X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=README.md;h=03b8bcfbc7d6ee781e0f3700eb04b8e0d687e693;hb=7f9ca336e7f48c966e18fece3804f8a3de5ce9b5;hp=6840e55924684cf5fed24d208952bf7bf4cb45ba;hpb=0db002da2fa008b61ab9837816be23e1e7533feb;p=kconfig-hardened-check.git
diff --git a/README.md b/README.md
index 6840e55..03b8bcf 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,6 @@
# kconfig-hardened-check
+![GitHub tag (latest by date)](https://img.shields.io/github/v/tag/a13xp0p0v/kconfig-hardened-check?label=release)
![functional test](https://github.com/a13xp0p0v/kconfig-hardened-check/workflows/functional%20test/badge.svg)
[![Coverage Status](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check/graph/badge.svg)](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check)
@@ -11,18 +12,18 @@ make our systems more secure.
But nobody likes checking configs manually. So let the computers do their job!
-__kconfig-hardened-check.py__ helps me to check the Linux kernel options
+__kconfig-hardened-check__ helps me to check the Linux kernel options
against my security hardening preferences, which are based on the
- - [KSPP recommended settings][1],
- - [CLIP OS kernel configuration][2],
- - Last public [grsecurity][3] patch (options which they disable),
- - [SECURITY_LOCKDOWN_LSM][5] patchset,
- - Direct feedback from Linux kernel maintainers (see [#38][6], [#53][15], [#54][16], [#62][17]).
+ - [KSPP recommended settings][1]
+ - [CLIP OS kernel configuration][2]
+ - Last public [grsecurity][3] patch (options which they disable)
+ - [SECURITY_LOCKDOWN_LSM][5] patchset
+ - [Direct feedback from the Linux kernel maintainers][23]
This tool supports checking __Kconfig__ options and __kernel cmdline__ parameters.
-I also created [__Linux Kernel Defence Map__][4] that is a graphical representation of the
+I also created the [__Linux Kernel Defence Map__][4], which is a graphical representation of the
relationships between security hardening features and the corresponding vulnerability classes
or exploitation techniques.
@@ -33,7 +34,7 @@ or exploitation techniques.
- ARM64
- ARM
-TODO: RISC-V
+TODO: RISC-V (issue [#56][22])
## Installation
@@ -86,13 +87,14 @@ CONFIG_DEVMEM | is not set | kspp | cut_atta
- `-m show_ok` for showing only the successful checks
- `-m json` for printing the results in JSON format (for combining `kconfig-hardened-check` with other tools)
-## Example output for `Fedora 34` kernel config
+## Example output for `Fedora 34` kernel configuration
```
-$ ./bin/kconfig-hardened-check -c /boot/config-5.16.20-100.fc34.x86_64 -l /proc/cmdline
-[+] Kconfig file to check: /boot/config-5.16.20-100.fc34.x86_64
+$ ./bin/kconfig-hardened-check -c /boot/config-5.19.4-200.fc36.x86_64 -l /proc/cmdline
+[+] Kconfig file to check: /boot/config-5.19.4-200.fc36.x86_64
[+] Kernel cmdline file to check: /proc/cmdline
[+] Detected architecture: X86_64
-[+] Detected kernel version: 5.16
+[+] Detected kernel version: 5.19
+[+] Detected compiler: GCC 120201
=========================================================================================================================
option name | type |desired val | decision | reason | check result
=========================================================================================================================
@@ -110,14 +112,13 @@ CONFIG_RANDOMIZE_BASE |kconfig| y |defconfig | self_p
CONFIG_VMAP_STACK |kconfig| y |defconfig | self_protection | OK
CONFIG_MICROCODE |kconfig| y |defconfig | self_protection | OK
CONFIG_RETPOLINE |kconfig| y |defconfig | self_protection | OK
-CONFIG_X86_SMAP |kconfig| y |defconfig | self_protection | OK
+CONFIG_X86_SMAP |kconfig| y |defconfig | self_protection | OK: version >= 5.19
CONFIG_SYN_COOKIES |kconfig| y |defconfig | self_protection | OK
CONFIG_X86_UMIP |kconfig| y |defconfig | self_protection | OK
CONFIG_PAGE_TABLE_ISOLATION |kconfig| y |defconfig | self_protection | OK
CONFIG_RANDOMIZE_MEMORY |kconfig| y |defconfig | self_protection | OK
CONFIG_INTEL_IOMMU |kconfig| y |defconfig | self_protection | OK
CONFIG_AMD_IOMMU |kconfig| y |defconfig | self_protection | OK
-CONFIG_SECURITY_DMESG_RESTRICT |kconfig| y | kspp | self_protection | FAIL: "is not set"
CONFIG_BUG_ON_DATA_CORRUPTION |kconfig| y | kspp | self_protection | OK
CONFIG_DEBUG_WX |kconfig| y | kspp | self_protection | OK
CONFIG_SCHED_STACK_END_CHECK |kconfig| y | kspp | self_protection | OK
@@ -134,8 +135,9 @@ CONFIG_GCC_PLUGIN_LATENT_ENTROPY |kconfig| y | kspp | self_p
CONFIG_KFENCE |kconfig| y | kspp | self_protection | OK
CONFIG_WERROR |kconfig| y | kspp | self_protection | FAIL: "is not set"
CONFIG_IOMMU_DEFAULT_DMA_STRICT |kconfig| y | kspp | self_protection | FAIL: "is not set"
+CONFIG_IOMMU_DEFAULT_PASSTHROUGH |kconfig| is not set | kspp | self_protection | OK
CONFIG_ZERO_CALL_USED_REGS |kconfig| y | kspp | self_protection | FAIL: "is not set"
-CONFIG_GCC_PLUGIN_RANDSTRUCT |kconfig| y | kspp | self_protection | FAIL: "is not set"
+CONFIG_RANDSTRUCT_FULL |kconfig| y | kspp | self_protection | FAIL: "is not set"
CONFIG_HARDENED_USERCOPY |kconfig| y | kspp | self_protection | OK
CONFIG_HARDENED_USERCOPY_FALLBACK |kconfig| is not set | kspp | self_protection | OK: not found
CONFIG_HARDENED_USERCOPY_PAGESPAN |kconfig| is not set | kspp | self_protection | OK: not found
@@ -143,10 +145,10 @@ CONFIG_MODULE_SIG |kconfig| y | kspp | self_p
CONFIG_MODULE_SIG_ALL |kconfig| y | kspp | self_protection | OK
CONFIG_MODULE_SIG_SHA512 |kconfig| y | kspp | self_protection | OK
CONFIG_MODULE_SIG_FORCE |kconfig| y | kspp | self_protection | FAIL: "is not set"
-CONFIG_INIT_STACK_ALL_ZERO |kconfig| y | kspp | self_protection | FAIL: not found
+CONFIG_INIT_STACK_ALL_ZERO |kconfig| y | kspp | self_protection | FAIL: "is not set"
CONFIG_INIT_ON_FREE_DEFAULT_ON |kconfig| y | kspp | self_protection | FAIL: "is not set"
CONFIG_GCC_PLUGIN_STACKLEAK |kconfig| y | kspp | self_protection | FAIL: "is not set"
-CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT |kconfig| y | kspp | self_protection | FAIL: "is not set"
+CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT |kconfig| y | kspp | self_protection | OK
CONFIG_SCHED_CORE |kconfig| y | kspp | self_protection | OK
CONFIG_DEFAULT_MMAP_MIN_ADDR |kconfig| 65536 | kspp | self_protection | OK
CONFIG_UBSAN_BOUNDS |kconfig| y |maintainer| self_protection | FAIL: not found
@@ -156,18 +158,20 @@ CONFIG_DEBUG_VIRTUAL |kconfig| y | clipos | self_p
CONFIG_STATIC_USERMODEHELPER |kconfig| y | clipos | self_protection | FAIL: "is not set"
CONFIG_EFI_DISABLE_PCI_DMA |kconfig| y | clipos | self_protection | FAIL: "is not set"
CONFIG_SLAB_MERGE_DEFAULT |kconfig| is not set | clipos | self_protection | OK
-CONFIG_RANDOM_TRUST_BOOTLOADER |kconfig| is not set | clipos | self_protection | OK
+CONFIG_RANDOM_TRUST_BOOTLOADER |kconfig| is not set | clipos | self_protection | FAIL: "y"
CONFIG_RANDOM_TRUST_CPU |kconfig| is not set | clipos | self_protection | FAIL: "y"
-CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE|kconfig| is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT not "y"
+CONFIG_RANDSTRUCT_PERFORMANCE |kconfig| is not set | clipos | self_protection | FAIL: CONFIG_RANDSTRUCT_FULL not "y"
CONFIG_STACKLEAK_METRICS |kconfig| is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y"
CONFIG_STACKLEAK_RUNTIME_DISABLE |kconfig| is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y"
CONFIG_INTEL_IOMMU_DEFAULT_ON |kconfig| y | clipos | self_protection | FAIL: "is not set"
CONFIG_INTEL_IOMMU_SVM |kconfig| y | clipos | self_protection | OK
CONFIG_RESET_ATTACK_MITIGATION |kconfig| y | my | self_protection | FAIL: "is not set"
-CONFIG_SLS |kconfig| y | my | self_protection | FAIL: not found
+CONFIG_UBSAN_LOCAL_BOUNDS |kconfig| y | my | self_protection | FAIL: not found
+CONFIG_SLS |kconfig| y | my | self_protection | OK
CONFIG_AMD_IOMMU_V2 |kconfig| y | my | self_protection | FAIL: "m"
CONFIG_SECURITY |kconfig| y |defconfig | security_policy | OK
CONFIG_SECURITY_YAMA |kconfig| y | kspp | security_policy | OK
+CONFIG_SECURITY_LANDLOCK |kconfig| y | kspp | security_policy | OK
CONFIG_SECURITY_SELINUX_DISABLE |kconfig| is not set | kspp | security_policy | OK
CONFIG_SECURITY_LOCKDOWN_LSM |kconfig| y | clipos | security_policy | OK
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY |kconfig| y | clipos | security_policy | OK
@@ -180,6 +184,7 @@ CONFIG_BPF_UNPRIV_DEFAULT_OFF |kconfig| y |defconfig |cut_att
CONFIG_SECCOMP |kconfig| y |defconfig |cut_attack_surface| OK
CONFIG_SECCOMP_FILTER |kconfig| y |defconfig |cut_attack_surface| OK
CONFIG_STRICT_DEVMEM |kconfig| y |defconfig |cut_attack_surface| OK
+CONFIG_SECURITY_DMESG_RESTRICT |kconfig| y | kspp |cut_attack_surface| FAIL: "is not set"
CONFIG_ACPI_CUSTOM_METHOD |kconfig| is not set | kspp |cut_attack_surface| OK
CONFIG_COMPAT_BRK |kconfig| is not set | kspp |cut_attack_surface| OK
CONFIG_DEVKMEM |kconfig| is not set | kspp |cut_attack_surface| OK: not found
@@ -191,7 +196,7 @@ CONFIG_PROC_KCORE |kconfig| is not set | kspp |cut_att
CONFIG_LEGACY_PTYS |kconfig| is not set | kspp |cut_attack_surface| OK
CONFIG_HIBERNATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
-CONFIG_X86_X32 |kconfig| is not set | kspp |cut_attack_surface| OK
+CONFIG_X86_X32 |kconfig| is not set | kspp |cut_attack_surface| OK: not found
CONFIG_MODIFY_LDT_SYSCALL |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
CONFIG_OABI_COMPAT |kconfig| is not set | kspp |cut_attack_surface| OK: not found
CONFIG_X86_MSR |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
@@ -241,7 +246,7 @@ CONFIG_DRM_LEGACY |kconfig| is not set |maintainer|cut_att
CONFIG_FB |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
CONFIG_VT |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
CONFIG_BLK_DEV_FD |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "m"
-CONFIG_BLK_DEV_FD_RAWCMD |kconfig| is not set |maintainer|cut_attack_surface| OK: not found
+CONFIG_BLK_DEV_FD_RAWCMD |kconfig| is not set |maintainer|cut_attack_surface| OK
CONFIG_AIO |kconfig| is not set |grapheneos|cut_attack_surface| FAIL: "y"
CONFIG_STAGING |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
CONFIG_KSM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
@@ -271,14 +276,33 @@ CONFIG_INPUT_EVBUG |kconfig| is not set | my |cut_att
CONFIG_KGDB |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
CONFIG_INTEGRITY |kconfig| y |defconfig | harden_userspace | OK
CONFIG_ARCH_MMAP_RND_BITS |kconfig| 32 | clipos | harden_userspace | FAIL: "28"
+nosmep |cmdline| is not set |defconfig | self_protection | OK: not found
+nosmap |cmdline| is not set |defconfig | self_protection | OK: not found
+nokaslr |cmdline| is not set |defconfig | self_protection | OK: not found
+nopti |cmdline| is not set |defconfig | self_protection | OK: not found
+nospectre_v1 |cmdline| is not set |defconfig | self_protection | OK: not found
+nospectre_v2 |cmdline| is not set |defconfig | self_protection | OK: not found
+rodata |cmdline| 1 |defconfig | self_protection | OK: rodata not found
+init_on_alloc |cmdline| 1 | kspp | self_protection | FAIL: not found
+init_on_free |cmdline| 1 | kspp | self_protection | FAIL: not found
+slab_nomerge |cmdline| | kspp | self_protection | OK: CONFIG_SLAB_MERGE_DEFAULT "is not set"
+iommu.strict |cmdline| 1 | kspp | self_protection | FAIL: not found
+iommu.passthrough |cmdline| 0 | kspp | self_protection | OK: CONFIG_IOMMU_DEFAULT_PASSTHROUGH "is not set"
+hardened_usercopy |cmdline| 1 | kspp | self_protection | OK: CONFIG_HARDENED_USERCOPY "y"
+slab_common.usercopy_fallback |cmdline| 0 | kspp | self_protection | OK: CONFIG_HARDENED_USERCOPY_FALLBACK not found
+randomize_kstack_offset |cmdline| 1 | kspp | self_protection | OK: CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT "y"
pti |cmdline| on | kspp | self_protection | FAIL: not found
+page_alloc.shuffle |cmdline| 1 | clipos | self_protection | FAIL: not found
+spectre_v2 |cmdline| on | clipos | self_protection | FAIL: not found
+vsyscall |cmdline| none | kspp |cut_attack_surface| FAIL: not found
+debugfs |cmdline| off | grsec |cut_attack_surface| FAIL: not found
-[+] Config check is finished: 'OK' - 82 / 'FAIL' - 94
+[+] Config check is finished: 'OK' - 97 / 'FAIL' - 101
```
## kconfig-hardened-check versioning
-I usually update the kernel security hardening recommendations after each Linux kernel release.
+I usually update the kernel security hardening recommendations every few kernel releases.
So the version of `kconfig-hardened-check` is associated with the corresponding version of the kernel.
@@ -294,7 +318,7 @@ but the tool recommends disabling it to cut the attack surface __of the kernel__
The rationale:
- - A nice LWN article about the corresponding LKML discussion: https://lwn.net/Articles/673597/
+ - An LWN article about the corresponding LKML discussion: https://lwn.net/Articles/673597/
- A twitter thread about `CONFIG_USER_NS` and security: https://twitter.com/robertswiecki/status/1095447678949953541
@@ -311,15 +335,27 @@ try to install `gcc-7-plugin-dev` package, it should help.
__Q:__ KSPP and CLIP OS recommend `CONFIG_PANIC_ON_OOPS=y`. Why doesn't this tool do the same?
-__A:__ I personally don't support this recommendation because it provides easy denial-of-service
-attacks for the whole system (kernel oops is not a rare situation). I think having `CONFIG_BUG` is enough here --
-if we have a kernel oops in the process context, the offending/attacking process is killed.
+__A:__ I personally don't support this recommendation because:
+ - It decreases system safety (kernel oops is still not a rare situation)
+ - It allows easier denial-of-service attacks for the whole system
+
+I think having `CONFIG_BUG` is enough here.
+If a kernel oops happens in the process context, the offending/attacking process is killed.
+In other cases, the kernel panics, which is similar to `CONFIG_PANIC_ON_OOPS=y`.
__Q:__ What about performance impact of these security hardening options?
__A:__ Ike Devolder [@BlackIkeEagle][7] made some performance tests and described the results in [this article][8].
+A more detailed evaluation is in the TODO list (the issue [#66][21]).
+
+
+
+__Q:__ Can I easily check which kernel versions support some Kconfig option?
+
+__A:__ Yes. See the [LKDDb][18] project (Linux Kernel Driver Database) by Giacomo Catenazzi [@cateee][19].
+You can use it for the `mainline` or `stable` tree from [kernel.org][20] or for your custom kernel sources.
@@ -356,3 +392,9 @@ I highly recommend using [spectre-meltdown-checker][13] tool maintained by Stép
[15]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/53
[16]: https://github.com/a13xp0p0v/kconfig-hardened-check/pull/54
[17]: https://github.com/a13xp0p0v/kconfig-hardened-check/pull/62
+[18]: https://cateee.net/lkddb/web-lkddb/
+[19]: https://github.com/cateee/lkddb
+[20]: https://kernel.org/
+[21]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/66
+[22]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/56
+[23]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues?q=label%3Akernel_maintainer_feedback