X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig-hardened-check.py;h=733106cb589bcac431d1084623e9c6b882175f83;hb=ecc71d7ae86358a769eac116b180ed66536799ab;hp=2ed79cda1113c015ab45af7d6f54b6397822fc52;hpb=8146802d168ec85ce256843c2d513f8a742322f2;p=kconfig-hardened-check.git diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py index 2ed79cd..733106c 100755 --- a/kconfig-hardened-check.py +++ b/kconfig-hardened-check.py @@ -14,9 +14,10 @@ # page_poison=1 # slub_debug=FZP # slab_nomerge -# pti=on # kernel.kptr_restrict=1 -# lockdown=1 +# lockdown=1 (is it changed?) +# page_alloc.shuffle=1 +# iommu=force (does it help against DMA attacks?) # # Mitigations of CPU vulnerabilities: # Аrch-independent: @@ -251,6 +252,10 @@ def construct_checklist(checklist, arch): checklist.append(OptCheck('SYN_COOKIES', 'y', 'kspp', 'self_protection')) # another reason? checklist.append(OptCheck('DEFAULT_MMAP_MIN_ADDR', '32768', 'kspp', 'self_protection')) + checklist.append(OR(OptCheck('INIT_STACK_ALL', 'y', 'clipos', 'self_protection'), \ + OptCheck('GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y', 'kspp', 'self_protection'))) + checklist.append(OptCheck('INIT_ON_ALLOC_DEFAULT_ON', 'y', 'clipos', 'self_protection')) + checklist.append(OptCheck('INIT_ON_FREE_DEFAULT_ON', 'y', 'clipos', 'self_protection')) checklist.append(OptCheck('SECURITY_DMESG_RESTRICT', 'y', 'clipos', 'self_protection')) checklist.append(OptCheck('DEBUG_VIRTUAL', 'y', 'clipos', 'self_protection')) checklist.append(OptCheck('STATIC_USERMODEHELPER', 'y', 'clipos', 'self_protection')) # needs userspace support (systemd) @@ -276,11 +281,7 @@ def construct_checklist(checklist, arch): checklist.append(AND(OptCheck('INTEL_IOMMU_DEFAULT_ON', 'y', 'clipos', 'self_protection'), \ iommu_support_is_set)) - checklist.append(OR(OptCheck('INIT_STACK_ALL', 'y', 'my', 'self_protection'), \ - OptCheck('GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y', 'kspp', 'self_protection'))) checklist.append(OptCheck('SLUB_DEBUG_ON', 'y', 'my', 'self_protection')) - checklist.append(OptCheck('INIT_ON_ALLOC_DEFAULT_ON', 'y', 'my', 'self_protection')) - checklist.append(OptCheck('INIT_ON_FREE_DEFAULT_ON', 'y', 'my', 'self_protection')) checklist.append(OptCheck('RESET_ATTACK_MITIGATION', 'y', 'my', 'self_protection')) # needs userspace support (systemd) checklist.append(AND(OptCheck('PAGE_POISONING_NO_SANITY', 'is not set', 'my', 'self_protection'), \ page_poisoning_is_set)) @@ -402,8 +403,8 @@ def print_checklist(checklist, with_results): return # header - print('{:^40}|{:^13}|{:^10}|{:^20}'.format('option name', 'desired val', 'decision', 'reason'), end='') - sep_line_len = 86 + print('{:^45}|{:^13}|{:^10}|{:^20}'.format('option name', 'desired val', 'decision', 'reason'), end='') + sep_line_len = 91 if with_results: print('||{:^28}'.format('check result'), end='') sep_line_len += 30 @@ -412,7 +413,7 @@ def print_checklist(checklist, with_results): print('=' * sep_line_len) for opt in checklist: - print('CONFIG_{:<33}|{:^13}|{:^10}|{:^20}'.format(opt.name, opt.expected, opt.decision, opt.reason), end='') + print('CONFIG_{:<38}|{:^13}|{:^10}|{:^20}'.format(opt.name, opt.expected, opt.decision, opt.reason), end='') if with_results: print('||{:^28}'.format(opt.result), end='') print()