X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=README.md;h=d8a43a6d09bf38e2b4ef3cf5bdcb4f37ea5c825a;hb=4de80103b72ee3d7842b032c5513ab1aee5b6129;hp=3f661fd4cbc95d1d4e30163db068195328a56713;hpb=76f37eeca5b5d9d9c8801e588abe2951a5aabc99;p=kconfig-hardened-check.git

diff --git a/README.md b/README.md
index 3f661fd..d8a43a6 100644
--- a/README.md
+++ b/README.md
@@ -28,8 +28,8 @@ Please don't cry if my Python code looks like C. I'm just a kernel developer.
 
 ### Usage
 ```
-#usage: kconfig-hardened-check.py [-h] [-p {X86_64,X86_32,ARM64,ARM}]
-                                 [-c CONFIG] [--debug]
+usage: kconfig-hardened-check.py [-h] [-p {X86_64,X86_32,ARM64,ARM}]
+                                 [-c CONFIG] [--debug] [--json]
 
 Checks the hardening options in the Linux kernel config
 
@@ -40,6 +40,7 @@ optional arguments:
   -c CONFIG, --config CONFIG
                         check the config_file against these preferences
   --debug               enable internal debug mode
+  --json                print results in JSON format
 
 ```
 
@@ -70,11 +71,10 @@ CONFIG_DEBUG_WX                         |      y      |   kspp   |  self_protect
 CONFIG_SCHED_STACK_END_CHECK            |      y      |   kspp   |  self_protection   ||             OK             
 CONFIG_SLAB_FREELIST_HARDENED           |      y      |   kspp   |  self_protection   ||             OK             
 CONFIG_SLAB_FREELIST_RANDOM             |      y      |   kspp   |  self_protection   ||             OK             
+CONFIG_SHUFFLE_PAGE_ALLOCATOR           |      y      |   kspp   |  self_protection   ||      FAIL: not found       
 CONFIG_FORTIFY_SOURCE                   |      y      |   kspp   |  self_protection   ||             OK             
 CONFIG_GCC_PLUGINS                      |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
 CONFIG_GCC_PLUGIN_RANDSTRUCT            |      y      |   kspp   |  self_protection   ||      FAIL: not found       
-CONFIG_GCC_PLUGIN_STRUCTLEAK            |      y      |   kspp   |  self_protection   ||      FAIL: not found       
-CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL  |      y      |   kspp   |  self_protection   ||      FAIL: not found       
 CONFIG_GCC_PLUGIN_LATENT_ENTROPY        |      y      |   kspp   |  self_protection   ||      FAIL: not found       
 CONFIG_DEBUG_LIST                       |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
 CONFIG_DEBUG_SG                         |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
@@ -100,18 +100,18 @@ CONFIG_STACKLEAK_METRICS                | is not set  |  clipos  |  self_protect
 CONFIG_STACKLEAK_RUNTIME_DISABLE        | is not set  |  clipos  |  self_protection   ||FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed
 CONFIG_RANDOM_TRUST_CPU                 | is not set  |  clipos  |  self_protection   ||       OK: not found        
 CONFIG_MICROCODE                        |      y      |  clipos  |  self_protection   ||             OK             
-CONFIG_X86_MSR                          |      y      |  clipos  |  self_protection   ||         FAIL: "m"          
 CONFIG_IOMMU_SUPPORT                    |      y      |  clipos  |  self_protection   ||             OK             
 CONFIG_INTEL_IOMMU                      |      y      |  clipos  |  self_protection   ||             OK             
 CONFIG_INTEL_IOMMU_SVM                  |      y      |  clipos  |  self_protection   ||             OK             
 CONFIG_INTEL_IOMMU_DEFAULT_ON           |      y      |  clipos  |  self_protection   ||     FAIL: "is not set"     
-CONFIG_AMD_IOMMU                        |      y      |    my    |  self_protection   ||             OK             
-CONFIG_AMD_IOMMU_V2                     |      y      |    my    |  self_protection   ||         FAIL: "m"          
+CONFIG_INIT_STACK_ALL                   |      y      |    my    |  self_protection   ||      FAIL: not found       
 CONFIG_SLUB_DEBUG_ON                    |      y      |    my    |  self_protection   ||     FAIL: "is not set"     
 CONFIG_SECURITY_LOADPIN                 |      y      |    my    |  self_protection   ||     FAIL: "is not set"     
 CONFIG_RESET_ATTACK_MITIGATION          |      y      |    my    |  self_protection   ||             OK             
 CONFIG_PAGE_POISONING_NO_SANITY         | is not set  |    my    |  self_protection   ||FAIL: CONFIG_PAGE_POISONING is needed
 CONFIG_PAGE_POISONING_ZERO              | is not set  |    my    |  self_protection   ||FAIL: CONFIG_PAGE_POISONING is needed
+CONFIG_AMD_IOMMU                        |      y      |    my    |  self_protection   ||             OK             
+CONFIG_AMD_IOMMU_V2                     |      y      |    my    |  self_protection   ||         FAIL: "m"          
 CONFIG_SECURITY                         |      y      |defconfig |  security_policy   ||             OK             
 CONFIG_SECURITY_YAMA                    |      y      |   kspp   |  security_policy   ||             OK             
 CONFIG_SECCOMP                          |      y      |defconfig | cut_attack_surface ||             OK             
@@ -173,11 +173,21 @@ CONFIG_FTRACE                           | is not set  |    my    | cut_attack_su
 CONFIG_BPF_JIT                          | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
 CONFIG_ARCH_MMAP_RND_BITS               |     32      |  clipos  |userspace_protection||         FAIL: "28"         
 
-[+] config check is finished: 'OK' - 50 / 'FAIL' - 71
+[+] config check is finished: 'OK' - 50 / 'FAIL' - 70
 ```
 
+## kconfig-hardened-check versioning
+
+I usually update the kernel hardening recommendations after each Linux kernel release.
+
+So the version of `kconfig-hardened-check` is associated with the corresponding version of the kernel.
+
+The version format is: __[major_number].[kernel_version]__
+
+The current version of `kconfig-hardened-check` is __0.5.2__, it's marked with the git tag.
+
 
-### Questions and answers
+## Questions and answers
 
 __Q:__ How disabling `CONFIG_USER_NS` cuts the attack surface? It's needed for containers!