# kernel.kptr_restrict=1
# lockdown=1
#
-# spectre_v2=on
-# pti=on
-# spec_store_bypass_disable=on
-# l1tf=full,force
-#
+# Mitigations of CPU vulnerabilities:
+# Аrch-independent:
+# mitigations=auto,nosmt
+# X86:
+# spectre_v2=on
+# pti=on
+# spec_store_bypass_disable=on
+# l1tf=full,force
+# mds=full,nosmt
+# ARM64:
+# ? CONFIG_HARDEN_BRANCH_PREDICTOR
+# kpti=on
+# ssbd=force-on
#
# N.B. Hardening sysctl's:
# net.core.bpf_jit_harden
+# kptr_restrict=2
import sys
from argparse import ArgumentParser
page_poisoning_is_set))
if debug_mode or arch == 'X86_32':
checklist.append(OptCheck('PAGE_TABLE_ISOLATION', 'y', 'my', 'self_protection'))
+ if debug_mode or arch == 'ARM':
+ checklist.append(OptCheck('STACKPROTECTOR_PER_TASK', 'y', 'my', 'self_protection'))
if debug_mode or arch == 'X86_64' or arch == 'ARM64' or arch == 'X86_32':
checklist.append(OptCheck('SECURITY', 'y', 'defconfig', 'security_policy'))
if debug_mode or arch == 'X86_32':
checklist.append(OptCheck('MODIFY_LDT_SYSCALL', 'is not set', 'my', 'cut_attack_surface'))
+ if debug_mode or arch == 'ARM64':
+ checklist.append(OptCheck('ARM64_PTR_AUTH', 'y', 'defconfig', 'userspace_protection'))
if debug_mode or arch == 'X86_64' or arch == 'ARM64':
checklist.append(OptCheck('ARCH_MMAP_RND_BITS', '32', 'my', 'userspace_protection'))
if debug_mode or arch == 'X86_32' or arch == 'ARM':
projects / kconfig-hardened-check.git / blobdiff