X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=README.md;h=81f04f4f3e31c52716def6e5de0f3a62abaf299b;hb=361e571e1926ee172f22f9aad990158e2c03651d;hp=5cb2d1ab33cc352406eb4cd5691bbfe292028f22;hpb=eeb0b9ee58eec087b0bd7b5b3428b4c9d1078c4a;p=kconfig-hardened-check.git diff --git a/README.md b/README.md index 5cb2d1a..81f04f4 100644 --- a/README.md +++ b/README.md @@ -44,7 +44,8 @@ or simply run `./bin/kconfig-hardened-check` from the cloned repository. ## Usage ``` usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}] - [-c CONFIG] [-m {verbose,json}] + [-c CONFIG] + [-m {verbose,json,show_ok,show_fail}] Checks the hardening options in the Linux kernel config @@ -54,8 +55,8 @@ optional arguments: -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM} print hardening preferences for selected architecture -c CONFIG, --config CONFIG - check the config_file against these preferences - -m {verbose,json}, --mode {verbose,json} + check the kernel config file against these preferences + -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail} choose the report mode ``` @@ -108,21 +109,23 @@ CONFIG_MODULE_SIG | y | kspp | self_pr CONFIG_MODULE_SIG_ALL | y | kspp | self_protection | OK CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protection | OK CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection | FAIL: "is not set" -CONFIG_INIT_STACK_ALL | y | kspp | self_protection | FAIL: not found -CONFIG_INIT_ON_FREE_DEFAULT_ON | y | kspp | self_protection | OK: CONFIG_PAGE_POISONING "y" +CONFIG_INIT_STACK_ALL_ZERO | y | kspp | self_protection | FAIL: not found +CONFIG_INIT_ON_FREE_DEFAULT_ON | y | kspp | self_protection | OK: CONFIG_PAGE_POISONING_ZERO "y" CONFIG_GCC_PLUGIN_STACKLEAK | y | kspp | self_protection | FAIL: not found CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | kspp | self_protection | OK CONFIG_SECURITY_DMESG_RESTRICT | y | clipos | self_protection | FAIL: "is not set" CONFIG_DEBUG_VIRTUAL | y | clipos | self_protection | FAIL: "is not set" CONFIG_STATIC_USERMODEHELPER | y | clipos | self_protection | FAIL: "is not set" +CONFIG_EFI_DISABLE_PCI_DMA | y | clipos | self_protection | FAIL: not found CONFIG_SLAB_MERGE_DEFAULT | is not set | clipos | self_protection | FAIL: "y" CONFIG_RANDOM_TRUST_BOOTLOADER | is not set | clipos | self_protection | FAIL: "y" CONFIG_RANDOM_TRUST_CPU | is not set | clipos | self_protection | FAIL: "y" -CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT is needed -CONFIG_STACKLEAK_METRICS | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed -CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed +CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT not "y" +CONFIG_STACKLEAK_METRICS | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y" +CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y" CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection | OK CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection | FAIL: "is not set" +CONFIG_UBSAN_BOUNDS | y | my | self_protection | FAIL: CONFIG_UBSAN_TRAP not "y" CONFIG_SLUB_DEBUG_ON | y | my | self_protection | FAIL: "is not set" CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection | OK CONFIG_AMD_IOMMU_V2 | y | my | self_protection | FAIL: "m" @@ -134,7 +137,7 @@ CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | clipos | securit CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY| y | clipos | security_policy | FAIL: "is not set" CONFIG_SECURITY_SAFESETID | y | my | security_policy | OK CONFIG_SECURITY_LOADPIN | y | my | security_policy | FAIL: "is not set" -CONFIG_SECURITY_LOADPIN_ENFORCE | y | my | security_policy | FAIL: CONFIG_SECURITY_LOADPIN is needed +CONFIG_SECURITY_LOADPIN_ENFORCE | y | my | security_policy | FAIL: CONFIG_SECURITY_LOADPIN not "y" CONFIG_SECCOMP | y |defconfig | cut_attack_surface | OK CONFIG_SECCOMP_FILTER | y |defconfig | cut_attack_surface | OK CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface | OK @@ -156,7 +159,6 @@ CONFIG_MODULES | is not set | kspp | cut_atta CONFIG_DEVMEM | is not set | kspp | cut_attack_surface | FAIL: "y" CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface | FAIL: "is not set" CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface | FAIL: "is not set" -CONFIG_X86_PTDUMP | is not set |grsecurity| cut_attack_surface | OK CONFIG_ZSMALLOC_STAT | is not set |grsecurity| cut_attack_surface | OK CONFIG_PAGE_OWNER | is not set |grsecurity| cut_attack_surface | OK CONFIG_DEBUG_KMEMLEAK | is not set |grsecurity| cut_attack_surface | OK @@ -174,14 +176,11 @@ CONFIG_MEM_SOFT_DIRTY | is not set |grsecurity| cut_atta CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface | FAIL: "y" CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface | FAIL: "y" CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface | FAIL: "m" +CONFIG_X86_PTDUMP | is not set |grsecurity| cut_attack_surface | OK CONFIG_DRM_LEGACY | is not set |maintainer| cut_attack_surface | OK CONFIG_FB | is not set |maintainer| cut_attack_surface | FAIL: "y" CONFIG_VT | is not set |maintainer| cut_attack_surface | FAIL: "y" -CONFIG_ACPI_TABLE_UPGRADE | is not set | lockdown | cut_attack_surface | FAIL: "y" -CONFIG_X86_IOPL_IOPERM | is not set | lockdown | cut_attack_surface | OK: not found -CONFIG_EFI_TEST | is not set | lockdown | cut_attack_surface | FAIL: "m" -CONFIG_BPF_SYSCALL | is not set | lockdown | cut_attack_surface | FAIL: "y" -CONFIG_MMIOTRACE_TEST | is not set | lockdown | cut_attack_surface | OK +CONFIG_AIO | is not set |grapheneos| cut_attack_surface | FAIL: "y" CONFIG_STAGING | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_KSM | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_KALLSYMS | is not set | clipos | cut_attack_surface | FAIL: "y" @@ -191,21 +190,27 @@ CONFIG_KEXEC_FILE | is not set | clipos | cut_atta CONFIG_USER_NS | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_X86_MSR | is not set | clipos | cut_attack_surface | FAIL: "m" CONFIG_X86_CPUID | is not set | clipos | cut_attack_surface | FAIL: "m" +CONFIG_IO_URING | is not set | clipos | cut_attack_surface | FAIL: "y" +CONFIG_X86_IOPL_IOPERM | is not set | clipos | cut_attack_surface | OK: not found +CONFIG_ACPI_TABLE_UPGRADE | is not set | clipos | cut_attack_surface | FAIL: "y" +CONFIG_EFI_CUSTOM_SSDT_OVERLAYS | is not set | clipos | cut_attack_surface | OK: not found CONFIG_LDISC_AUTOLOAD | is not set | clipos | cut_attack_surface | FAIL: "y" CONFIG_X86_INTEL_TSX_MODE_OFF | y | clipos | cut_attack_surface | OK -CONFIG_AIO | is not set |grapheneos| cut_attack_surface | FAIL: "y" +CONFIG_EFI_TEST | is not set | lockdown | cut_attack_surface | FAIL: "m" +CONFIG_BPF_SYSCALL | is not set | lockdown | cut_attack_surface | FAIL: "y" +CONFIG_MMIOTRACE_TEST | is not set | lockdown | cut_attack_surface | OK +CONFIG_TRIM_UNUSED_KSYMS | y | my | cut_attack_surface | FAIL: not found CONFIG_MMIOTRACE | is not set | my | cut_attack_surface | FAIL: "y" CONFIG_LIVEPATCH | is not set | my | cut_attack_surface | FAIL: "y" CONFIG_IP_DCCP | is not set | my | cut_attack_surface | FAIL: "m" CONFIG_IP_SCTP | is not set | my | cut_attack_surface | FAIL: "m" CONFIG_FTRACE | is not set | my | cut_attack_surface | FAIL: "y" -CONFIG_BPF_JIT | is not set | my | cut_attack_surface | FAIL: "y" CONFIG_VIDEO_VIVID | is not set | my | cut_attack_surface | FAIL: "m" CONFIG_INPUT_EVBUG | is not set | my | cut_attack_surface | FAIL: "m" CONFIG_INTEGRITY | y |defconfig |userspace_hardening | OK CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | FAIL: "28" -[+] Config check is finished: 'OK' - 57 / 'FAIL' - 79 +[+] Config check is finished: 'OK' - 58 / 'FAIL' - 82 ``` ## kconfig-hardened-check versioning @@ -263,6 +268,13 @@ __A:__ Linux kernel usermode helpers can be used for privilege escalation in ker requires the corresponding support in the userspace: see the [example implementation][11] by Tycho Andersen [@tych0][12]. +
+ +__Q:__ Does my kernel have all those mitigations of Transient Execution Vulnerabilities in my hardware? + +__A:__ Checking the kernel config is not enough to answer this question. +I highly recommend using [spectre-meltdown-checker][13] tool maintained by Stéphane Lesimple [@speed47][14]. + [1]: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings [2]: https://docs.clip-os.org/clipos/kernel.html#configuration @@ -276,3 +288,5 @@ Tycho Andersen [@tych0][12]. [10]: https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html [11]: https://github.com/tych0/huldufolk [12]: https://github.com/tych0 +[13]: https://github.com/speed47/spectre-meltdown-checker +[14]: https://github.com/speed47