAIL: "is not set"
-CONFIG_PAGE_POISONING                        |      y      |   kspp   |  self_protection   |   FAIL: "is not set"
 CONFIG_HARDENED_USERCOPY                     |      y      |   kspp   |  self_protection   |   OK
 CONFIG_HARDENED_USERCOPY_FALLBACK            | is not set  |   kspp   |  self_protection   |   OK: not found
 CONFIG_MODULE_SIG                            |      y      |   kspp   |  self_protection   |   OK
@@ -111,8 +110,6 @@ CONFIG_INTEL_IOMMU_SVM                       |      y      |  clipos  |  self_pr
 CONFIG_INTEL_IOMMU_DEFAULT_ON                |      y      |  clipos  |  self_protection   |   FAIL: "is not set"
 CONFIG_SLUB_DEBUG_ON                         |      y      |    my    |  self_protection   |   FAIL: "is not set"
 CONFIG_RESET_ATTACK_MITIGATION               |      y      |    my    |  self_protection   |   OK
-CONFIG_PAGE_POISONING_NO_SANITY              | is not set  |    my    |  self_protection   |   FAIL: CONFIG_PAGE_POISONING is needed
-CONFIG_PAGE_POISONING_ZERO                   | is not set  |    my    |  self_protection   |   FAIL: CONFIG_PAGE_POISONING is needed
 CONFIG_AMD_IOMMU_V2                          |      y      |    my    |  self_protection   |   FAIL: "m"
 CONFIG_SECURITY                              |      y      |defconfig |  security_policy   |   OK
 CONFIG_SECURITY_WRITABLE_HOOKS               | is not set  |defconfig |  security_policy   |   OK
@@ -181,7 +178,7 @@ CONFIG_BPF_JIT                               | is not set  |    my    | cut_atta
 CONFIG_VIDEO_VIVID                           | is not set  |    my    | cut_attack_surface |   FAIL: "m"
 CONFIG_ARCH_MMAP_RND_BITS                    |     32      |  clipos  |userspace_hardening |   FAIL: "28"
 
-[+] config check is finished: 'OK' - 49 / 'FAIL' - 77
+[+] config check is finished: 'OK' - 49 / 'FAIL' - 74
 ```
 
 ## kconfig-hardened-check versioning
@@ -215,6 +212,13 @@ __Q:__ Why `CONFIG_GCC_PLUGINS` is automatically disabled during the kernel comp
 __A:__ It means that your gcc doesn't support plugins. For example, if you have `gcc-7` on Ubuntu,
 try to install `gcc-7-plugin-dev` package, it should help.
 
+<br />
+
+__Q:__ KSPP and CLIP OS recommend `CONFIG_PANIC_ON_OOPS=y`. Why doesn't this tool do the same?
+
+__A:__ I personally don't support this recommendation because it provides easy denial-of-service
+attacks for the whole system (kernel oops is not a rare situation). I think having `CONFIG_BUG` is enough here --
+if we have a kernel oops in the process context, the offending/attacking process is killed.
 
 [1]: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
 [2]: https://docs.clip-os.org/clipos/kernel.html#configuration
kconfig-hardened-check