X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=41d6520fc4a0594a8d531d291956c63b0343635b;hb=6ae70f5e1b058b05245f033abf507a8017862372;hp=27362cce25f7fd878e0b0abcec30eff430584016;hpb=34469ca1cd291fc75577eab81f1099f2abfc91b9;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 27362cc..41d6520 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -12,7 +12,6 @@ # # N.B Hardening command line parameters: # iommu=force (does it help against DMA attacks?) -# slub_debug=FZ (slow) # loadpin.enforce=1 # # Mitigations of CPU vulnerabilities: @@ -30,7 +29,6 @@ # ssbd=force-on # # Should NOT be set: -# nokaslr # sysrq_always_enabled # arm64.nobti # arm64.nopauth @@ -313,15 +311,19 @@ def add_kconfig_checks(l, arch): # [!] Don't add CmdlineChecks in add_kconfig_checks() to avoid wrong results # when the tool doesn't check the cmdline. + efi_not_set = KconfigCheck('-', '-', 'EFI', 'is not set') + cc_is_gcc = KconfigCheck('-', '-', 'CC_IS_GCC', 'y') + cc_is_clang = KconfigCheck('-', '-', 'CC_IS_CLANG', 'y') + modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set') devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN bpf_syscall_not_set = KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set') # refers to LOCKDOWN - efi_not_set = KconfigCheck('cut_attack_surface', 'my', 'EFI', 'is not set') # 'self_protection', 'defconfig' l += [KconfigCheck('self_protection', 'defconfig', 'BUG', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'SLUB_DEBUG', 'y')] - l += [KconfigCheck('self_protection', 'defconfig', 'GCC_PLUGINS', 'y')] + l += [AND(KconfigCheck('self_protection', 'defconfig', 'GCC_PLUGINS', 'y'), + cc_is_gcc)] l += [OR(KconfigCheck('self_protection', 'defconfig', 'STACKPROTECTOR', 'y'), KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR', 'y'), KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR_REGULAR', 'y'), @@ -392,13 +394,15 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_CREDENTIALS', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y')] - l += [KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y')] + l += [AND(KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y'), + cc_is_gcc)] l += [KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'WERROR', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_PASSTHROUGH', 'is not set')] # true if IOMMU_DEFAULT_DMA_STRICT is set l += [KconfigCheck('self_protection', 'kspp', 'ZERO_CALL_USED_REGS', 'y')] - randstruct_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y') + randstruct_is_set = OR(KconfigCheck('self_protection', 'kspp', 'RANDSTRUCT_FULL', 'y'), + KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y')) l += [randstruct_is_set] hardened_usercopy_is_set = KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y') l += [hardened_usercopy_is_set] @@ -425,7 +429,7 @@ def add_kconfig_checks(l, arch): # That brings higher performance penalty. if arch in ('X86_64', 'ARM64', 'X86_32'): stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y') - l += [stackleak_is_set] + l += [AND(stackleak_is_set, cc_is_gcc)] l += [KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')] if arch in ('X86_64', 'X86_32'): l += [KconfigCheck('self_protection', 'kspp', 'SCHED_CORE', 'y')] @@ -457,13 +461,16 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set')] l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_BOOTLOADER', 'is not set')] l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_CPU', 'is not set')] - l += [AND(KconfigCheck('self_protection', 'clipos', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'), + l += [AND(KconfigCheck('self_protection', 'clipos', 'RANDSTRUCT_PERFORMANCE', 'is not set'), + KconfigCheck('self_protection', 'clipos', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'), randstruct_is_set)] if arch in ('X86_64', 'ARM64', 'X86_32'): l += [AND(KconfigCheck('self_protection', 'clipos', 'STACKLEAK_METRICS', 'is not set'), - stackleak_is_set)] + stackleak_is_set, + cc_is_gcc)] l += [AND(KconfigCheck('self_protection', 'clipos', 'STACKLEAK_RUNTIME_DISABLE', 'is not set'), - stackleak_is_set)] + stackleak_is_set, + cc_is_gcc)] if arch in ('X86_64', 'X86_32'): l += [AND(KconfigCheck('self_protection', 'clipos', 'INTEL_IOMMU_DEFAULT_ON', 'y'), iommu_support_is_set)] @@ -482,7 +489,7 @@ def add_kconfig_checks(l, arch): l += [AND(KconfigCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'), iommu_support_is_set)] if arch == 'ARM64': - l += [KconfigCheck('self_protection', 'my', 'SHADOW_CALL_STACK', 'y')] # depends on clang, maybe it's alternative to STACKPROTECTOR_STRONG + l += [KconfigCheck('self_protection', 'my', 'SHADOW_CALL_STACK', 'y')] # maybe it's alternative to STACKPROTECTOR_STRONG l += [KconfigCheck('self_protection', 'my', 'KASAN_HW_TAGS', 'y')] cfi_clang_is_set = KconfigCheck('self_protection', 'my', 'CFI_CLANG', 'y') l += [cfi_clang_is_set] @@ -495,6 +502,7 @@ def add_kconfig_checks(l, arch): if arch == 'ARM': l += [KconfigCheck('security_policy', 'kspp', 'SECURITY', 'y')] # and choose your favourite LSM l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_YAMA', 'y')] + l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_LANDLOCK', 'y')] l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DISABLE', 'is not set')] l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM', 'y')] l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM_EARLY', 'y')] @@ -694,15 +702,13 @@ def add_cmdline_checks(l, arch): AND(KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_PASSTHROUGH', 'is not set'), CmdlineCheck('self_protection', 'kspp', 'iommu.passthrough', 'is not set')))] # The cmdline checks compatible with the kconfig recommendations of the KSPP project... + l += [CmdlineCheck('self_protection', 'kspp', 'nokaslr', 'is not set')] l += [OR(CmdlineCheck('self_protection', 'kspp', 'hardened_usercopy', '1'), AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y'), CmdlineCheck('self_protection', 'kspp', 'hardened_usercopy', 'is not set')))] l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', '0'), AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'), - CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', 'is not set')))] - l += [OR(CmdlineCheck('self_protection', 'kspp', 'page_alloc.shuffle', '1'), - AND(KconfigCheck('self_protection', 'kspp', 'SHUFFLE_PAGE_ALLOCATOR', 'y'), - CmdlineCheck('self_protection', 'kspp', 'page_alloc.shuffle', 'is not set')))] # ... the end + CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', 'is not set')))] # ... the end if arch in ('X86_64', 'ARM64', 'X86_32'): l += [OR(CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', '1'), AND(KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y'), @@ -710,6 +716,9 @@ def add_cmdline_checks(l, arch): if arch in ('X86_64', 'X86_32'): l += [CmdlineCheck('self_protection', 'kspp', 'pti', 'on')] + # 'self_protection', 'clipos' + l += [CmdlineCheck('self_protection', 'clipos', 'page_alloc.shuffle', '1')] + # 'cut_attack_surface', 'kspp' if arch == 'X86_64': l += [OR(CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'none'),