X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=362a6e4dd4ac9408bd9b404211821be86c8e601d;hb=refs%2Fpull%2F51%2Fhead;hp=f75ebc6f20855ba1d47e24b51d772da2abb16044;hpb=5e4fba6623a686f4c4e86727b2e90df86dc340f0;p=kconfig-hardened-check.git

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index f75ebc6..362a6e4 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -34,6 +34,16 @@
 #           kpti=on
 #           ssbd=force-on
 #
+#    Should NOT be set:
+#           nokaslr
+#           arm64.nobti
+#           arm64.nopauth
+#
+#    Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE):
+#           kasan=on
+#           kasan.stacktrace=off
+#           kasan.fault=panic
+#
 # N.B. Hardening sysctls:
 #    kernel.kptr_restrict=2 (or 1?)
 #    kernel.dmesg_restrict=1 (also see the kconfig option)
@@ -46,6 +56,8 @@
 #    net.core.bpf_jit_harden=2
 #
 #    vm.unprivileged_userfaultfd=0
+#        (at first, it disabled unprivileged userfaultfd,
+#         and since v5.11 it enables unprivileged userfaultfd for user-mode only)
 #
 #    dev.tty.ldisc_autoload=0
 #    fs.protected_symlinks=1
@@ -322,6 +334,7 @@ def construct_checklist(l, arch):
         l += [OptCheck('self_protection', 'defconfig', 'ARM64_BTI_KERNEL', 'y')]
         l += [OR(OptCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y'),
                  VerCheck((5, 10)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10
+        l += [OptCheck('self_protection', 'defconfig', 'ARM64_MTE', 'y')]
     if arch == 'ARM':
         l += [OptCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')]
         l += [OptCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')]
@@ -358,7 +371,12 @@ def construct_checklist(l, arch):
     l += [OR(OptCheck('self_protection', 'kspp', 'INIT_STACK_ALL_ZERO', 'y'),
              OptCheck('self_protection', 'kspp', 'GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y'))]
     l += [OR(OptCheck('self_protection', 'kspp', 'INIT_ON_FREE_DEFAULT_ON', 'y'),
-             OptCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'))] # before v5.3
+             OptCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'))]
+             # CONFIG_INIT_ON_FREE_DEFAULT_ON was added in v5.3.
+             # CONFIG_PAGE_POISONING_ZERO was removed in v5.11.
+             # Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks
+             # the 0xAA poison pattern on allocation.
+             # That brings higher performance penalty.
     if arch in ('X86_64', 'ARM64', 'X86_32'):
         stackleak_is_set = OptCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y')
         l += [stackleak_is_set]
@@ -408,6 +426,7 @@ def construct_checklist(l, arch):
                   iommu_support_is_set)]
     if arch == 'ARM64':
         l += [OptCheck('self_protection', 'my', 'SHADOW_CALL_STACK', 'y')] # depends on clang, maybe it's alternative to STACKPROTECTOR_STRONG
+        l += [OptCheck('self_protection', 'my', 'KASAN_HW_TAGS', 'y')]
 
     # 'security_policy'
     if arch in ('X86_64', 'ARM64', 'X86_32'):