# N.B Hardening command line parameters:
# page_alloc.shuffle=1
# iommu=force (does it help against DMA attacks?)
-# iommu.passthrough=0
-# iommu.strict=1
# slub_debug=FZ (slow)
# loadpin.enforce=1
# debugfs=no-mount (or off if possible)
#
# Should NOT be set:
# nokaslr
-# rodata=off
# sysrq_always_enabled
# arm64.nobti
# arm64.nopauth
# vm.unprivileged_userfaultfd=0
# (at first, it disabled unprivileged userfaultfd,
# and since v5.11 it enables unprivileged userfaultfd for user-mode only)
+# vm.mmap_min_addr has a good value
# dev.tty.ldisc_autoload=0
# fs.protected_symlinks=1
# fs.protected_hardlinks=1
def add_kconfig_checks(l, arch):
# Calling the KconfigCheck class constructor:
# KconfigCheck(reason, decision, name, expected)
+ #
+ # [!] Don't add CmdlineChecks in add_kconfig_checks() to avoid wrong results
+ # when the tool doesn't check the cmdline.
modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set')
devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN
l += [KconfigCheck('self_protection', 'defconfig', 'SLUB_DEBUG', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'GCC_PLUGINS', 'y')]
l += [OR(KconfigCheck('self_protection', 'defconfig', 'STACKPROTECTOR', 'y'),
- KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR', 'y'))]
+ KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR', 'y'),
+ KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR_REGULAR', 'y'),
+ KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR_AUTO', 'y'),
+ KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR_STRONG', 'y'))]
l += [OR(KconfigCheck('self_protection', 'defconfig', 'STACKPROTECTOR_STRONG', 'y'),
KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR_STRONG', 'y'))]
l += [OR(KconfigCheck('self_protection', 'defconfig', 'STRICT_KERNEL_RWX', 'y'),
l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_HISTORY', 'y')]
# 'self_protection', 'kspp'
- l += [KconfigCheck('self_protection', 'kspp', 'SECURITY_DMESG_RESTRICT', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_WX', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'WERROR', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_PASSTHROUGH', 'is not set')] # true if IOMMU_DEFAULT_DMA_STRICT is set
l += [KconfigCheck('self_protection', 'kspp', 'ZERO_CALL_USED_REGS', 'y')]
randstruct_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y')
l += [randstruct_is_set]
devmem_not_set)] # refers to LOCKDOWN
# 'cut_attack_surface', 'kspp'
+ l += [KconfigCheck('cut_attack_surface', 'kspp', 'SECURITY_DMESG_RESTRICT', 'y')]
l += [KconfigCheck('cut_attack_surface', 'kspp', 'ACPI_CUSTOM_METHOD', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_BRK', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'kspp', 'DEVKMEM', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('harden_userspace', 'defconfig', 'INTEGRITY', 'y')]
if arch == 'ARM':
l += [KconfigCheck('harden_userspace', 'my', 'INTEGRITY', 'y')]
+ if arch == 'ARM64':
+ l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_PTR_AUTH', 'y')]
+ l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_BTI', 'y')]
if arch in ('ARM', 'X86_32'):
l += [KconfigCheck('harden_userspace', 'defconfig', 'VMSPLIT_3G', 'y')]
if arch in ('X86_64', 'ARM64'):
if arch in ('X86_32', 'ARM'):
l += [KconfigCheck('harden_userspace', 'my', 'ARCH_MMAP_RND_BITS', '16')]
-# l += [KconfigCheck('feature_test', 'my', 'LKDTM', 'm')] # only for debugging!
-
def add_cmdline_checks(l, arch):
# Calling the CmdlineCheck class constructor:
# CmdlineCheck(reason, decision, name, expected)
- # Don't add CmdlineChecks in add_kconfig_checks() to avoid wrong results
- # when the tool doesn't check the cmdline.
+ #
+ # [!] Don't add CmdlineChecks in add_kconfig_checks() to avoid wrong results
+ # when the tool doesn't check the cmdline.
+ #
+ # [!] Make sure that values of the options in CmdlineChecks need normalization.
+ # For more info see normalize_cmdline_options().
+ #
+ # A common pattern for checking the 'param_x' cmdline parameter
+ # that __overrides__ the 'PARAM_X_DEFAULT' kconfig option:
+ # l += [OR(CmdlineCheck(reason, decision, 'param_x', '1'),
+ # AND(KconfigCheck(reason, decision, 'PARAM_X_DEFAULT_ON', 'y'),
+ # CmdlineCheck(reason, decision, 'param_x, 'is not set')))]
+ #
+ # Here we don't check the kconfig options or minimal kernel version
+ # required for the cmdline parameters. That would make the checks
+ # very complex and not give a 100% guarantee anyway.
+
+ if arch == 'ARM64':
+ l += [OR(CmdlineCheck('self_protection', 'defconfig', 'rodata', 'full'),
+ AND(KconfigCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y'),
+ CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set')))]
+ else:
+ l += [OR(CmdlineCheck('self_protection', 'defconfig', 'rodata', '1'),
+ CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set'))]
l += [OR(CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', '1'),
AND(KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y'),
l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_nomerge'),
AND(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'),
CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set')))] # option presence check
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'iommu.strict', '1'),
+ AND(KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y'),
+ CmdlineCheck('self_protection', 'kspp', 'iommu.strict', 'is not set')))]
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'iommu.passthrough', '0'),
+ AND(KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_PASSTHROUGH', 'is not set'),
+ CmdlineCheck('self_protection', 'kspp', 'iommu.passthrough', 'is not set')))]
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'hardened_usercopy', '1'),
+ AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y'),
+ CmdlineCheck('self_protection', 'kspp', 'hardened_usercopy', 'is not set')))]
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', '0'),
+ AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'),
+ CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', 'is not set')))]
if arch in ('X86_64', 'ARM64', 'X86_32'):
l += [OR(CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', '1'),
AND(KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y'),
CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', 'is not set')))]
if arch in ('X86_64', 'X86_32'):
l += [CmdlineCheck('self_protection', 'kspp', 'pti', 'on')]
+
+ if arch == 'X86_64':
+ l += [OR(CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'none'),
+ AND(KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'),
+ CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'is not set')))]
+
# TODO: add other
parsed_options[option] = value
+def normalize_cmdline_options(option, value):
+ # Handle special cases
+ if option == 'pti':
+ # Don't normalize the pti value since
+ # the Linux kernel doesn't use kstrtobool() for pti.
+ # See pti_check_boottime_disable() in linux/arch/x86/mm/pti.c
+ return value
+
+ # Implement a limited part of the kstrtobool() logic
+ if value in ('1', 'on', 'On', 'ON', 'y', 'Y', 'yes', 'Yes', 'YES'):
+ return '1'
+ if value in ('0', 'off', 'Off', 'OFF', 'n', 'N', 'no', 'No', 'NO'):
+ return '0'
+
+ # Preserve unique values
+ return value
+
+
def parse_cmdline_file(parsed_options, fname):
with open(fname, 'r') as f:
line = f.readline()
else:
name = opt
value = '' # '' is not None
+ value = normalize_cmdline_options(name, value)
parsed_options[name] = value
projects / kconfig-hardened-check.git / blobdiff