# N.B Hardening command line parameters:
# page_alloc.shuffle=1
# iommu=force (does it help against DMA attacks?)
-# iommu.passthrough=0
-# iommu.strict=1
# slub_debug=FZ (slow)
-# init_on_alloc=1 (since v5.3)
-# init_on_free=1 (since v5.3, otherwise slub_debug=P and page_poison=1)
# loadpin.enforce=1
# debugfs=no-mount (or off if possible)
#
# ssbd=force-on
#
# Should NOT be set:
-# slab_merge
# nokaslr
# rodata=off
# sysrq_always_enabled
'empty {} check'.format(self.__class__.__name__)
assert(len(self.opts) != 1), \
'useless {} check: {}'.format(self.__class__.__name__, opts)
- assert(isinstance(opts[0], KconfigCheck) or isinstance(opts[0], CmdlineCheck)), \
+ assert(isinstance(opts[0], (KconfigCheck, CmdlineCheck))), \
'invalid {} check: {}'.format(self.__class__.__name__, opts)
self.result = None
l += [KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'WERROR', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_PASSTHROUGH', 'is not set')] # true if IOMMU_DEFAULT_DMA_STRICT is set
l += [KconfigCheck('self_protection', 'kspp', 'ZERO_CALL_USED_REGS', 'y')]
randstruct_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y')
l += [randstruct_is_set]
if arch in ('X86_64', 'ARM64', 'X86_32'):
stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y')
l += [stackleak_is_set]
- l += [OR(KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y'),
- CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', '1'))]
+ l += [KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')]
if arch in ('X86_64', 'X86_32'):
l += [KconfigCheck('self_protection', 'kspp', 'SCHED_CORE', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '65536')]
l += [KconfigCheck('self_protection', 'clipos', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support
l += [OR(KconfigCheck('self_protection', 'clipos', 'EFI_DISABLE_PCI_DMA', 'y'),
efi_not_set)]
- l += [OR(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'),
- CmdlineCheck('self_protection', 'kspp', 'slab_nomerge'))] # option presence check
+ l += [KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set')]
l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_BOOTLOADER', 'is not set')]
l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_CPU', 'is not set')]
l += [AND(KconfigCheck('self_protection', 'clipos', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'),
def add_cmdline_checks(l, arch):
# Calling the CmdlineCheck class constructor:
# CmdlineCheck(reason, decision, name, expected)
-
+ # Don't add CmdlineChecks in add_kconfig_checks() to avoid wrong results
+ # when the tool doesn't check the cmdline.
+
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', '1'),
+ AND(KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y'),
+ CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', 'is not set')))]
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'init_on_free', '1'),
+ AND(KconfigCheck('self_protection', 'kspp', 'INIT_ON_FREE_DEFAULT_ON', 'y'),
+ CmdlineCheck('self_protection', 'kspp', 'init_on_free', 'is not set')),
+ AND(CmdlineCheck('self_protection', 'kspp', 'page_poison', '1'),
+ KconfigCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'),
+ CmdlineCheck('self_protection', 'kspp', 'slub_debug', 'P')))]
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_nomerge'),
+ AND(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'),
+ CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set')))] # option presence check
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'iommu.strict', '1'),
+ AND(KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y'),
+ CmdlineCheck('self_protection', 'kspp', 'iommu.strict', 'is not set')))]
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'iommu.passthrough', '0'),
+ AND(KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_PASSTHROUGH', 'is not set'),
+ CmdlineCheck('self_protection', 'kspp', 'iommu.passthrough', 'is not set')))]
+ if arch in ('X86_64', 'ARM64', 'X86_32'):
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', '1'),
+ AND(KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y'),
+ CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', 'is not set')))]
if arch in ('X86_64', 'X86_32'):
l += [CmdlineCheck('self_protection', 'kspp', 'pti', 'on')]
+
+ if arch == 'X86_64':
+ l += [OR(CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'none'),
+ AND(KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'),
+ CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'is not set')))]
+
# TODO: add other
if opt_is_on.match(line):
option, value = line.split('=', 1)
+ if value == 'is not set':
+ sys.exit('[!] ERROR: bad enabled kconfig option "{}"'.format(line))
elif opt_is_off.match(line):
option, value = line[2:].split(' ', 1)
if value != 'is not set':
# add relevant kconfig checks to the checklist
add_kconfig_checks(config_checklist, arch)
+ if args.cmdline:
+ # add relevant cmdline checks to the checklist
+ add_cmdline_checks(config_checklist, arch)
+
# populate the checklist with the parsed kconfig data
parsed_kconfig_options = OrderedDict()
parse_kconfig_file(parsed_kconfig_options, args.config)
populate_with_data(config_checklist, kernel_version, 'version')
if args.cmdline:
- # add relevant cmdline checks to the checklist
- add_cmdline_checks(config_checklist, arch)
-
# populate the checklist with the parsed kconfig data
parsed_cmdline_options = OrderedDict()
parse_cmdline_file(parsed_cmdline_options, args.cmdline)
parser.print_help()
sys.exit(0)
-
-if __name__ == '__main__':
- main()