# kernel.kptr_restrict=1
# lockdown=1
#
-# spectre_v2=on
-# pti=on
-# spec_store_bypass_disable=on
-# l1tf=full,force
-#
+# Mitigations of CPU vulnerabilities:
+# Аrch-independent:
+# mitigations=auto,nosmt
+# X86:
+# spectre_v2=on
+# pti=on
+# spec_store_bypass_disable=on
+# l1tf=full,force
+# mds=full,nosmt
+# ARM64:
+# ? CONFIG_HARDEN_BRANCH_PREDICTOR
+# kpti=on
+# ssbd=force-on
#
# N.B. Hardening sysctl's:
# net.core.bpf_jit_harden
+# kptr_restrict=2
import sys
from argparse import ArgumentParser
return '{} = {}'.format(self.name, self.state)
-class OR:
+class ComplexOptCheck:
def __init__(self, *opts):
self.opts = opts
self.result = None
- # self.opts[0] is the option which this OR-check is about.
- # Use case: OR(<X_is_hardened>, <X_is_disabled>)
-
@property
def name(self):
return self.opts[0].name
def reason(self):
return self.opts[0].reason
+
+class OR(ComplexOptCheck):
+ # self.opts[0] is the option which this OR-check is about.
+ # Use case:
+ # OR(<X_is_hardened>, <X_is_disabled>)
+ # OR(<X_is_hardened>, <X_is_hardened_old>)
+
def check(self):
+ if not self.opts:
+ sys.exit('[!] ERROR: invalid OR check')
+
for i, opt in enumerate(self.opts):
- result, msg = opt.check()
- if result:
+ ret, msg = opt.check()
+ if ret:
if i == 0:
self.result = opt.result
else:
- self.result = 'CONFIG_{}: {} ("{}")'.format(opt.name, opt.result, opt.expected)
+ self.result = 'OK: CONFIG_{} "{}"'.format(opt.name, opt.expected)
return True, self.result
self.result = self.opts[0].result
return False, self.result
+class AND(ComplexOptCheck):
+ # self.opts[0] is the option which this AND-check is about.
+ # Use case: AND(<suboption>, <main_option>)
+ # Suboption is not checked if checking of the main_option is failed.
+
+ def check(self):
+ for i, opt in reversed(list(enumerate(self.opts))):
+ ret, msg = opt.check()
+ if i == 0:
+ self.result = opt.result
+ return ret, self.result
+ elif not ret:
+ self.result = 'FAIL: CONFIG_{} is needed'.format(opt.name)
+ return False, self.result
+
+ sys.exit('[!] ERROR: invalid AND check')
+
+
def detect_arch(fname):
with open(fname, 'r') as f:
arch_pattern = re.compile("CONFIG_[a-zA-Z0-9_]*=y")
checklist.append(OptCheck('BUG_ON_DATA_CORRUPTION', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('DEBUG_WX', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('SCHED_STACK_END_CHECK', 'y', 'kspp', 'self_protection'))
- checklist.append(OptCheck('PAGE_POISONING', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('SLAB_FREELIST_HARDENED', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('SLAB_FREELIST_RANDOM', 'y', 'kspp', 'self_protection'))
- checklist.append(OptCheck('HARDENED_USERCOPY', 'y', 'kspp', 'self_protection'))
- checklist.append(OptCheck('HARDENED_USERCOPY_FALLBACK', 'is not set', 'kspp', 'self_protection'))
checklist.append(OptCheck('FORTIFY_SOURCE', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('GCC_PLUGINS', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('GCC_PLUGIN_RANDSTRUCT', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('DEBUG_SG', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('DEBUG_CREDENTIALS', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('DEBUG_NOTIFIERS', 'y', 'kspp', 'self_protection'))
+ page_poisoning_is_set = OptCheck('PAGE_POISONING', 'y', 'kspp', 'self_protection')
+ checklist.append(page_poisoning_is_set)
+ hardened_usercopy_is_set = OptCheck('HARDENED_USERCOPY', 'y', 'kspp', 'self_protection')
+ checklist.append(hardened_usercopy_is_set)
+ checklist.append(AND(OptCheck('HARDENED_USERCOPY_FALLBACK', 'is not set', 'kspp', 'self_protection'), \
+ hardened_usercopy_is_set))
checklist.append(OR(OptCheck('MODULE_SIG', 'y', 'kspp', 'self_protection'), \
modules_not_set))
checklist.append(OR(OptCheck('MODULE_SIG_ALL', 'y', 'kspp', 'self_protection'), \
checklist.append(OptCheck('DEFAULT_MMAP_MIN_ADDR', '32768', 'kspp', 'self_protection'))
if debug_mode or arch == 'X86_64' or arch == 'ARM64' or arch == 'X86_32':
- checklist.append(OptCheck('GCC_PLUGIN_STACKLEAK', 'y', 'my', 'self_protection'))
+ stackleak_is_set = OptCheck('GCC_PLUGIN_STACKLEAK', 'y', 'my', 'self_protection')
+ checklist.append(stackleak_is_set)
+ checklist.append(AND(OptCheck('STACKLEAK_METRICS', 'is not set', 'my', 'self_protection'), \
+ stackleak_is_set))
+ checklist.append(AND(OptCheck('STACKLEAK_RUNTIME_DISABLE','is not set', 'my', 'self_protection'), \
+ stackleak_is_set))
checklist.append(OptCheck('LOCK_DOWN_KERNEL', 'y', 'my', 'self_protection')) # remember about LOCK_DOWN_MANDATORY
checklist.append(OptCheck('SLUB_DEBUG_ON', 'y', 'my', 'self_protection'))
checklist.append(OptCheck('SECURITY_DMESG_RESTRICT', 'y', 'my', 'self_protection'))
checklist.append(OptCheck('STATIC_USERMODEHELPER', 'y', 'my', 'self_protection')) # needs userspace support (systemd)
checklist.append(OptCheck('SECURITY_LOADPIN', 'y', 'my', 'self_protection')) # needs userspace support
checklist.append(OptCheck('RESET_ATTACK_MITIGATION', 'y', 'my', 'self_protection')) # needs userspace support (systemd)
- checklist.append(OptCheck('PAGE_POISONING_NO_SANITY', 'is not set', 'my', 'self_protection'))
- checklist.append(OptCheck('PAGE_POISONING_ZERO', 'is not set', 'my', 'self_protection'))
checklist.append(OptCheck('SLAB_MERGE_DEFAULT', 'is not set', 'my', 'self_protection')) # slab_nomerge
+ checklist.append(AND(OptCheck('PAGE_POISONING_NO_SANITY', 'is not set', 'my', 'self_protection'), \
+ page_poisoning_is_set))
+ checklist.append(AND(OptCheck('PAGE_POISONING_ZERO', 'is not set', 'my', 'self_protection'), \
+ page_poisoning_is_set))
if debug_mode or arch == 'X86_32':
checklist.append(OptCheck('PAGE_TABLE_ISOLATION', 'y', 'my', 'self_protection'))
+ if debug_mode or arch == 'ARM':
+ checklist.append(OptCheck('STACKPROTECTOR_PER_TASK', 'y', 'my', 'self_protection'))
if debug_mode or arch == 'X86_64' or arch == 'ARM64' or arch == 'X86_32':
- checklist.append(OptCheck('SECURITY', 'y', 'defconfig', 'security_policy'))
+ checklist.append(OptCheck('SECURITY', 'y', 'defconfig', 'security_policy')) # and choose your favourite LSM
if debug_mode or arch == 'ARM':
- checklist.append(OptCheck('SECURITY', 'y', 'kspp', 'security_policy'))
+ checklist.append(OptCheck('SECURITY', 'y', 'kspp', 'security_policy')) # and choose your favourite LSM
checklist.append(OptCheck('SECURITY_YAMA', 'y', 'kspp', 'security_policy'))
- checklist.append(OptCheck('SECURITY_SELINUX_DISABLE', 'is not set', 'kspp', 'security_policy'))
checklist.append(OptCheck('SECCOMP', 'y', 'defconfig', 'cut_attack_surface'))
checklist.append(OptCheck('SECCOMP_FILTER', 'y', 'defconfig', 'cut_attack_surface'))
checklist.append(OR(OptCheck('STRICT_DEVMEM', 'y', 'defconfig', 'cut_attack_surface'), \
devmem_not_set)) # refers to LOCK_DOWN_KERNEL
+ checklist.append(modules_not_set)
+ checklist.append(devmem_not_set)
checklist.append(OR(OptCheck('IO_STRICT_DEVMEM', 'y', 'kspp', 'cut_attack_surface'), \
devmem_not_set)) # refers to LOCK_DOWN_KERNEL
if debug_mode or arch == 'ARM':
checklist.append(OptCheck('BPF_SYSCALL', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
checklist.append(OptCheck('MMIOTRACE_TEST', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
+ checklist.append(OptCheck('KSM', 'is not set', 'clipos', 'cut_attack_surface')) # to prevent FLUSH+RELOAD attack
+ checklist.append(OptCheck('IKCONFIG', 'is not set', 'clipos', 'cut_attack_surface'))
+ checklist.append(OptCheck('KALLSYMS', 'is not set', 'clipos', 'cut_attack_surface'))
+ checklist.append(OptCheck('X86_VSYSCALL_EMULATION', 'is not set', 'clipos', 'cut_attack_surface'))
+ checklist.append(OptCheck('MAGIC_SYSRQ', 'is not set', 'clipos', 'cut_attack_surface'))
+
checklist.append(OptCheck('MMIOTRACE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive)
checklist.append(OptCheck('KEXEC_FILE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL (permissive)
checklist.append(OptCheck('LIVEPATCH', 'is not set', 'my', 'cut_attack_surface'))
if debug_mode or arch == 'X86_32':
checklist.append(OptCheck('MODIFY_LDT_SYSCALL', 'is not set', 'my', 'cut_attack_surface'))
+ if debug_mode or arch == 'ARM64':
+ checklist.append(OptCheck('ARM64_PTR_AUTH', 'y', 'defconfig', 'userspace_protection'))
if debug_mode or arch == 'X86_64' or arch == 'ARM64':
checklist.append(OptCheck('ARCH_MMAP_RND_BITS', '32', 'my', 'userspace_protection'))
if debug_mode or arch == 'X86_32' or arch == 'ARM':
def print_checklist(arch):
print('[+] Printing kernel hardening preferences for {}...'.format(arch))
- print(' {:<39}|{:^13}|{:^10}|{:^20}'.format(
+ print('{:^40}|{:^13}|{:^10}|{:^20}'.format(
'option name', 'desired val', 'decision', 'reason'))
- print(' ' + '=' * 86)
+ print('=' * 87)
for opt in checklist:
- print(' CONFIG_{:<32}|{:^13}|{:^10}|{:^20}'.format(
+ print('CONFIG_{:<33}|{:^13}|{:^10}|{:^20}'.format(
opt.name, opt.expected, opt.decision, opt.reason))
print()
def print_check_results():
- print(' {:<39}|{:^13}|{:^10}|{:^20}||{:^28}'.format(
+ print('{:^40}|{:^13}|{:^10}|{:^20}||{:^28}'.format(
'option name', 'desired val', 'decision', 'reason', 'check result'))
- print(' ' + '=' * 115)
+ print('=' * 116)
for opt in checklist:
- print(' CONFIG_{:<32}|{:^13}|{:^10}|{:^20}||{:^28}'.format(
+ print('CONFIG_{:<33}|{:^13}|{:^10}|{:^20}||{:^28}'.format(
opt.name, opt.expected, opt.decision, opt.reason, opt.result))
print()
construct_checklist(arch)
check_config_file(args.config)
error_count = len(list(filter(lambda opt: opt.result.startswith('FAIL'), checklist)))
+ ok_count = len(list(filter(lambda opt: opt.result.startswith('OK'), checklist)))
if debug_mode:
sys.exit(0)
- if error_count == 0:
- print('[+] config check is PASSED')
- sys.exit(0)
- else:
- sys.exit('[-] config check is NOT PASSED: {} errors'.format(error_count))
+ print('[+] config check is finished: \'OK\' - {} / \'FAIL\' - {}'.format(ok_count, error_count))
+ sys.exit(0)
if args.print:
arch = args.print
projects / kconfig-hardened-check.git / blobdiff