# page_poison=1
# slub_debug=FZP
# slab_nomerge
-# pti=on
# kernel.kptr_restrict=1
-# lockdown=1
+# lockdown=1 (is it changed?)
+# page_alloc.shuffle=1
+# iommu=force (does it help against DMA attacks?)
#
# Mitigations of CPU vulnerabilities:
# Аrch-independent:
checklist.append(OptCheck('SYN_COOKIES', 'y', 'kspp', 'self_protection')) # another reason?
checklist.append(OptCheck('DEFAULT_MMAP_MIN_ADDR', '32768', 'kspp', 'self_protection'))
+ checklist.append(OR(OptCheck('INIT_STACK_ALL', 'y', 'clipos', 'self_protection'), \
+ OptCheck('GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y', 'kspp', 'self_protection')))
+ checklist.append(OptCheck('INIT_ON_ALLOC_DEFAULT_ON', 'y', 'clipos', 'self_protection'))
+ checklist.append(OptCheck('INIT_ON_FREE_DEFAULT_ON', 'y', 'clipos', 'self_protection'))
checklist.append(OptCheck('SECURITY_DMESG_RESTRICT', 'y', 'clipos', 'self_protection'))
checklist.append(OptCheck('DEBUG_VIRTUAL', 'y', 'clipos', 'self_protection'))
checklist.append(OptCheck('STATIC_USERMODEHELPER', 'y', 'clipos', 'self_protection')) # needs userspace support (systemd)
checklist.append(AND(OptCheck('INTEL_IOMMU_DEFAULT_ON', 'y', 'clipos', 'self_protection'), \
iommu_support_is_set))
- checklist.append(OR(OptCheck('INIT_STACK_ALL', 'y', 'my', 'self_protection'), \
- OptCheck('GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y', 'kspp', 'self_protection')))
checklist.append(OptCheck('SLUB_DEBUG_ON', 'y', 'my', 'self_protection'))
- checklist.append(OptCheck('INIT_ON_ALLOC_DEFAULT_ON', 'y', 'my', 'self_protection'))
- checklist.append(OptCheck('INIT_ON_FREE_DEFAULT_ON', 'y', 'my', 'self_protection'))
checklist.append(OptCheck('RESET_ATTACK_MITIGATION', 'y', 'my', 'self_protection')) # needs userspace support (systemd)
checklist.append(AND(OptCheck('PAGE_POISONING_NO_SANITY', 'is not set', 'my', 'self_protection'), \
page_poisoning_is_set))
return
# header
- print('{:^40}|{:^13}|{:^10}|{:^20}'.format('option name', 'desired val', 'decision', 'reason'), end='')
- sep_line_len = 86
+ print('{:^45}|{:^13}|{:^10}|{:^20}'.format('option name', 'desired val', 'decision', 'reason'), end='')
+ sep_line_len = 91
if with_results:
print('||{:^28}'.format('check result'), end='')
sep_line_len += 30
print('=' * sep_line_len)
for opt in checklist:
- print('CONFIG_{:<33}|{:^13}|{:^10}|{:^20}'.format(opt.name, opt.expected, opt.decision, opt.reason), end='')
+ print('CONFIG_{:<38}|{:^13}|{:^10}|{:^20}'.format(opt.name, opt.expected, opt.decision, opt.reason), end='')
if with_results:
print('||{:^28}'.format(opt.result), end='')
print()