X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig-hardened-check.py;h=1d979c89bf835941171fb4b5ff7f1decf5f17bc6;hb=84ba20a34fefed996b96b42d6c34a17c4279cdc9;hp=55e46a34f05a4922c7084b0e71a5256c1fd43775;hpb=f4f3414d16171ac1acbe20bb55a77001b60c16ef;p=kconfig-hardened-check.git
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index 55e46a3..1d979c8 100755
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -14,7 +14,6 @@
 # slub_debug=FZP
 # slab_nomerge
 # kernel.kptr_restrict=1
-# lockdown=1 (is it changed?)
 # page_alloc.shuffle=1
 # iommu=force (does it help against DMA attacks?)
 # page_poison=1 (if enabled)
@@ -327,8 +326,8 @@ def construct_checklist(checklist, arch):
 checklist.append(AND(OptCheck('GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set', 'clipos', 'self_protection'), \
 randstruct_is_set))
 checklist.append(OptCheck('CONFIG_RANDOM_TRUST_BOOTLOADER', 'is not set', 'clipos', 'self_protection'))
+ checklist.append(OptCheck('RANDOM_TRUST_CPU', 'is not set', 'clipos', 'self_protection'))
 if arch == 'X86_64' or arch == 'X86_32':
- checklist.append(OptCheck('RANDOM_TRUST_CPU', 'is not set', 'clipos', 'self_protection'))
 checklist.append(AND(OptCheck('INTEL_IOMMU_SVM', 'y', 'clipos', 'self_protection'), \
 iommu_support_is_set))
 checklist.append(AND(OptCheck('INTEL_IOMMU_DEFAULT_ON', 'y', 'clipos', 'self_protection'), \
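Review bot: The context line directly above the added RANDOM_TRUST_CPU check names its option as `'CONFIG_RANDOM_TRUST_BOOTLOADER'`, while every other OptCheck in this hunk and on the page, including the one this commit adds, uses the bare option name without the `CONFIG_` prefix. If OptCheck adds the prefix itself when matching against the .config (its matching code is not in this hunk, so worth confirming), that entry can never correspond to the real option and the bootloader-entropy check would silently never report anything. Both checks exist to keep the kernel CRNG from treating a single hardware or firmware seed source as trusted, so a check that cannot fire defeats the purpose of listing it; the fix is `checklist.append(OptCheck('RANDOM_TRUST_BOOTLOADER', 'is not set', 'clipos', 'self_protection'))`. construct_checklist starts and ends outside the hunk.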
@@ -347,13 +346,13 @@ def construct_checklist(checklist, arch):
 if arch == 'ARM':
 checklist.append(OptCheck('SECURITY', 'y', 'kspp', 'security_policy')) # and choose your favourite LSM
 checklist.append(OptCheck('SECURITY_YAMA', 'y', 'kspp', 'security_policy'))
+ checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM', 'y', 'clipos', 'security_policy'))
+ checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY', 'y', 'clipos', 'security_policy'))
+ checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'clipos', 'security_policy'))
 loadpin_is_set = OptCheck('SECURITY_LOADPIN', 'y', 'my', 'security_policy') # needs userspace support
 checklist.append(loadpin_is_set)
 checklist.append(AND(OptCheck('SECURITY_LOADPIN_ENFORCE', 'y', 'my', 'security_policy'), \
 loadpin_is_set))
- checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM', 'y', 'my', 'security_policy'))
- checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY', 'y', 'my', 'security_policy'))
- checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'my', 'security_policy'))
 checklist.append(OptCheck('SECURITY_SAFESETID', 'y', 'my', 'security_policy'))
 checklist.append(OptCheck('SECURITY_WRITABLE_HOOKS', 'is not set', 'my', 'security_policy'))
 
@@ -371,6 +370,8 @@ def construct_checklist(checklist, arch):
 checklist.append(OR(OptCheck('STRICT_DEVMEM', 'y', 'kspp', 'cut_attack_surface'), \
 devmem_not_set)) # refers to LOCK_DOWN_KERNEL
 checklist.append(OptCheck('ACPI_CUSTOM_METHOD', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
+ if arch == 'X86_64':
+ checklist.append(OptCheck('LEGACY_VSYSCALL_NONE', 'y', 'kspp', 'cut_attack_surface')) # 'vsyscall=none'
 checklist.append(OptCheck('COMPAT_BRK', 'is not set', 'kspp', 'cut_attack_surface'))
 checklist.append(OptCheck('DEVKMEM', 'is not set', 'kspp', 'cut_attack_surface'))
 checklist.append(OptCheck('COMPAT_VDSO', 'is not set', 'kspp', 'cut_attack_surface'))
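Review bot: The added SECURITY_LOCKDOWN_LSM_EARLY and LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY checks only make sense when SECURITY_LOCKDOWN_LSM is itself enabled, yet they are appended as three independent OptChecks, unlike SECURITY_LOADPIN_ENFORCE a few lines below, which this file ties to its parent option through AND(..., loadpin_is_set). Writing the lockdown trio in the same shape makes the parent/child relation explicit and consistent with the existing style; what AND does with a failed parent is not visible in this hunk, so I make no claim about how the report changes. The comments `# refers to LOCK_DOWN_KERNEL` on STRICT_DEVMEM and ACPI_CUSTOM_METHOD in the next hunk, and on PROC_KCORE and HIBERNATION in the hunk after it, presumably name the pre-mainline lockdown option; now that the checklist checks SECURITY_LOCKDOWN_LSM they could read `# refers to SECURITY_LOCKDOWN_LSM` so the cross-reference points at a check that exists. construct_checklist starts and ends outside the hunk.
```python
# … unchanged: SECURITY / SECURITY_YAMA checks …
lockdown_is_set = OptCheck('SECURITY_LOCKDOWN_LSM', 'y', 'clipos', 'security_policy')
checklist.append(lockdown_is_set)
checklist.append(AND(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY', 'y', 'clipos', 'security_policy'), \
                     lockdown_is_set))
checklist.append(AND(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'clipos', 'security_policy'), \
                     lockdown_is_set))
# … unchanged: SECURITY_LOADPIN checks …
```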
@@ -380,13 +381,10 @@ def construct_checklist(checklist, arch):
 checklist.append(OptCheck('PROC_KCORE', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
 checklist.append(OptCheck('LEGACY_PTYS', 'is not set', 'kspp', 'cut_attack_surface'))
 checklist.append(OptCheck('HIBERNATION', 'is not set', 'kspp', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
- if arch == 'X86_64':
- checklist.append(OptCheck('LEGACY_VSYSCALL_NONE', 'y', 'kspp', 'cut_attack_surface')) # 'vsyscall=none'
- checklist.append(OptCheck('IA32_EMULATION', 'is not set', 'kspp', 'cut_attack_surface'))
- checklist.append(OptCheck('X86_X32', 'is not set', 'kspp', 'cut_attack_surface'))
- checklist.append(OptCheck('MODIFY_LDT_SYSCALL', 'is not set', 'kspp', 'cut_attack_surface'))
- if arch == 'ARM':
- checklist.append(OptCheck('OABI_COMPAT', 'is not set', 'kspp', 'cut_attack_surface'))
+ checklist.append(OptCheck('IA32_EMULATION', 'is not set', 'kspp', 'cut_attack_surface'))
+ checklist.append(OptCheck('X86_X32', 'is not set', 'kspp', 'cut_attack_surface'))
+ checklist.append(OptCheck('MODIFY_LDT_SYSCALL', 'is not set', 'kspp', 'cut_attack_surface'))
+ checklist.append(OptCheck('OABI_COMPAT', 'is not set', 'kspp', 'cut_attack_surface'))
 checklist.append(OptCheck('X86_PTDUMP', 'is not set', 'grsecurity', 'cut_attack_surface'))
 checklist.append(OptCheck('ZSMALLOC_STAT', 'is not set', 'grsecurity', 'cut_attack_surface'))
 
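Review bot: IA32_EMULATION, X86_X32, MODIFY_LDT_SYSCALL and OABI_COMPAT are now appended for every arch, so an ARM64 config is checked against the three x86 options and an x86 config against the ARM one, none of which exist in that .config. That is only correct if the checker treats an option absent from the .config as satisfying 'is not set', which the already-unconditional X86_PTDUMP line just below suggests but OptCheck's evaluation is not in this hunk, and nothing in the new code records the assumption, so the next reader will wonder why the arch guards were dropped. A one-line comment above IA32_EMULATION such as `# arch-specific options: absent on other arches, which still counts as 'is not set'` would make the intent visible, and if OptCheck instead reports a missing option as a failure the guards need to come back. construct_checklist starts and ends outside the hunk.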
@@ -431,9 +429,8 @@ def construct_checklist(checklist, arch): checklist.append(OptCheck('FTRACE', 'is not set', 'my', 'cut_attack_surface')) checklist.append(OptCheck('BPF_JIT', 'is not set', 'my', 'cut_attack_surface')) checklist.append(OptCheck('VIDEO_VIVID', 'is not set', 'my', 'cut_attack_surface')) - if arch == 'X86_32': - checklist.append(OptCheck('MODIFY_LDT_SYSCALL', 'is not set', 'my', 'cut_attack_surface')) + checklist.append(OptCheck('INTEGRITY', 'y', 'defconfig', 'userspace_hardening')) if arch == 'ARM64': checklist.append(OptCheck('ARM64_PTR_AUTH', 'y', 'defconfig', 'userspace_hardening')) if arch == 'X86_64' or arch == 'ARM64':