# Аrch-independent:
# mitigations=auto,nosmt (nosmt is slow)
# X86:
-# spectre_v2=on
# spec_store_bypass_disable=on
# l1tf=full,force
# l1d_flush=on (a part of the l1tf option)
# ssbd=force-on
#
# Should NOT be set:
-# nokaslr
# sysrq_always_enabled
# arm64.nobti
# arm64.nopauth
return arch, 'OK'
-def detect_version(fname):
+def detect_kernel_version(fname):
with open(fname, 'r') as f:
ver_pattern = re.compile("# Linux/.* Kernel Configuration")
for line in f.readlines():
return None, 'no kernel version detected'
+def detect_compiler(fname):
+ gcc_version = None
+ clang_version = None
+ with open(fname, 'r') as f:
+ gcc_version_pattern = re.compile("CONFIG_GCC_VERSION=[0-9]*")
+ clang_version_pattern = re.compile("CONFIG_CLANG_VERSION=[0-9]*")
+ for line in f.readlines():
+ if gcc_version_pattern.match(line):
+ gcc_version = line[19:-1]
+ if clang_version_pattern.match(line):
+ clang_version = line[21:-1]
+ if not gcc_version or not clang_version:
+ return None, 'no CONFIG_GCC_VERSION or CONFIG_CLANG_VERSION'
+ if gcc_version == '0' and clang_version != '0':
+ return 'CLANG ' + clang_version, 'OK'
+ if gcc_version != '0' and clang_version == '0':
+ return 'GCC ' + gcc_version, 'OK'
+ sys.exit('[!] ERROR: invalid GCC_VERSION and CLANG_VERSION: {} {}'.format(gcc_version, clang_version))
+
+
def add_kconfig_checks(l, arch):
# Calling the KconfigCheck class constructor:
# KconfigCheck(reason, decision, name, expected)
# [!] Don't add CmdlineChecks in add_kconfig_checks() to avoid wrong results
# when the tool doesn't check the cmdline.
+ efi_not_set = KconfigCheck('-', '-', 'EFI', 'is not set')
+ cc_is_gcc = KconfigCheck('-', '-', 'CC_IS_GCC', 'y') # exists since v4.18
+ cc_is_clang = KconfigCheck('-', '-', 'CC_IS_CLANG', 'y') # exists since v4.18
+
modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set')
devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN
bpf_syscall_not_set = KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set') # refers to LOCKDOWN
- efi_not_set = KconfigCheck('cut_attack_surface', 'my', 'EFI', 'is not set')
# 'self_protection', 'defconfig'
l += [KconfigCheck('self_protection', 'defconfig', 'BUG', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'SLUB_DEBUG', 'y')]
- l += [KconfigCheck('self_protection', 'defconfig', 'GCC_PLUGINS', 'y')]
+ gcc_plugins_support_is_set = KconfigCheck('self_protection', 'defconfig', 'GCC_PLUGINS', 'y')
+ l += [gcc_plugins_support_is_set]
l += [OR(KconfigCheck('self_protection', 'defconfig', 'STACKPROTECTOR', 'y'),
KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR', 'y'),
KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR_REGULAR', 'y'),
if arch in ('X86_64', 'X86_32'):
l += [KconfigCheck('self_protection', 'defconfig', 'MICROCODE', 'y')] # is needed for mitigating CPU bugs
l += [KconfigCheck('self_protection', 'defconfig', 'RETPOLINE', 'y')]
- l += [KconfigCheck('self_protection', 'defconfig', 'X86_SMAP', 'y')]
+ l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_SMAP', 'y'),
+ VersionCheck((5, 19)))] # X86_SMAP is enabled by default since v5.19
l += [KconfigCheck('self_protection', 'defconfig', 'SYN_COOKIES', 'y')] # another reason?
l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_UMIP', 'y'),
KconfigCheck('self_protection', 'defconfig', 'X86_INTEL_UMIP', 'y'))]
l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_CREDENTIALS', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y')]
- l += [KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y')]
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y'),
+ gcc_plugins_support_is_set)]
l += [KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'WERROR', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_PASSTHROUGH', 'is not set')] # true if IOMMU_DEFAULT_DMA_STRICT is set
l += [KconfigCheck('self_protection', 'kspp', 'ZERO_CALL_USED_REGS', 'y')]
- randstruct_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y')
+ randstruct_is_set = OR(KconfigCheck('self_protection', 'kspp', 'RANDSTRUCT_FULL', 'y'),
+ KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y'))
l += [randstruct_is_set]
hardened_usercopy_is_set = KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y')
l += [hardened_usercopy_is_set]
# That brings higher performance penalty.
if arch in ('X86_64', 'ARM64', 'X86_32'):
stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y')
- l += [stackleak_is_set]
+ l += [AND(stackleak_is_set, gcc_plugins_support_is_set)]
l += [KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')]
if arch in ('X86_64', 'X86_32'):
l += [KconfigCheck('self_protection', 'kspp', 'SCHED_CORE', 'y')]
l += [KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set')]
l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_BOOTLOADER', 'is not set')]
l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_CPU', 'is not set')]
- l += [AND(KconfigCheck('self_protection', 'clipos', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'),
+ l += [AND(KconfigCheck('self_protection', 'clipos', 'RANDSTRUCT_PERFORMANCE', 'is not set'),
+ KconfigCheck('self_protection', 'clipos', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'),
randstruct_is_set)]
if arch in ('X86_64', 'ARM64', 'X86_32'):
l += [AND(KconfigCheck('self_protection', 'clipos', 'STACKLEAK_METRICS', 'is not set'),
- stackleak_is_set)]
+ stackleak_is_set,
+ gcc_plugins_support_is_set)]
l += [AND(KconfigCheck('self_protection', 'clipos', 'STACKLEAK_RUNTIME_DISABLE', 'is not set'),
- stackleak_is_set)]
+ stackleak_is_set,
+ gcc_plugins_support_is_set)]
if arch in ('X86_64', 'X86_32'):
l += [AND(KconfigCheck('self_protection', 'clipos', 'INTEL_IOMMU_DEFAULT_ON', 'y'),
iommu_support_is_set)]
# 'self_protection', 'my'
l += [OR(KconfigCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y'),
efi_not_set)] # needs userspace support (systemd)
+ l += [OR(KconfigCheck('self_protection', 'my', 'UBSAN_LOCAL_BOUNDS', 'y'),
+ AND(ubsan_bounds_is_set,
+ cc_is_gcc))]
if arch == 'X86_64':
l += [KconfigCheck('self_protection', 'my', 'SLS', 'y')] # vs CVE-2021-26341 in Straight-Line-Speculation
l += [AND(KconfigCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'),
iommu_support_is_set)]
if arch == 'ARM64':
- l += [KconfigCheck('self_protection', 'my', 'SHADOW_CALL_STACK', 'y')] # depends on clang, maybe it's alternative to STACKPROTECTOR_STRONG
+ l += [KconfigCheck('self_protection', 'my', 'SHADOW_CALL_STACK', 'y')] # maybe it's alternative to STACKPROTECTOR_STRONG
l += [KconfigCheck('self_protection', 'my', 'KASAN_HW_TAGS', 'y')]
cfi_clang_is_set = KconfigCheck('self_protection', 'my', 'CFI_CLANG', 'y')
l += [cfi_clang_is_set]
if arch == 'ARM':
l += [KconfigCheck('security_policy', 'kspp', 'SECURITY', 'y')] # and choose your favourite LSM
l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_YAMA', 'y')]
+ l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_LANDLOCK', 'y')]
l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DISABLE', 'is not set')]
l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM', 'y')]
l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM_EARLY', 'y')]
# very complex and not give a 100% guarantee anyway.
# 'self_protection', 'defconfig'
+ l += [CmdlineCheck('self_protection', 'defconfig', 'nosmep', 'is not set')]
+ l += [CmdlineCheck('self_protection', 'defconfig', 'nosmap', 'is not set')]
+ l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_v1', 'is not set')]
+ l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_v2', 'is not set')]
if arch == 'ARM64':
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'rodata', 'full'),
AND(KconfigCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y'),
AND(KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_PASSTHROUGH', 'is not set'),
CmdlineCheck('self_protection', 'kspp', 'iommu.passthrough', 'is not set')))]
# The cmdline checks compatible with the kconfig recommendations of the KSPP project...
+ l += [CmdlineCheck('self_protection', 'kspp', 'nokaslr', 'is not set')]
l += [OR(CmdlineCheck('self_protection', 'kspp', 'hardened_usercopy', '1'),
AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y'),
CmdlineCheck('self_protection', 'kspp', 'hardened_usercopy', 'is not set')))]
l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', '0'),
AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'),
CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', 'is not set')))]
- l += [OR(CmdlineCheck('self_protection', 'kspp', 'page_alloc.shuffle', '1'),
- AND(KconfigCheck('self_protection', 'kspp', 'SHUFFLE_PAGE_ALLOCATOR', 'y'),
- CmdlineCheck('self_protection', 'kspp', 'page_alloc.shuffle', 'is not set')))] # ... the end
+ if arch in ('X86_64', 'X86_32'):
+ l += [AND(CmdlineCheck('self_protection', 'kspp', 'pti', 'on'),
+ CmdlineCheck('self_protection', 'kspp', 'nopti', 'is not set'))] # ... the end
if arch in ('X86_64', 'ARM64', 'X86_32'):
l += [OR(CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', '1'),
AND(KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y'),
CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', 'is not set')))]
+
+ # 'self_protection', 'clipos'
+ l += [CmdlineCheck('self_protection', 'clipos', 'page_alloc.shuffle', '1')]
if arch in ('X86_64', 'X86_32'):
- l += [CmdlineCheck('self_protection', 'kspp', 'pti', 'on')]
+ l += [CmdlineCheck('self_protection', 'clipos', 'spectre_v2', 'on')]
# 'cut_attack_surface', 'kspp'
if arch == 'X86_64':
if option == 'pti':
# See pti_check_boottime_disable() in linux/arch/x86/mm/pti.c
return value
+ if option == 'spectre_v2':
+ # See spectre_v2_parse_cmdline() in linux/arch/x86/kernel/cpu/bugs.c
+ return value
if option == 'debugfs':
# See debugfs_kernel() in fs/debugfs/inode.c
return value
if mode != 'json':
print('[+] Detected architecture: {}'.format(arch))
- kernel_version, msg = detect_version(args.config)
+ kernel_version, msg = detect_kernel_version(args.config)
if not kernel_version:
sys.exit('[!] ERROR: {}'.format(msg))
if mode != 'json':
print('[+] Detected kernel version: {}.{}'.format(kernel_version[0], kernel_version[1]))
+ compiler, msg = detect_compiler(args.config)
+ if mode != 'json':
+ if compiler:
+ print('[+] Detected compiler: {}'.format(compiler))
+ else:
+ print('[-] Can\'t detect the compiler: {}'.format(msg))
+
# add relevant kconfig checks to the checklist
add_kconfig_checks(config_checklist, arch)
projects / kconfig-hardened-check.git / blobdiff