X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig-hardened-check.py;h=5df4997224b55737424f0da9536e77964cce63bd;hb=refs%2Ftags%2Fv0.5.5;hp=c5dcb06a1b67f9f8f1e292f14aaa8ca82aae9db0;hpb=1e2a12519efdb70fd5456f08b1726eaa75d6913f;p=kconfig-hardened-check.git

diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index c5dcb06..5df4997 100755
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -13,7 +13,6 @@
 # N.B Hardening command line parameters:
 #    slub_debug=FZP
 #    slab_nomerge
-#    kernel.kptr_restrict=1
 #    page_alloc.shuffle=1
 #    iommu=force (does it help against DMA attacks?)
 #    page_poison=1 (if enabled)
@@ -30,22 +29,30 @@
 #           spec_store_bypass_disable=on
 #           l1tf=full,force
 #           mds=full,nosmt
+#           tsx=off
 #       ARM64:
 #           kpti=on
 #           ssbd=force-on
 #
 # N.B. Hardening sysctls:
-#    net.core.bpf_jit_harden=2
-#    kptr_restrict=2
-#    vm.unprivileged_userfaultfd=0
+#    kernel.kptr_restrict=2
+#    kernel.dmesg_restrict=1
 #    kernel.perf_event_paranoid=3
-#    kernel.yama.ptrace_scope=1 (or even 3?)
+#    kernel.kexec_load_disabled=1
+#    kernel.yama.ptrace_scope=3
+#    user.max_user_namespaces=0
 #    kernel.unprivileged_bpf_disabled=1
+#    net.core.bpf_jit_harden=2
+#
+#    vm.unprivileged_userfaultfd=0
+#
+#    dev.tty.ldisc_autoload=0
+#    fs.protected_symlinks=1
+#    fs.protected_hardlinks=1
+#    fs.protected_fifos=2
+#    fs.protected_regular=2
 #    fs.suid_dumpable=0
-#    fs.protected_symlinks = 1
-#    fs.protected_hardlinks = 1
-#    fs.protected_fifos = 2
-#    fs.protected_regular = 2
+#    kernel.modules_disabled=1
 
 import sys
 from argparse import ArgumentParser
@@ -413,6 +420,8 @@ def construct_checklist(checklist, arch):
     checklist.append(OptCheck('BPF_SYSCALL',          'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN
     checklist.append(OptCheck('MMIOTRACE_TEST',       'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN
 
+    if arch == 'X86_64' or arch == 'X86_32':
+        checklist.append(OptCheck('X86_INTEL_TSX_MODE_OFF',   'y', 'clipos', 'cut_attack_surface')) # tsx=off
     checklist.append(OptCheck('STAGING',                  'is not set', 'clipos', 'cut_attack_surface'))
     checklist.append(OptCheck('KSM',                      'is not set', 'clipos', 'cut_attack_surface')) # to prevent FLUSH+RELOAD attack
 #   checklist.append(OptCheck('IKCONFIG',                 'is not set', 'clipos', 'cut_attack_surface')) # no, this info is needed for this check :)
@@ -426,7 +435,7 @@ def construct_checklist(checklist, arch):
     checklist.append(AND(OptCheck('LDISC_AUTOLOAD',           'is not set', 'clipos', 'cut_attack_surface'), \
                          VerCheck((5, 1)))) # LDISC_AUTOLOAD can be disabled since v5.1
 
-    checklist.append(OptCheck('AIO',                  'is not set', 'copperhead', 'cut_attack_surface'))
+    checklist.append(OptCheck('AIO',                  'is not set', 'grapheneos', 'cut_attack_surface'))
 
     checklist.append(OptCheck('MMIOTRACE',            'is not set', 'my', 'cut_attack_surface')) # refers to LOCKDOWN (permissive)
     checklist.append(OptCheck('LIVEPATCH',            'is not set', 'my', 'cut_attack_surface'))