# kernel.perf_event_paranoid=2 (or 3 with a custom patch, see https://lwn.net/Articles/696216/)
# kernel.kexec_load_disabled=1
# kernel.yama.ptrace_scope=3
-# user.max_user_namespaces=0
+# user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone)
# what about bpf_jit_enable?
# kernel.unprivileged_bpf_disabled=1
# net.core.bpf_jit_harden=2
# nosmt sysfs control file
# dev.tty.legacy_tiocsti=0
# vm.mmap_rnd_bits=max (?)
+# kernel.sysrq=0
+# abi.vsyscall32 (any value except 2)
+# kernel.oops_limit (think about a proper value)
+# kernel.warn_limit (think about a proper value)
#
# Think of these boot params:
# module.sig_enforce=1
# intel_iommu=on
# amd_iommu=on
# efi=disable_early_pci_dma
+# cfi=
# pylint: disable=missing-function-docstring,line-too-long,invalid-name
# pylint: disable=too-many-branches,too-many-statements
if arch == 'X86_64':
l += [KconfigCheck('self_protection', 'defconfig', 'PAGE_TABLE_ISOLATION', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_MEMORY', 'y')]
+ l += [KconfigCheck('self_protection', 'defconfig', 'X86_KERNEL_IBT', 'y')]
l += [AND(KconfigCheck('self_protection', 'defconfig', 'INTEL_IOMMU', 'y'),
iommu_support_is_set)]
l += [AND(KconfigCheck('self_protection', 'defconfig', 'AMD_IOMMU', 'y'),
hardened_usercopy_is_set = KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y')
l += [hardened_usercopy_is_set]
l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'),
- hardened_usercopy_is_set)]
+ hardened_usercopy_is_set)] # usercopy whitelist violations should be prohibited
l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_PAGESPAN', 'is not set'),
- hardened_usercopy_is_set)]
+ hardened_usercopy_is_set)] # this debugging for HARDENED_USERCOPY is not needed for security
l += [AND(KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y'),
gcc_plugins_support_is_set)]
l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG', 'y'),
l += [KconfigCheck('cut_attack_surface', 'kspp', 'ACPI_CUSTOM_METHOD', 'is not set')] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_BRK', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'kspp', 'DEVKMEM', 'is not set')] # refers to LOCKDOWN
- l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'kspp', 'BINFMT_MISC', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'kspp', 'INET_DIAG', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'kspp', 'KEXEC', 'is not set')] # refers to LOCKDOWN
devmem_not_set)] # refers to LOCKDOWN
l += [AND(KconfigCheck('cut_attack_surface', 'kspp', 'LDISC_AUTOLOAD', 'is not set'),
KconfigCheck('cut_attack_surface', 'kspp', 'LDISC_AUTOLOAD', 'is present'))]
- if arch == 'X86_64':
- l += [KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y')] # 'vsyscall=none'
+ if arch in ('X86_64', 'X86_32'):
+ l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set')]
+ # CONFIG_COMPAT_VDSO disabled ASLR of vDSO only on X86_64 and X86_32;
+ # on ARM64 this option has different meaning
if arch == 'ARM':
l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'STRICT_DEVMEM', 'y'),
devmem_not_set)] # refers to LOCKDOWN
l += [KconfigCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'clipos', 'KSM', 'is not set')] # to prevent FLUSH+RELOAD attack
l += [KconfigCheck('cut_attack_surface', 'clipos', 'KALLSYMS', 'is not set')]
- l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_VSYSCALL_EMULATION', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'clipos', 'MAGIC_SYSRQ', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'clipos', 'KEXEC_FILE', 'is not set')] # refers to LOCKDOWN (permissive)
l += [KconfigCheck('cut_attack_surface', 'clipos', 'USER_NS', 'is not set')] # user.max_user_namespaces=0
l += [KconfigCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'clipos', 'COREDUMP', 'is not set')] # cut userspace attack surface
# l += [KconfigCheck('cut_attack_surface', 'clipos', 'IKCONFIG', 'is not set')] # no, IKCONFIG is needed for this check :)
+ if arch == 'X86_64':
+ l += [OR(KconfigCheck('cut_attack_surface', 'clipos', 'X86_VSYSCALL_EMULATION', 'is not set'),
+ KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'))]
+ # disabling X86_VSYSCALL_EMULATION turns vsyscall off completely,
+ # and LEGACY_VSYSCALL_NONE can be changed at boot time via the cmdline parameter
# 'cut_attack_surface', 'lockdown'
l += [KconfigCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')] # refers to LOCKDOWN
# 'cut_attack_surface', 'kspp'
if arch == 'X86_64':
l += [OR(CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'none'),
+ KconfigCheck('cut_attack_surface', 'clipos', 'X86_VSYSCALL_EMULATION', 'is not set'),
AND(KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'),
CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'is not set')))]
+ l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'),
+ CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '0'),
+ AND(KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set'),
+ CmdlineCheck('cut_attack_surface', 'my', 'vdso32', 'is not set')))] # the vdso32 parameter must not be 2
+ if arch == 'X86_32':
+ l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'),
+ CmdlineCheck('cut_attack_surface', 'my', 'vdso', '1'),
+ CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '0'),
+ CmdlineCheck('cut_attack_surface', 'my', 'vdso', '0'),
+ AND(KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set'),
+ CmdlineCheck('cut_attack_surface', 'my', 'vdso32', 'is not set'),
+ CmdlineCheck('cut_attack_surface', 'my', 'vdso', 'is not set')))] # the vdso and vdso32 parameters must not be 2
# 'cut_attack_surface', 'grsec'
# The cmdline checks compatible with the kconfig options disabled by grsecurity...
'srbds', # See srbds_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
'mmio_stale_data', # See mmio_stale_data_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
'retbleed', # See retbleed_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
+ 'ssbd', # See parse_spectre_v4_param() in arch/arm64/kernel/proton-pack.c
'tsx' # See tsx_init() in arch/x86/kernel/cpu/tsx.c
]
projects / kconfig-hardened-check.git / blobdiff