#
# This script helps me to check the Linux kernel Kconfig option list
-# against my hardening preferences for x86_64. Let the computers do their job!
+# against my hardening preferences for X86_64, ARM64, X86_32, and ARM.
+# Let the computers do their job!
#
# Author: Alexander Popov <alex.popov@linux.com>
#
#
# N.B. Hardening sysctl's:
# net.core.bpf_jit_harden
-#
-#
-# TODO: add hardening preferences for ARM
import sys
from argparse import ArgumentParser
self.result = None
# self.opts[0] is the option which this OR-check is about.
- # Use case: OR(<X_is_hardened>, <X_is_disabled>)
+ # Use case:
+ # OR(<X_is_hardened>, <X_is_disabled>)
+ # OR(<X_is_hardened>, <X_is_hardened_old>)
@property
def name(self):
if i == 0:
self.result = opt.result
else:
- self.result = 'CONFIG_{}: {} ("{}")'.format(opt.name, opt.result, opt.expected)
+ self.result = 'OK: CONFIG_{} "{}"'.format(opt.name, opt.expected)
return True, self.result
self.result = self.opts[0].result
return False, self.result
modules_not_set))
checklist.append(OR(OptCheck('MODULE_SIG_SHA512', 'y', 'kspp', 'self_protection'), \
modules_not_set))
- checklist.append(OptCheck('MODULE_SIG_FORCE', 'y', 'kspp', 'self_protection')) # refers to LOCK_DOWN_KERNEL
+ checklist.append(OR(OptCheck('MODULE_SIG_FORCE', 'y', 'kspp', 'self_protection'), \
+ modules_not_set)) # refers to LOCK_DOWN_KERNEL
if debug_mode or arch == 'X86_64' or arch == 'X86_32':
checklist.append(OptCheck('DEFAULT_MMAP_MIN_ADDR', '65536', 'kspp', 'self_protection'))
checklist.append(OptCheck('REFCOUNT_FULL', 'y', 'kspp', 'self_protection'))
checklist.append(OptCheck('LOCK_DOWN_KERNEL', 'y', 'my', 'self_protection')) # remember about LOCK_DOWN_MANDATORY
checklist.append(OptCheck('SLUB_DEBUG_ON', 'y', 'my', 'self_protection'))
checklist.append(OptCheck('SECURITY_DMESG_RESTRICT', 'y', 'my', 'self_protection'))
- checklist.append(OptCheck('STATIC_USERMODEHELPER', 'y', 'my', 'self_protection')) # breaks systemd?
- checklist.append(OptCheck('SECURITY_LOADPIN', 'y', 'my', 'self_protection'))
+ checklist.append(OptCheck('STATIC_USERMODEHELPER', 'y', 'my', 'self_protection')) # needs userspace support (systemd)
+ checklist.append(OptCheck('SECURITY_LOADPIN', 'y', 'my', 'self_protection')) # needs userspace support
+ checklist.append(OptCheck('RESET_ATTACK_MITIGATION', 'y', 'my', 'self_protection')) # needs userspace support (systemd)
checklist.append(OptCheck('PAGE_POISONING_NO_SANITY', 'is not set', 'my', 'self_protection'))
checklist.append(OptCheck('PAGE_POISONING_ZERO', 'is not set', 'my', 'self_protection'))
checklist.append(OptCheck('SLAB_MERGE_DEFAULT', 'is not set', 'my', 'self_protection')) # slab_nomerge
checklist.append(OR(OptCheck('STRICT_DEVMEM', 'y', 'defconfig', 'cut_attack_surface'), \
devmem_not_set)) # refers to LOCK_DOWN_KERNEL
+ checklist.append(modules_not_set)
+ checklist.append(devmem_not_set)
checklist.append(OR(OptCheck('IO_STRICT_DEVMEM', 'y', 'kspp', 'cut_attack_surface'), \
devmem_not_set)) # refers to LOCK_DOWN_KERNEL
if debug_mode or arch == 'ARM':
projects / kconfig-hardened-check.git / blobdiff