# N.B Hardening command line parameters:
# slub_debug=FZP
# slab_nomerge
-# kernel.kptr_restrict=1
# page_alloc.shuffle=1
# iommu=force (does it help against DMA attacks?)
# page_poison=1 (if enabled)
# spec_store_bypass_disable=on
# l1tf=full,force
# mds=full,nosmt
+# tsx=off
# ARM64:
# kpti=on
# ssbd=force-on
#
# N.B. Hardening sysctls:
-# net.core.bpf_jit_harden=2
-# kptr_restrict=2
-# vm.unprivileged_userfaultfd=0
+# kernel.kptr_restrict=2
+# kernel.dmesg_restrict=1
# kernel.perf_event_paranoid=3
-# kernel.yama.ptrace_scope=1 (or even 3?)
+# kernel.kexec_load_disabled=1
+# kernel.yama.ptrace_scope=3
+# user.max_user_namespaces=0
# kernel.unprivileged_bpf_disabled=1
+# net.core.bpf_jit_harden=2
+#
+# vm.unprivileged_userfaultfd=0
+#
+# dev.tty.ldisc_autoload=0
+# fs.protected_symlinks=1
+# fs.protected_hardlinks=1
+# fs.protected_fifos=2
+# fs.protected_regular=2
# fs.suid_dumpable=0
-# fs.protected_symlinks = 1
-# fs.protected_hardlinks = 1
-# fs.protected_fifos = 2
-# fs.protected_regular = 2
+# kernel.modules_disabled=1
import sys
from argparse import ArgumentParser
checklist.append(OptCheck('BPF_SYSCALL', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN
checklist.append(OptCheck('MMIOTRACE_TEST', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN
+ if arch == 'X86_64' or arch == 'X86_32':
+ checklist.append(OptCheck('X86_INTEL_TSX_MODE_OFF', 'y', 'clipos', 'cut_attack_surface')) # tsx=off
checklist.append(OptCheck('STAGING', 'is not set', 'clipos', 'cut_attack_surface'))
checklist.append(OptCheck('KSM', 'is not set', 'clipos', 'cut_attack_surface')) # to prevent FLUSH+RELOAD attack
# checklist.append(OptCheck('IKCONFIG', 'is not set', 'clipos', 'cut_attack_surface')) # no, this info is needed for this check :)