projects / kconfig-hardened-check.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
SECURITY_LOCKDOWN_LSM is recommended by CLIP OS
[kconfig-hardened-check.git] / kconfig-hardened-check.py
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index 3efaf403b5650066e184f128f0033ebdd64097ce..c7eab1b0a40020200a5cdaa3a46867c5353077ec 100755 (executable)
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -14,7 +14,6 @@
 #    slub_debug=FZP
 #    slab_nomerge
 #    kernel.kptr_restrict=1
-#    lockdown=1 (is it changed?)
 #    page_alloc.shuffle=1
 #    iommu=force (does it help against DMA attacks?)
 #    page_poison=1 (if enabled)
@@ -140,7 +139,7 @@ class ComplexOptCheck:
 
 
 class OR(ComplexOptCheck):
-    # self.opts[0] is the option which this OR-check is about.
+    # self.opts[0] is the option that this OR-check is about.
     # Use case:
     #     OR(<X_is_hardened>, <X_is_disabled>)
     #     OR(<X_is_hardened>, <X_is_hardened_old>)
@@ -162,7 +161,7 @@ class OR(ComplexOptCheck):
 
 
 class AND(ComplexOptCheck):
-    # self.opts[0] is the option which this AND-check is about.
+    # self.opts[0] is the option that this AND-check is about.
     # Use case: AND(<suboption>, <main_option>)
     # Suboption is not checked if checking of the main_option is failed.
 
@@ -347,13 +346,13 @@ def construct_checklist(checklist, arch):
     if arch == 'ARM':
         checklist.append(OptCheck('SECURITY',                               'y', 'kspp', 'security_policy')) # and choose your favourite LSM
     checklist.append(OptCheck('SECURITY_YAMA',                          'y', 'kspp', 'security_policy'))
+    checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM',                  'y', 'clipos', 'security_policy'))
+    checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY',            'y', 'clipos', 'security_policy'))
+    checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'clipos', 'security_policy'))
     loadpin_is_set = OptCheck('SECURITY_LOADPIN',                       'y', 'my', 'security_policy') # needs userspace support
     checklist.append(loadpin_is_set)
     checklist.append(AND(OptCheck('SECURITY_LOADPIN_ENFORCE',           'y', 'my', 'security_policy'), \
                          loadpin_is_set))
-    checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM',                  'y', 'my', 'security_policy'))
-    checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY',            'y', 'my', 'security_policy'))
-    checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'my', 'security_policy'))
     checklist.append(OptCheck('SECURITY_SAFESETID',                     'y', 'my', 'security_policy'))
     checklist.append(OptCheck('SECURITY_WRITABLE_HOOKS',                'is not set', 'my', 'security_policy'))
 
@@ -434,6 +433,7 @@ def construct_checklist(checklist, arch):
     if arch == 'X86_32':
         checklist.append(OptCheck('MODIFY_LDT_SYSCALL',   'is not set', 'my', 'cut_attack_surface'))
 
+    checklist.append(OptCheck('INTEGRITY',       'y', 'defconfig', 'userspace_hardening'))
     if arch == 'ARM64':
         checklist.append(OptCheck('ARM64_PTR_AUTH',       'y', 'defconfig', 'userspace_hardening'))
     if arch == 'X86_64' or arch == 'ARM64':
kconfig-hardened-check