Improve 'dunno' report in debug_mode
[kconfig-hardened-check.git] / kconfig-hardened-check.py
index 85a0d2fb8086c40a034c49b0da9d845ddf68b28b..79206d2785706cad163b127c6899197f097ebbab 100755 (executable)
@@ -20,6 +20,7 @@
 #    page_poison=1 (if enabled)
 #    init_on_alloc=1
 #    init_on_free=1
+#    loadpin.enforce=1
 #
 #    Mitigations of CPU vulnerabilities:
 #       Аrch-independent:
@@ -347,7 +348,10 @@ def construct_checklist(checklist, arch):
     if debug_mode or arch == 'ARM':
         checklist.append(OptCheck('SECURITY',                               'y', 'kspp', 'security_policy')) # and choose your favourite LSM
     checklist.append(OptCheck('SECURITY_YAMA',                          'y', 'kspp', 'security_policy'))
-    checklist.append(OptCheck('SECURITY_LOADPIN',                       'y', 'my', 'security_policy')) # needs userspace support
+    loadpin_is_set = OptCheck('SECURITY_LOADPIN',                       'y', 'my', 'security_policy') # needs userspace support
+    checklist.append(loadpin_is_set)
+    checklist.append(AND(OptCheck('SECURITY_LOADPIN_ENFORCE',           'y', 'my', 'security_policy'), \
+                         loadpin_is_set))
     checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM',                  'y', 'my', 'security_policy'))
     checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY',            'y', 'my', 'security_policy'))
     checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'my', 'security_policy'))
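Review bot: The same OptCheck instance is placed in the checklist twice — once directly and once as the second operand of the AND — so whatever per-check state OptCheck keeps after perform_checks() (a result string, presumably; its class is outside this hunk) is shared between both entries, which is fine for the report but worth a comment: `# same object on purpose: ENFORCE only makes sense when LOADPIN itself is set`. The name `loadpin_is_set` reads as a boolean, while it is a check object; `loadpin_check` would say what it is. The backslash at the end of the `AND(` line is redundant inside an open parenthesis and can be dropped. construct_checklist starts and ends outside this hunk.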
@@ -410,6 +414,7 @@ def construct_checklist(checklist, arch):
     checklist.append(OptCheck('BPF_SYSCALL',          'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
     checklist.append(OptCheck('MMIOTRACE_TEST',       'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
 
+    checklist.append(OptCheck('STAGING',                  'is not set', 'clipos', 'cut_attack_surface'))
     checklist.append(OptCheck('KSM',                      'is not set', 'clipos', 'cut_attack_surface')) # to prevent FLUSH+RELOAD attack
 #   checklist.append(OptCheck('IKCONFIG',                 'is not set', 'clipos', 'cut_attack_surface')) # no, this info is needed for this check :)
     checklist.append(OptCheck('KALLSYMS',                 'is not set', 'clipos', 'cut_attack_surface'))
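Review bot: The new STAGING line is the only entry in this group without a why-comment, while its neighbours (KSM, IKCONFIG) explain their reason inline; a short one such as `# unfinished drivers, large and rarely audited attack surface` keeps the list self-documenting for readers comparing it with the CLIP OS recommendations. construct_checklist continues outside this hunk.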
@@ -540,7 +545,14 @@ def check_config_file(checklist, fname):
         perform_checks(checklist, parsed_options)
 
         if debug_mode:
-            known_options = [opt.name for opt in checklist]
+            known_options = []
+            for opt in checklist:
+                if hasattr(opt, 'opts'):
+                    for o in opt.opts:
+                        if hasattr(o, 'name'):
+                            known_options.append(o.name)
+                else:
+                    known_options.append(opt.name)
             for option, value in parsed_options.items():
                 if option not in known_options:
                     print('DEBUG: dunno about option {} ({})'.format(option, value))
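Review bot: The new known_options loop only descends one level: a complex check nested inside another (an AND or OR whose `opts` contains another AND/OR) fails the `hasattr(o, 'name')` test and is silently skipped, so its leaf options are then misreported as "dunno". A small recursive walk covers any nesting depth, and collecting into a set makes the `option not in known_options` test below O(1) per parsed option instead of a list scan. check_config_file starts outside this hunk, and the loop that prints the "dunno" lines is left as is.
```python
        if debug_mode:
            def collect_names(check, acc):
                # complex checks expose .opts; leaves expose .name
                if hasattr(check, 'opts'):
                    for sub in check.opts:
                        collect_names(sub, acc)
                else:
                    acc.add(check.name)
                return acc
            known_options = set()
            for opt in checklist:
                collect_names(opt, known_options)
            # … unchanged: loop printing 'DEBUG: dunno about option' …
```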