X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=README.md;h=0e18940c5919fc37431fcecde5135f30e6dc0198;hb=cb1d79b05f9ab8660ddfdbedc56cf84447a9f27f;hp=40b7b01c8b04d2bf3a72cb82a2432de75bd744b0;hpb=2d76c21b4a1b96171f2abb50a35ec0b410c97178;p=kconfig-hardened-check.git

diff --git a/README.md b/README.md
index 40b7b01..0e18940 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,8 @@
 # kconfig-hardened-check
 
+![functional test](https://github.com/a13xp0p0v/kconfig-hardened-check/workflows/functional%20test/badge.svg)
+[![Coverage Status](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check/graph/badge.svg)](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check)
+
 ## Motivation
 
 There are plenty of Linux kernel hardening config options. A lot of them are
@@ -13,7 +16,9 @@ against my hardening preferences, which are based on the
 
   - [KSPP recommended settings][1],
   - [CLIP OS kernel configuration][2],
-  - last public [grsecurity][3] patch (options which they disable).
+  - last public [grsecurity][3] patch (options which they disable),
+  - [SECURITY_LOCKDOWN_LSM][5] patchset,
+  - direct feedback from Linux kernel maintainers (Daniel Vetter in [issue #38][6]).
 
 I also created [__Linux Kernel Defence Map__][4] that is a graphical representation of the
 relationships between these hardening features and the corresponding vulnerability classes
@@ -39,7 +44,7 @@ or simply run `./bin/kconfig-hardened-check` from the cloned repository.
 ## Usage
 ```
 usage: kconfig-hardened-check [-h] [-p {X86_64,X86_32,ARM64,ARM}] [-c CONFIG]
-                              [--debug] [--json]
+                              [--debug] [--json] [--version]
 
 Checks the hardening options in the Linux kernel config
 
@@ -51,6 +56,7 @@ optional arguments:
                         check the config_file against these preferences
   --debug               enable verbose debug mode
   --json                print results in JSON format
+  --version             show program's version number and exit
 ```
 
 ## Output for `Ubuntu 18.04 (Bionic Beaver with HWE)` kernel config
@@ -171,6 +177,9 @@ CONFIG_MEM_SOFT_DIRTY                        | is not set  |grsecurity| cut_atta
 CONFIG_DEVPORT                               | is not set  |grsecurity| cut_attack_surface |   FAIL: "y"
 CONFIG_DEBUG_FS                              | is not set  |grsecurity| cut_attack_surface |   FAIL: "y"
 CONFIG_NOTIFIER_ERROR_INJECTION              | is not set  |grsecurity| cut_attack_surface |   FAIL: "m"
+CONFIG_DRM_LEGACY                            | is not set  |maintainer| cut_attack_surface |   OK
+CONFIG_FB                                    | is not set  |maintainer| cut_attack_surface |   FAIL: "y"
+CONFIG_VT                                    | is not set  |maintainer| cut_attack_surface |   FAIL: "y"
 CONFIG_ACPI_TABLE_UPGRADE                    | is not set  | lockdown | cut_attack_surface |   FAIL: "y"
 CONFIG_X86_IOPL_IOPERM                       | is not set  | lockdown | cut_attack_surface |   OK: not found
 CONFIG_EFI_TEST                              | is not set  | lockdown | cut_attack_surface |   FAIL: "m"
@@ -195,10 +204,11 @@ CONFIG_IP_SCTP                               | is not set  |    my    | cut_atta
 CONFIG_FTRACE                                | is not set  |    my    | cut_attack_surface |   FAIL: "y"
 CONFIG_BPF_JIT                               | is not set  |    my    | cut_attack_surface |   FAIL: "y"
 CONFIG_VIDEO_VIVID                           | is not set  |    my    | cut_attack_surface |   FAIL: "m"
+CONFIG_INPUT_EVBUG                           | is not set  |    my    | cut_attack_surface |   FAIL: "m"
 CONFIG_INTEGRITY                             |      y      |defconfig |userspace_hardening |   OK
 CONFIG_ARCH_MMAP_RND_BITS                    |     32      |  clipos  |userspace_hardening |   FAIL: "28"
 
-[+] config check is finished: 'OK' - 55 / 'FAIL' - 77
+[+] config check is finished: 'OK' - 56 / 'FAIL' - 80
 ```
 
 ## kconfig-hardened-check versioning
@@ -207,9 +217,7 @@ I usually update the kernel hardening recommendations after each Linux kernel re
 
 So the version of `kconfig-hardened-check` is associated with the corresponding version of the kernel.
 
-The version format is: __[major_number].[kernel_version]__
-
-The current version of `kconfig-hardened-check` is __0.5.5__, it's marked with the git tag.
+The version format is: __[major_number].[kernel_version].[kernel_patchlevel]__
 
 
 ## Questions and answers
@@ -244,3 +252,5 @@ if we have a kernel oops in the process context, the offending/attacking process
 [2]: https://docs.clip-os.org/clipos/kernel.html#configuration
 [3]: https://grsecurity.net/
 [4]: https://github.com/a13xp0p0v/linux-kernel-defence-map
+[5]: https://lwn.net/Articles/791863/
+[6]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/38