# Please don't cry if my Python code looks like C.
#
#
-# N.B Missing hardening command line parameters:
-# iommu=force (does it help against DMA attacks?)
-#
-# Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE):
-# kasan=on
-# kasan.stacktrace=off
-# kasan.fault=panic
-#
# N.B. Hardening sysctls:
# kernel.kptr_restrict=2 (or 1?)
# kernel.dmesg_restrict=1 (also see the kconfig option)
'invalid expected value "{}" for "{}" check (1)'.format(expected, name)
val_len = len(expected.split())
if val_len == 3:
- assert(expected == 'is not set' or expected == 'is not off'), \
+ assert(expected in ('is not set', 'is not off')), \
'invalid expected value "{}" for "{}" check (2)'.format(expected, name)
elif val_len == 2:
assert(expected == 'is present'), \
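Review bot: The `assert` on line 19 validates a caller-supplied `expected` string, and assert statements are stripped when Python runs with `-O`, so that validation (and the sibling one on line 22) silently disappears in optimized mode; an explicit `if expected not in ('is not set', 'is not off'):` followed by `raise ValueError('invalid expected value "{}" for "{}" check (2)'.format(expected, name))` keeps it unconditional. As a point of style, `assert(cond), msg` with parentheses reads like a call; `assert expected in (...), msg` is the conventional form. The enclosing function starts before this hunk and continues after it, so the remaining asserts there would presumably want the same treatment.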
self.result = 'FAIL: {} is not "{}"'.format(opt.name, opt.expected)
elif opt.result == 'FAIL: is not present':
self.result = 'FAIL: {} is not present'.format(opt.name)
- elif opt.result == 'FAIL: is off' or opt.result == 'FAIL: is off, "0"':
+ elif opt.result in ('FAIL: is off', 'FAIL: is off, "0"'):
self.result = 'FAIL: {} is off'.format(opt.name)
elif opt.result == 'FAIL: is off, not found':
self.result = 'FAIL: {} is off, not found'.format(opt.name)
if arch == 'ARM64':
l += [KconfigCheck('self_protection', 'kspp', 'ARM64_SW_TTBR0_PAN', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'SHADOW_CALL_STACK', 'y')]
- l += [KconfigCheck('self_protection', 'kspp', 'KASAN_HW_TAGS', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'KASAN_HW_TAGS', 'y')] # see also: kasan=on, kasan.stacktrace=off, kasan.fault=panic
if arch == 'X86_32':
l += [KconfigCheck('self_protection', 'kspp', 'PAGE_TABLE_ISOLATION', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'HIGHMEM64G', 'y')]
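Review bot: The trailing comment appended on line 35 pushes that line well past the width of its neighbours and attaches command-line notes to a Kconfig check, which makes it easy to miss. A comment on its own line above the check reads better and keeps the hint that the deleted header lines carried, e.g. `# hardware tag-based KASAN (arm64 MTE): see also kasan=on, kasan.stacktrace=off, kasan.fault=panic`. The surrounding arch-specific block starts before this hunk.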
CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not set'))]
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not off'),
CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not set'))]
+ l += [OR(CmdlineCheck('self_protection', 'defconfig', 'kvm.nx_huge_pages', 'is not off'),
+ CmdlineCheck('self_protection', 'defconfig', 'kvm.nx_huge_pages', 'is not set'))]
if arch == 'ARM64':
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'ssbd', 'kernel'),
CmdlineCheck('self_protection', 'my', 'ssbd', 'force-on'),
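Review bot: The new `kvm.nx_huge_pages` checks on lines 42-43 carry no visible architecture condition, and `kvm.nx_huge_pages` is a parameter of the x86 kvm module (the iTLB multihit mitigation control), so unless the enclosing block is already limited to X86_64/X86_32 — its `if` line, if any, is outside this hunk and indentation is not recoverable here — the check would be evaluated and reported on ARM64 as well, where the parameter does not exist. Worth confirming the guard, and worth a one-line comment above the check such as `# kvm.nx_huge_pages is x86 KVM only (iTLB multihit mitigation)` so the dependence on the surrounding arch condition is explicit. The neighbouring `retbleed` and `kpti` checks share the same dependence on that guard.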
CmdlineCheck('self_protection', 'kspp', 'slub_debug', 'P')))]
l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_nomerge', 'is present'),
AND(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'),
- CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set')))]
+ CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set'),
+ CmdlineCheck('self_protection', 'clipos', 'slub_merge', 'is not set')))]
l += [OR(CmdlineCheck('self_protection', 'kspp', 'iommu.strict', '1'),
AND(KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y'),
CmdlineCheck('self_protection', 'kspp', 'iommu.strict', 'is not set')))]
# 'self_protection', 'clipos'
l += [CmdlineCheck('self_protection', 'clipos', 'page_alloc.shuffle', '1')]
+ if arch in ('X86_64', 'X86_32'):
+ l += [CmdlineCheck('self_protection', 'clipos', 'iommu', 'force')]
# 'cut_attack_surface', 'defconfig'
if arch in ('X86_64', 'X86_32'):