X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;ds=inline;f=README.md;h=c5cc464071aae5b8376c33fe7eff8888202cb59c;hb=7509302a8f521d5bc201dc4d21c53a68e595abb8;hp=ffae44456c0921af6131893a3d137ebbfad0d684;hpb=75bed5d6178375a64f93ced4795ee0cf47442df1;p=kconfig-hardened-check.git
diff --git a/README.md b/README.md
index ffae444..c5cc464 100644
--- a/README.md
+++ b/README.md
@@ -44,7 +44,7 @@ or simply run `./bin/kconfig-hardened-check` from the cloned repository.
## Usage
```
usage: kconfig-hardened-check [-h] [-p {X86_64,X86_32,ARM64,ARM}] [-c CONFIG]
- [--debug] [--json]
+ [--debug] [--json] [--version]
Checks the hardening options in the Linux kernel config
@@ -56,17 +56,18 @@ optional arguments:
check the config_file against these preferences
--debug enable verbose debug mode
--json print results in JSON format
+ --version show program's version number and exit
```
-## Output for `Ubuntu 18.04 (Bionic Beaver with HWE)` kernel config
+## Output for `Ubuntu 20.04 LTS (Focal Fossa)` kernel config
```
-$ ./bin/kconfig-hardened-check -c kconfig_hardened_check/config_files/distros/ubuntu-bionic-generic.config
-[+] Trying to detect architecture in "kconfig_hardened_check/config_files/distros/ubuntu-bionic-generic.config"...
+$ ./bin/kconfig-hardened-check -c kconfig_hardened_check/config_files/distros/ubuntu-focal.config
+[+] Trying to detect architecture in "kconfig_hardened_check/config_files/distros/ubuntu-focal.config"...
[+] Detected architecture: X86_64
-[+] Trying to detect kernel version in "kconfig_hardened_check/config_files/distros/ubuntu-bionic-generic.config"...
-[+] Found version line: "# Linux/x86 5.3.0-28-generic Kernel Configuration"
-[+] Detected kernel version: 5.3
-[+] Checking "kconfig_hardened_check/config_files/distros/ubuntu-bionic-generic.config" against X86_64 hardening preferences...
+[+] Trying to detect kernel version in "kconfig_hardened_check/config_files/distros/ubuntu-focal.config"...
+[+] Found version line: "# Linux/x86 5.4.0-29-generic Kernel Configuration"
+[+] Detected kernel version: 5.4
+[+] Checking "kconfig_hardened_check/config_files/distros/ubuntu-focal.config" against X86_64 hardening preferences...
=========================================================================================================================
option name | desired val | decision | reason | check result
=========================================================================================================================
@@ -121,7 +122,7 @@ CONFIG_DEBUG_VIRTUAL | y | clipos | self_pr
CONFIG_STATIC_USERMODEHELPER | y | clipos | self_protection | FAIL: "is not set"
CONFIG_SLAB_MERGE_DEFAULT | is not set | clipos | self_protection | FAIL: "y"
CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT is needed
-CONFIG_RANDOM_TRUST_BOOTLOADER | is not set | clipos | self_protection | OK: not found
+CONFIG_RANDOM_TRUST_BOOTLOADER | is not set | clipos | self_protection | FAIL: "y"
CONFIG_RANDOM_TRUST_CPU | is not set | clipos | self_protection | FAIL: "y"
CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection | OK
CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection | FAIL: "is not set"
@@ -131,9 +132,9 @@ CONFIG_AMD_IOMMU_V2 | y | my | self_pr
CONFIG_SECURITY | y |defconfig | security_policy | OK
CONFIG_SECURITY_YAMA | y | kspp | security_policy | OK
CONFIG_SECURITY_WRITABLE_HOOKS | is not set | my | security_policy | OK: not found
-CONFIG_SECURITY_LOCKDOWN_LSM | y | clipos | security_policy | FAIL: not found
-CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | clipos | security_policy | FAIL: not found
-CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY| y | clipos | security_policy | FAIL: not found
+CONFIG_SECURITY_LOCKDOWN_LSM | y | clipos | security_policy | OK
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | clipos | security_policy | OK
+CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY| y | clipos | security_policy | FAIL: "is not set"
CONFIG_SECURITY_LOADPIN | y | my | security_policy | FAIL: "is not set"
CONFIG_SECURITY_LOADPIN_ENFORCE | y | my | security_policy | FAIL: CONFIG_SECURITY_LOADPIN is needed
CONFIG_SECURITY_SAFESETID | y | my | security_policy | OK
@@ -203,10 +204,11 @@ CONFIG_IP_SCTP | is not set | my | cut_atta
CONFIG_FTRACE | is not set | my | cut_attack_surface | FAIL: "y"
CONFIG_BPF_JIT | is not set | my | cut_attack_surface | FAIL: "y"
CONFIG_VIDEO_VIVID | is not set | my | cut_attack_surface | FAIL: "m"
+CONFIG_INPUT_EVBUG | is not set | my | cut_attack_surface | FAIL: "m"
CONFIG_INTEGRITY | y |defconfig |userspace_hardening | OK
CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | FAIL: "28"
-[+] config check is finished: 'OK' - 56 / 'FAIL' - 79
+[+] config check is finished: 'OK' - 57 / 'FAIL' - 79
```
## kconfig-hardened-check versioning
@@ -215,9 +217,7 @@ I usually update the kernel hardening recommendations after each Linux kernel re
So the version of `kconfig-hardened-check` is associated with the corresponding version of the kernel.
-The version format is: __[major_number].[kernel_version]__
-
-The current version of `kconfig-hardened-check` is __0.5.5__, it's marked with the git tag.
+The version format is: __[major_number].[kernel_version].[kernel_patchlevel]__
## Questions and answers
@@ -248,9 +248,32 @@ __A:__ I personally don't support this recommendation because it provides easy d
attacks for the whole system (kernel oops is not a rare situation). I think having `CONFIG_BUG` is enough here --
if we have a kernel oops in the process context, the offending/attacking process is killed.
+
+
+__Q:__ What about performance impact of these kernel hardening options?
+
+__A:__ Ike Devolder [@BlackIkeEagle][7] made some performance tests and described the results in [this article][8].
+
+
+
+__Q:__ Why enabling `CONFIG_STATIC_USERMODEHELPER` breaks various things in my GNU/Linux system?
+Do I really need that feature?
+
+__A:__ Linux kernel usermode helpers can be used for privilege escalation in kernel exploits
+([example 1][9], [example 2][10]). `CONFIG_STATIC_USERMODEHELPER` prevents that method. But it
+requires the corresponding support in the userspace: see the [example implementation][11] by
+Tycho Andersen [@tych0][12].
+
+
[1]: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
[2]: https://docs.clip-os.org/clipos/kernel.html#configuration
[3]: https://grsecurity.net/
[4]: https://github.com/a13xp0p0v/linux-kernel-defence-map
[5]: https://lwn.net/Articles/791863/
[6]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/38
+[7]: https://github.com/BlackIkeEagle
+[8]: https://blog.herecura.eu/blog/2020-05-30-kconfig-hardening-tests/
+[9]: https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html
+[10]: https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
+[11]: https://github.com/tych0/huldufolk
+[12]: https://github.com/tych0