#
# This tool helps me to check the Linux kernel Kconfig option list
-# against my hardening preferences for X86_64, ARM64, X86_32, and ARM.
+# against my security hardening preferences for X86_64, ARM64, X86_32, and ARM.
# Let the computers do their job!
#
# Author: Alexander Popov <alex.popov@linux.com>
# init_on_free=1 (since v5.3, otherwise slub_debug=P and page_poison=1)
# loadpin.enforce=1
# debugfs=no-mount (or off if possible)
+# randomize_kstack_offset=1
#
# Mitigations of CPU vulnerabilities:
# Аrch-independent:
# kpti=on
# ssbd=force-on
#
+# Should NOT be set:
+# nokaslr
+# arm64.nobti
+# arm64.nopauth
+#
+# Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE):
+# kasan=on
+# kasan.stacktrace=off
+# kasan.fault=panic
+#
# N.B. Hardening sysctls:
# kernel.kptr_restrict=2 (or 1?)
# kernel.dmesg_restrict=1 (also see the kconfig option)
# net.core.bpf_jit_harden=2
#
# vm.unprivileged_userfaultfd=0
+# (at first, it disabled unprivileged userfaultfd,
+# and since v5.11 it enables unprivileged userfaultfd for user-mode only)
#
# dev.tty.ldisc_autoload=0
# fs.protected_symlinks=1
l += [OptCheck('self_protection', 'defconfig', 'SYN_COOKIES', 'y')] # another reason?
l += [OR(OptCheck('self_protection', 'defconfig', 'X86_UMIP', 'y'),
OptCheck('self_protection', 'defconfig', 'X86_INTEL_UMIP', 'y'))]
+ if arch in ('ARM64', 'ARM'):
+ l += [OptCheck('self_protection', 'defconfig', 'STACKPROTECTOR_PER_TASK', 'y')]
if arch == 'X86_64':
l += [OptCheck('self_protection', 'defconfig', 'PAGE_TABLE_ISOLATION', 'y')]
l += [OptCheck('self_protection', 'defconfig', 'RANDOMIZE_MEMORY', 'y')]
iommu_support_is_set)]
if arch == 'ARM64':
l += [OptCheck('self_protection', 'defconfig', 'ARM64_PAN', 'y')]
+ l += [OptCheck('self_protection', 'defconfig', 'ARM64_EPAN', 'y')]
l += [OptCheck('self_protection', 'defconfig', 'UNMAP_KERNEL_AT_EL0', 'y')]
l += [OR(OptCheck('self_protection', 'defconfig', 'HARDEN_EL2_VECTORS', 'y'),
AND(OptCheck('self_protection', 'defconfig', 'RANDOMIZE_BASE', 'y'),
l += [OptCheck('self_protection', 'defconfig', 'ARM64_PTR_AUTH', 'y')]
l += [OptCheck('self_protection', 'defconfig', 'ARM64_BTI_KERNEL', 'y')]
l += [OR(OptCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y'),
- VerCheck((5, 10)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10
+ VerCheck((5, 10)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10
+ l += [OptCheck('self_protection', 'defconfig', 'ARM64_MTE', 'y')]
if arch == 'ARM':
l += [OptCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')]
- l += [OptCheck('self_protection', 'defconfig', 'STACKPROTECTOR_PER_TASK', 'y')]
l += [OptCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')]
# 'self_protection', 'kspp'
l += [OR(OptCheck('self_protection', 'kspp', 'INIT_STACK_ALL_ZERO', 'y'),
OptCheck('self_protection', 'kspp', 'GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y'))]
l += [OR(OptCheck('self_protection', 'kspp', 'INIT_ON_FREE_DEFAULT_ON', 'y'),
- OptCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'))] # before v5.3
+ OptCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'))]
+ # CONFIG_INIT_ON_FREE_DEFAULT_ON was added in v5.3.
+ # CONFIG_PAGE_POISONING_ZERO was removed in v5.11.
+ # Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks
+ # the 0xAA poison pattern on allocation.
+ # That brings higher performance penalty.
if arch in ('X86_64', 'ARM64', 'X86_32'):
stackleak_is_set = OptCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y')
l += [stackleak_is_set]
OptCheck('self_protection', 'my', 'UBSAN_MISC', 'is not set'),
OptCheck('self_protection', 'my', 'UBSAN_TRAP', 'y'))]
l += [OptCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y')] # needs userspace support (systemd)
+ if arch in ('X86_64', 'ARM64', 'X86_32'):
+ l += [OptCheck('self_protection', 'my', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')]
if arch == 'X86_64':
l += [AND(OptCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'),
iommu_support_is_set)]
if arch == 'ARM64':
- l += [OptCheck('self_protection', 'my', 'SHADOW_CALL_STACK', 'y')] # maybe it should be alternative to STACKPROTECTOR_STRONG
+ l += [OptCheck('self_protection', 'my', 'SHADOW_CALL_STACK', 'y')] # depends on clang, maybe it's alternative to STACKPROTECTOR_STRONG
+ l += [OptCheck('self_protection', 'my', 'KASAN_HW_TAGS', 'y')]
+ cfi_clang_is_set = OptCheck('self_protection', 'my', 'CFI_CLANG', 'y')
+ l += [cfi_clang_is_set]
+ l += [AND(OptCheck('self_protection', 'my', 'CFI_PERMISSIVE', 'is not set'),
+ cfi_clang_is_set)]
# 'security_policy'
if arch in ('X86_64', 'ARM64', 'X86_32'):
l += [OptCheck('cut_attack_surface', 'maintainer', 'DRM_LEGACY', 'is not set')]
l += [OptCheck('cut_attack_surface', 'maintainer', 'FB', 'is not set')]
l += [OptCheck('cut_attack_surface', 'maintainer', 'VT', 'is not set')]
+ l += [OptCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD', 'is not set')]
# 'cut_attack_surface', 'grapheneos'
l += [OptCheck('cut_attack_surface', 'grapheneos', 'AIO', 'is not set')]
report_modes = ['verbose', 'json', 'show_ok', 'show_fail']
supported_archs = ['X86_64', 'X86_32', 'ARM64', 'ARM']
parser = ArgumentParser(prog='kconfig-hardened-check',
- description='Checks the hardening options in the Linux kernel config')
+ description='A tool for checking the security hardening options of the Linux kernel')
parser.add_argument('--version', action='version', version='%(prog)s ' + __version__)
parser.add_argument('-p', '--print', choices=supported_archs,
- help='print hardening preferences for selected architecture')
+ help='print security hardening preferences for the selected architecture')
parser.add_argument('-c', '--config',
help='check the kernel config file against these preferences')
parser.add_argument('-m', '--mode', choices=report_modes,
arch = args.print
construct_checklist(config_checklist, arch)
if mode != 'json':
- print('[+] Printing kernel hardening preferences for {}...'.format(arch))
+ print('[+] Printing kernel security hardening preferences for {}...'.format(arch))
print_checklist(mode, config_checklist, False)
sys.exit(0)