- [KSPP recommended settings][1],
- [CLIP OS kernel configuration][2],
- - last public [grsecurity][3] patch (options which they disable),
+ - Last public [grsecurity][3] patch (options which they disable),
- [SECURITY_LOCKDOWN_LSM][5] patchset,
- - direct feedback from Linux kernel maintainers (Daniel Vetter in [issue #38][6]).
+ - Direct feedback from Linux kernel maintainers (see [#38][6], [#53][15], [#54][16]).
I also created [__Linux Kernel Defence Map__][4] that is a graphical representation of the
relationships between security hardening features and the corresponding vulnerability classes
- ARM64
- ARM
+TODO: RISC-V
+
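Review bot: `TODO: RISC-V` sits on the line directly after `- ARM` with no blank line in between, so Markdown treats it as a lazy continuation of that bullet and renders "ARM TODO: RISC-V" as one item. Put a blank line before it (so it becomes its own paragraph), or better, replace the TODO in the supported-architectures list with a link to a tracking issue, as the page already does for maintainer feedback.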
## Installation
You can install the package:
or simply run `./bin/kconfig-hardened-check` from the cloned repository.
+Some Linux distributions also provide `kconfig-hardened-check` as a package.
+
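Review bot: "Some Linux distributions also provide `kconfig-hardened-check` as a package" gives the reader nothing to act on; name the distributions or link to a package-tracking page so they can see which versions are shipped. That matters here because a packaged build may lag the repository, and the checks added in this very change (the `maintainer` UBSAN rows, the tracing-related `grsecurity` rows) would be missing from an older package.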
## Usage
```
usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}]
choose the report mode
```
-## Output for `Ubuntu 20.04 LTS (Focal Fossa)` kernel config
+## Output modes
+
+ - no `-m` argument for the default output mode (see the example below)
+ - `-m verbose` for printing additional info:
+ - config options without a corresponding check
+ - internals of complex checks with AND/OR, like this:
+```
+-------------------------------------------------------------------------------------------
+ <<< OR >>>
+CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface
+CONFIG_DEVMEM | is not set | kspp | cut_attack_surface
+-------------------------------------------------------------------------------------------
+```
+ - `-m show_fail` for showing only the failed checks
+ - `-m show_ok` for showing only the successful checks
+ - `-m json` for printing the results in JSON format (for combining `kconfig-hardened-check` with other tools)
+
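Review bot: the fenced `<<< OR >>>` example is not indented to the level of the nested `-m verbose` sub-items, which ends the list, so `-m show_fail`, `-m show_ok` and `-m json` render as a second list below the code block rather than as siblings of `-m verbose`. Indent the fence and its contents to match the sub-items, or move the example after the list with a "for example:" lead. While here, `-m json` is the mode intended for combining with other tools, so one sentence on what the JSON carries (whether it mirrors the columns of the text table) would save integrators a trial run.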
+## Example output for `Ubuntu 20.04 LTS (Focal Fossa)` kernel config
```
$ ./bin/kconfig-hardened-check -c kconfig_hardened_check/config_files/distros/ubuntu-focal.config
[+] Config file to check: kconfig_hardened_check/config_files/distros/ubuntu-focal.config
CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection | FAIL: not found
CONFIG_HARDENED_USERCOPY | y | kspp | self_protection | OK
CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection | FAIL: "y"
+CONFIG_HARDENED_USERCOPY_PAGESPAN | is not set | kspp | self_protection | OK
CONFIG_MODULE_SIG | y | kspp | self_protection | OK
CONFIG_MODULE_SIG_ALL | y | kspp | self_protection | OK
CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protection | OK
CONFIG_INIT_STACK_ALL_ZERO | y | kspp | self_protection | FAIL: not found
CONFIG_INIT_ON_FREE_DEFAULT_ON | y | kspp | self_protection | OK: CONFIG_PAGE_POISONING_ZERO "y"
CONFIG_GCC_PLUGIN_STACKLEAK | y | kspp | self_protection | FAIL: not found
+CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT | y | kspp | self_protection | FAIL: not found
CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | kspp | self_protection | OK
+CONFIG_UBSAN_BOUNDS | y |maintainer| self_protection | FAIL: not found
+CONFIG_UBSAN_SANITIZE_ALL | y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y"
+CONFIG_UBSAN_TRAP | y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y"
CONFIG_DEBUG_VIRTUAL | y | clipos | self_protection | FAIL: "is not set"
CONFIG_STATIC_USERMODEHELPER | y | clipos | self_protection | FAIL: "is not set"
CONFIG_EFI_DISABLE_PCI_DMA | y | clipos | self_protection | FAIL: not found
CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y"
CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection | FAIL: "is not set"
CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection | OK
-CONFIG_UBSAN_BOUNDS | y | my | self_protection | FAIL: CONFIG_UBSAN_TRAP not "y"
CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection | OK
CONFIG_AMD_IOMMU_V2 | y | my | self_protection | FAIL: "m"
CONFIG_SECURITY | y |defconfig | security_policy | OK
CONFIG_PAGE_OWNER | is not set |grsecurity| cut_attack_surface | OK
CONFIG_DEBUG_KMEMLEAK | is not set |grsecurity| cut_attack_surface | OK
CONFIG_BINFMT_AOUT | is not set |grsecurity| cut_attack_surface | OK: not found
-CONFIG_KPROBES | is not set |grsecurity| cut_attack_surface | FAIL: "y"
-CONFIG_UPROBES | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_KPROBE_EVENTS | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_UPROBE_EVENTS | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_GENERIC_TRACER | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_FUNCTION_TRACER | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_STACK_TRACER | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_HIST_TRIGGERS | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_BLK_DEV_IO_TRACE | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_PROC_VMCORE | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_PROC_PAGE_MONITOR | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_USELIB | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface | FAIL: "y"
CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface | FAIL: "m"
-CONFIG_X86_PTDUMP | is not set |grsecurity| cut_attack_surface | OK
+CONFIG_FAIL_FUTEX | is not set |grsecurity| cut_attack_surface | OK: not found
+CONFIG_PUNIT_ATOM_DEBUG | is not set |grsecurity| cut_attack_surface | FAIL: "m"
+CONFIG_ACPI_CONFIGFS | is not set |grsecurity| cut_attack_surface | FAIL: "m"
+CONFIG_EDAC_DEBUG | is not set |grsecurity| cut_attack_surface | OK
+CONFIG_DRM_I915_DEBUG | is not set |grsecurity| cut_attack_surface | OK
+CONFIG_BCACHE_CLOSURES_DEBUG | is not set |grsecurity| cut_attack_surface | OK
+CONFIG_DVB_C8SECTPFE | is not set |grsecurity| cut_attack_surface | OK: not found
+CONFIG_MTD_SLRAM | is not set |grsecurity| cut_attack_surface | FAIL: "m"
+CONFIG_MTD_PHRAM | is not set |grsecurity| cut_attack_surface | FAIL: "m"
+CONFIG_IO_URING | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_KCMP | is not set |grsecurity| cut_attack_surface | OK: not found
+CONFIG_RSEQ | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_LATENCYTOP | is not set |grsecurity| cut_attack_surface | OK
+CONFIG_KCOV | is not set |grsecurity| cut_attack_surface | OK
+CONFIG_PROVIDE_OHCI1394_DMA_INIT | is not set |grsecurity| cut_attack_surface | OK
+CONFIG_SUNRPC_DEBUG | is not set |grsecurity| cut_attack_surface | FAIL: "y"
+CONFIG_PTDUMP_DEBUGFS | is not set |grsecurity| cut_attack_surface | OK: not found
CONFIG_DRM_LEGACY | is not set |maintainer| cut_attack_surface | OK
CONFIG_FB | is not set |maintainer| cut_attack_surface | FAIL: "y"
CONFIG_VT | is not set |maintainer| cut_attack_surface | FAIL: "y"
+CONFIG_BLK_DEV_FD | is not set |maintainer| cut_attack_surface | FAIL: "m"
CONFIG_AIO | is not set |grapheneos| cut_attack_surface | FAIL: "y"
CONFIG_STAGING | is not set | clipos | cut_attack_surface | FAIL: "y"
CONFIG_KSM | is not set | clipos | cut_attack_surface | FAIL: "y"
CONFIG_USER_NS | is not set | clipos | cut_attack_surface | FAIL: "y"
CONFIG_X86_MSR | is not set | clipos | cut_attack_surface | FAIL: "m"
CONFIG_X86_CPUID | is not set | clipos | cut_attack_surface | FAIL: "m"
-CONFIG_IO_URING | is not set | clipos | cut_attack_surface | FAIL: "y"
CONFIG_X86_IOPL_IOPERM | is not set | clipos | cut_attack_surface | OK: not found
CONFIG_ACPI_TABLE_UPGRADE | is not set | clipos | cut_attack_surface | FAIL: "y"
CONFIG_EFI_CUSTOM_SSDT_OVERLAYS | is not set | clipos | cut_attack_surface | OK: not found
CONFIG_EFI_TEST | is not set | lockdown | cut_attack_surface | FAIL: "m"
CONFIG_BPF_SYSCALL | is not set | lockdown | cut_attack_surface | FAIL: "y"
CONFIG_MMIOTRACE_TEST | is not set | lockdown | cut_attack_surface | OK
+CONFIG_KPROBES | is not set | lockdown | cut_attack_surface | FAIL: "y"
CONFIG_TRIM_UNUSED_KSYMS | y | my | cut_attack_surface | FAIL: not found
CONFIG_MMIOTRACE | is not set | my | cut_attack_surface | FAIL: "y"
CONFIG_LIVEPATCH | is not set | my | cut_attack_surface | FAIL: "y"
CONFIG_INTEGRITY | y |defconfig |userspace_hardening | OK
CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | FAIL: "28"
-[+] Config check is finished: 'OK' - 58 / 'FAIL' - 81
+[+] Config check is finished: 'OK' - 68 / 'FAIL' - 96
```
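Review bot: the regenerated summary line reports 'OK' - 68 / 'FAIL' - 96, i.e. 164 checks, but the block above lists far fewer rows, so the example reads as complete output while it is an excerpt; either show the full run or mark the elided ranges. Two attribution changes in this hunk also deserve a line in the commit message, since the README is the user-facing record: `CONFIG_IO_URING` moved from `clipos` to `grsecurity`, and `CONFIG_KPROBES` moved from `grsecurity` to `lockdown` with `CONFIG_KPROBE_EVENTS`/`CONFIG_UPROBE_EVENTS` taking its place under `grsecurity`. The three new `maintainer` rows are consistent with their reason strings (`CONFIG_UBSAN_SANITIZE_ALL` and `CONFIG_UBSAN_TRAP` fail because `CONFIG_UBSAN_BOUNDS` is not found), which reads correctly.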
## kconfig-hardened-check versioning
[12]: https://github.com/tych0
[13]: https://github.com/speed47/spectre-meltdown-checker
[14]: https://github.com/speed47
+[15]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/53
+[16]: https://github.com/a13xp0p0v/kconfig-hardened-check/pull/54