X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=3b3b415ec12612ebef605dddd59cda786d094132;hb=b73ae3cf7ad0a85a72739bdf961605279fd45d1b;hp=b119df33b4d563bc10982e93cdb56f5e80bc4f46;hpb=3b2a9440bc003c5c44ba7b8bb30d419ee694c02f;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index b119df3..3b3b415 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -2,7 +2,7 @@ # # This tool helps me to check the Linux kernel Kconfig option list -# against my hardening preferences for X86_64, ARM64, X86_32, and ARM. +# against my security hardening preferences for X86_64, ARM64, X86_32, and ARM. # Let the computers do their job! # # Author: Alexander Popov @@ -19,6 +19,7 @@ # init_on_free=1 (since v5.3, otherwise slub_debug=P and page_poison=1) # loadpin.enforce=1 # debugfs=no-mount (or off if possible) +# randomize_kstack_offset=1 # # Mitigations of CPU vulnerabilities: # Аrch-independent: @@ -34,6 +35,16 @@ # kpti=on # ssbd=force-on # +# Should NOT be set: +# nokaslr +# arm64.nobti +# arm64.nopauth +# +# Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE): +# kasan=on +# kasan.stacktrace=off +# kasan.fault=panic +# # N.B. Hardening sysctls: # kernel.kptr_restrict=2 (or 1?) # kernel.dmesg_restrict=1 (also see the kconfig option) @@ -46,6 +57,8 @@ # net.core.bpf_jit_harden=2 # # vm.unprivileged_userfaultfd=0 +# (at first, it disabled unprivileged userfaultfd, +# and since v5.11 it enables unprivileged userfaultfd for user-mode only) # # dev.tty.ldisc_autoload=0 # fs.protected_symlinks=1 @@ -272,6 +285,9 @@ def detect_version(fname): def construct_checklist(l, arch): + # Calling the OptCheck class constructor: + # OptCheck(reason, decision, name, expected) + modules_not_set = OptCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set') devmem_not_set = OptCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN @@ -302,6 +318,8 @@ def construct_checklist(l, arch): l += [OptCheck('self_protection', 'defconfig', 'SYN_COOKIES', 'y')] # another reason? l += [OR(OptCheck('self_protection', 'defconfig', 'X86_UMIP', 'y'), OptCheck('self_protection', 'defconfig', 'X86_INTEL_UMIP', 'y'))] + if arch in ('ARM64', 'ARM'): + l += [OptCheck('self_protection', 'defconfig', 'STACKPROTECTOR_PER_TASK', 'y')] if arch == 'X86_64': l += [OptCheck('self_protection', 'defconfig', 'PAGE_TABLE_ISOLATION', 'y')] l += [OptCheck('self_protection', 'defconfig', 'RANDOMIZE_MEMORY', 'y')] @@ -311,6 +329,7 @@ def construct_checklist(l, arch): iommu_support_is_set)] if arch == 'ARM64': l += [OptCheck('self_protection', 'defconfig', 'ARM64_PAN', 'y')] + l += [OptCheck('self_protection', 'defconfig', 'ARM64_EPAN', 'y')] l += [OptCheck('self_protection', 'defconfig', 'UNMAP_KERNEL_AT_EL0', 'y')] l += [OR(OptCheck('self_protection', 'defconfig', 'HARDEN_EL2_VECTORS', 'y'), AND(OptCheck('self_protection', 'defconfig', 'RANDOMIZE_BASE', 'y'), @@ -319,10 +338,10 @@ def construct_checklist(l, arch): l += [OptCheck('self_protection', 'defconfig', 'ARM64_PTR_AUTH', 'y')] l += [OptCheck('self_protection', 'defconfig', 'ARM64_BTI_KERNEL', 'y')] l += [OR(OptCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y'), - VerCheck((5, 10)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10 + VerCheck((5, 10)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10 + l += [OptCheck('self_protection', 'defconfig', 'ARM64_MTE', 'y')] if arch == 'ARM': l += [OptCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')] - l += [OptCheck('self_protection', 'defconfig', 'STACKPROTECTOR_PER_TASK', 'y')] l += [OptCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')] # 'self_protection', 'kspp' @@ -346,6 +365,8 @@ def construct_checklist(l, arch): l += [hardened_usercopy_is_set] l += [AND(OptCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'), hardened_usercopy_is_set)] + l += [AND(OptCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_PAGESPAN', 'is not set'), + hardened_usercopy_is_set)] l += [OR(OptCheck('self_protection', 'kspp', 'MODULE_SIG', 'y'), modules_not_set)] l += [OR(OptCheck('self_protection', 'kspp', 'MODULE_SIG_ALL', 'y'), @@ -357,10 +378,16 @@ def construct_checklist(l, arch): l += [OR(OptCheck('self_protection', 'kspp', 'INIT_STACK_ALL_ZERO', 'y'), OptCheck('self_protection', 'kspp', 'GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y'))] l += [OR(OptCheck('self_protection', 'kspp', 'INIT_ON_FREE_DEFAULT_ON', 'y'), - OptCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'))] # before v5.3 + OptCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'))] + # CONFIG_INIT_ON_FREE_DEFAULT_ON was added in v5.3. + # CONFIG_PAGE_POISONING_ZERO was removed in v5.11. + # Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks + # the 0xAA poison pattern on allocation. + # That brings higher performance penalty. if arch in ('X86_64', 'ARM64', 'X86_32'): stackleak_is_set = OptCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y') l += [stackleak_is_set] + l += [OptCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')] if arch in ('X86_64', 'X86_32'): l += [OptCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '65536')] if arch in ('ARM64', 'ARM'): @@ -373,6 +400,14 @@ def construct_checklist(l, arch): l += [OptCheck('self_protection', 'kspp', 'HIGHMEM64G', 'y')] l += [OptCheck('self_protection', 'kspp', 'X86_PAE', 'y')] + # 'self_protection', 'maintainer' + ubsan_bounds_is_set = OptCheck('self_protection', 'maintainer', 'UBSAN_BOUNDS', 'y') # only array index bounds checking + l += [ubsan_bounds_is_set] # recommended by Kees Cook in /issues/53 + l += [AND(OptCheck('self_protection', 'maintainer', 'UBSAN_SANITIZE_ALL', 'y'), + ubsan_bounds_is_set)] # recommended by Kees Cook in /issues/53 + l += [AND(OptCheck('self_protection', 'maintainer', 'UBSAN_TRAP', 'y'), + ubsan_bounds_is_set)] # recommended by Kees Cook in /issues/53 + # 'self_protection', 'clipos' l += [OptCheck('self_protection', 'clipos', 'DEBUG_VIRTUAL', 'y')] l += [OptCheck('self_protection', 'clipos', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support @@ -388,24 +423,27 @@ def construct_checklist(l, arch): l += [AND(OptCheck('self_protection', 'clipos', 'STACKLEAK_RUNTIME_DISABLE', 'is not set'), stackleak_is_set)] if arch in ('X86_64', 'X86_32'): - l += [AND(OptCheck('self_protection', 'clipos', 'INTEL_IOMMU_SVM', 'y'), - iommu_support_is_set)] l += [AND(OptCheck('self_protection', 'clipos', 'INTEL_IOMMU_DEFAULT_ON', 'y'), iommu_support_is_set)] + if arch == 'X86_64': + l += [AND(OptCheck('self_protection', 'clipos', 'INTEL_IOMMU_SVM', 'y'), + iommu_support_is_set)] if arch == 'X86_32': l += [AND(OptCheck('self_protection', 'clipos', 'INTEL_IOMMU', 'y'), iommu_support_is_set)] # 'self_protection', 'my' - l += [AND(OptCheck('self_protection', 'my', 'UBSAN_BOUNDS', 'y'), - OptCheck('self_protection', 'my', 'UBSAN_MISC', 'is not set'), - OptCheck('self_protection', 'my', 'UBSAN_TRAP', 'y'))] l += [OptCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y')] # needs userspace support (systemd) if arch == 'X86_64': l += [AND(OptCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'), iommu_support_is_set)] if arch == 'ARM64': - l += [OptCheck('self_protection', 'my', 'SHADOW_CALL_STACK', 'y')] # maybe it should be alternative to STACKPROTECTOR_STRONG + l += [OptCheck('self_protection', 'my', 'SHADOW_CALL_STACK', 'y')] # depends on clang, maybe it's alternative to STACKPROTECTOR_STRONG + l += [OptCheck('self_protection', 'my', 'KASAN_HW_TAGS', 'y')] + cfi_clang_is_set = OptCheck('self_protection', 'my', 'CFI_CLANG', 'y') + l += [cfi_clang_is_set] + l += [AND(OptCheck('self_protection', 'my', 'CFI_PERMISSIVE', 'is not set'), + cfi_clang_is_set)] # 'security_policy' if arch in ('X86_64', 'ARM64', 'X86_32'): @@ -461,7 +499,6 @@ def construct_checklist(l, arch): l += [OptCheck('cut_attack_surface', 'grsecurity', 'PAGE_OWNER', 'is not set')] l += [OptCheck('cut_attack_surface', 'grsecurity', 'DEBUG_KMEMLEAK', 'is not set')] l += [OptCheck('cut_attack_surface', 'grsecurity', 'BINFMT_AOUT', 'is not set')] - l += [OptCheck('cut_attack_surface', 'grsecurity', 'KPROBES', 'is not set')] # refers to LOCKDOWN l += [OptCheck('cut_attack_surface', 'grsecurity', 'UPROBES', 'is not set')] l += [OptCheck('cut_attack_surface', 'grsecurity', 'GENERIC_TRACER', 'is not set')] # refers to LOCKDOWN l += [OptCheck('cut_attack_surface', 'grsecurity', 'PROC_VMCORE', 'is not set')] @@ -478,9 +515,10 @@ def construct_checklist(l, arch): OptCheck('cut_attack_surface', 'my', 'PTDUMP_DEBUGFS', 'is not set'))] # 'cut_attack_surface', 'maintainer' - l += [OptCheck('cut_attack_surface', 'maintainer', 'DRM_LEGACY', 'is not set')] - l += [OptCheck('cut_attack_surface', 'maintainer', 'FB', 'is not set')] - l += [OptCheck('cut_attack_surface', 'maintainer', 'VT', 'is not set')] + l += [OptCheck('cut_attack_surface', 'maintainer', 'DRM_LEGACY', 'is not set')] # recommended by Daniel Vetter in /issues/38 + l += [OptCheck('cut_attack_surface', 'maintainer', 'FB', 'is not set')] # recommended by Daniel Vetter in /issues/38 + l += [OptCheck('cut_attack_surface', 'maintainer', 'VT', 'is not set')] # recommended by Daniel Vetter in /issues/38 + l += [OptCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD', 'is not set')] # recommended by Denis Efremov in /pull/54 # 'cut_attack_surface', 'grapheneos' l += [OptCheck('cut_attack_surface', 'grapheneos', 'AIO', 'is not set')] @@ -509,6 +547,7 @@ def construct_checklist(l, arch): l += [OptCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')] # refers to LOCKDOWN l += [OptCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set')] # refers to LOCKDOWN l += [OptCheck('cut_attack_surface', 'lockdown', 'MMIOTRACE_TEST', 'is not set')] # refers to LOCKDOWN + l += [OptCheck('cut_attack_surface', 'lockdown', 'KPROBES', 'is not set')] # refers to LOCKDOWN # 'cut_attack_surface', 'my' l += [OptCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y')] @@ -661,10 +700,10 @@ def main(): report_modes = ['verbose', 'json', 'show_ok', 'show_fail'] supported_archs = ['X86_64', 'X86_32', 'ARM64', 'ARM'] parser = ArgumentParser(prog='kconfig-hardened-check', - description='Checks the hardening options in the Linux kernel config') + description='A tool for checking the security hardening options of the Linux kernel') parser.add_argument('--version', action='version', version='%(prog)s ' + __version__) parser.add_argument('-p', '--print', choices=supported_archs, - help='print hardening preferences for selected architecture') + help='print security hardening preferences for the selected architecture') parser.add_argument('-c', '--config', help='check the kernel config file against these preferences') parser.add_argument('-m', '--mode', choices=report_modes, @@ -712,7 +751,7 @@ def main(): arch = args.print construct_checklist(config_checklist, arch) if mode != 'json': - print('[+] Printing kernel hardening preferences for {}...'.format(arch)) + print('[+] Printing kernel security hardening preferences for {}...'.format(arch)) print_checklist(mode, config_checklist, False) sys.exit(0)