X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=README.md;h=3eb5ee5f5ae6453bfb2bfbc668a8a29dda6ede27;hb=fbaf5df462dd9e5efa6325158c47f415b38b10b5;hp=08f57838a92852c9f05bb62d14b815f8526a0771;hpb=01cd4043d041d1922e71e78766f03d1d95bad614;p=kconfig-hardened-check.git diff --git a/README.md b/README.md index 08f5783..3eb5ee5 100644 --- a/README.md +++ b/README.md @@ -116,12 +116,13 @@ CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | kspp | self_pr CONFIG_SECURITY_DMESG_RESTRICT | y | clipos | self_protection | FAIL: "is not set" CONFIG_DEBUG_VIRTUAL | y | clipos | self_protection | FAIL: "is not set" CONFIG_STATIC_USERMODEHELPER | y | clipos | self_protection | FAIL: "is not set" +CONFIG_EFI_DISABLE_PCI_DMA | y | clipos | self_protection | FAIL: not found CONFIG_SLAB_MERGE_DEFAULT | is not set | clipos | self_protection | FAIL: "y" CONFIG_RANDOM_TRUST_BOOTLOADER | is not set | clipos | self_protection | FAIL: "y" CONFIG_RANDOM_TRUST_CPU | is not set | clipos | self_protection | FAIL: "y" -CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT is needed -CONFIG_STACKLEAK_METRICS | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed -CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed +CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT not "y" +CONFIG_STACKLEAK_METRICS | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y" +CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y" CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection | OK CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection | FAIL: "is not set" CONFIG_SLUB_DEBUG_ON | y | my | self_protection | FAIL: "is not set" @@ -135,7 +136,7 @@ CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | clipos | securit CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY| y | clipos | security_policy | FAIL: "is not set" CONFIG_SECURITY_SAFESETID | y | my | security_policy | OK CONFIG_SECURITY_LOADPIN | y | my | security_policy | FAIL: "is not set" -CONFIG_SECURITY_LOADPIN_ENFORCE | y | my | security_policy | FAIL: CONFIG_SECURITY_LOADPIN is needed +CONFIG_SECURITY_LOADPIN_ENFORCE | y | my | security_policy | FAIL: CONFIG_SECURITY_LOADPIN not "y" CONFIG_SECCOMP | y |defconfig | cut_attack_surface | OK CONFIG_SECCOMP_FILTER | y |defconfig | cut_attack_surface | OK CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface | OK @@ -157,7 +158,6 @@ CONFIG_MODULES | is not set | kspp | cut_atta CONFIG_DEVMEM | is not set | kspp | cut_attack_surface | FAIL: "y" CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface | FAIL: "is not set" CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface | FAIL: "is not set" -CONFIG_X86_PTDUMP | is not set |grsecurity| cut_attack_surface | OK CONFIG_ZSMALLOC_STAT | is not set |grsecurity| cut_attack_surface | OK CONFIG_PAGE_OWNER | is not set |grsecurity| cut_attack_surface | OK CONFIG_DEBUG_KMEMLEAK | is not set |grsecurity| cut_attack_surface | OK @@ -175,14 +175,11 @@ CONFIG_MEM_SOFT_DIRTY | is not set |grsecurity| cut_atta CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface | FAIL: "y" CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface | FAIL: "y" CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface | FAIL: "m" +CONFIG_X86_PTDUMP | is not set |grsecurity| cut_attack_surface | OK CONFIG_DRM_LEGACY | is not set |maintainer| cut_attack_surface | OK CONFIG_FB | is not set |maintainer| cut_attack_surface | FAIL: "y" CONFIG_VT | is not set |maintainer| cut_attack_surface | FAIL: "y" -CONFIG_ACPI_TABLE_UPGRADE | is not set | lockdown | cut_attack_surface | FAIL: "y" -CONFIG_X86_IOPL_IOPERM | is not set | lockdown | cut_attack_surface | OK: not found -CONFIG_EFI_TEST | is not set | lockdown | cut_attack_surface | FAIL: "m" -CONFIG_BPF_SYSCALL | is not set | lockdown | cut_attack_surface | FAIL: "y" -CONFIG_MMIOTRACE_TEST | is not set | lockdown | cut_attack_surface | OK +CONFIG_AIO | is not set |grapheneos| cut_attack_surface | FAIL: "y" CONFIG_STAGING | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_KSM | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_KALLSYMS | is not set | clipos | cut_attack_surface | FAIL: "y" @@ -192,9 +189,14 @@ CONFIG_KEXEC_FILE | is not set | clipos | cut_atta CONFIG_USER_NS | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_X86_MSR | is not set | clipos | cut_attack_surface | FAIL: "m" CONFIG_X86_CPUID | is not set | clipos | cut_attack_surface | FAIL: "m" +CONFIG_IO_URING | is not set | clipos | cut_attack_surface | FAIL: "y" +CONFIG_X86_IOPL_IOPERM | is not set | clipos | cut_attack_surface | OK: not found CONFIG_LDISC_AUTOLOAD | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_X86_INTEL_TSX_MODE_OFF | y | clipos | cut_attack_surface | OK -CONFIG_AIO | is not set |grapheneos| cut_attack_surface | FAIL: "y" +CONFIG_ACPI_TABLE_UPGRADE | is not set | lockdown | cut_attack_surface | FAIL: "y" +CONFIG_EFI_TEST | is not set | lockdown | cut_attack_surface | FAIL: "m" +CONFIG_BPF_SYSCALL | is not set | lockdown | cut_attack_surface | FAIL: "y" +CONFIG_MMIOTRACE_TEST | is not set | lockdown | cut_attack_surface | OK CONFIG_MMIOTRACE | is not set | my | cut_attack_surface | FAIL: "y" CONFIG_LIVEPATCH | is not set | my | cut_attack_surface | FAIL: "y" CONFIG_IP_DCCP | is not set | my | cut_attack_surface | FAIL: "m" @@ -206,7 +208,7 @@ CONFIG_INPUT_EVBUG | is not set | my | cut_atta CONFIG_INTEGRITY | y |defconfig |userspace_hardening | OK CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | FAIL: "28" -[+] Config check is finished: 'OK' - 57 / 'FAIL' - 79 +[+] Config check is finished: 'OK' - 57 / 'FAIL' - 81 ``` ## kconfig-hardened-check versioning @@ -264,6 +266,13 @@ __A:__ Linux kernel usermode helpers can be used for privilege escalation in ker requires the corresponding support in the userspace: see the [example implementation][11] by Tycho Andersen [@tych0][12]. +
+ +__Q:__ Does my kernel have all those mitigations of Transient Execution Vulnerabilities in my hardware? + +__A:__ Checking the kernel config is not enough to answer this question. +I highly recommend using [spectre-meltdown-checker][13] tool maintained by Stéphane Lesimple [@speed47][14]. + [1]: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings [2]: https://docs.clip-os.org/clipos/kernel.html#configuration @@ -277,3 +286,5 @@ Tycho Andersen [@tych0][12]. [10]: https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html [11]: https://github.com/tych0/huldufolk [12]: https://github.com/tych0 +[13]: https://github.com/speed47/spectre-meltdown-checker +[14]: https://github.com/speed47