X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=5855cf0756aca75e42a6af0e08e641f41cae1856;hb=86ca20532410ee24ff332b158a50aea99ee007d3;hp=a13f0f84ecc4d48d3d8ba25695812af5478c6f15;hpb=0a21c2cc7a6425855cc73f056511a6271b389ab5;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index a13f0f8..5855cf0 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -12,7 +12,6 @@ # # N.B Hardening command line parameters: # iommu=force (does it help against DMA attacks?) -# loadpin.enforce=1 # # Mitigations of CPU vulnerabilities: # Аrch-independent: @@ -482,8 +481,12 @@ def add_kconfig_checks(l, arch): l += [OR(KconfigCheck('self_protection', 'clipos', 'EFI_DISABLE_PCI_DMA', 'y'), efi_not_set)] l += [KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set')] - l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_BOOTLOADER', 'is not set')] - l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_CPU', 'is not set')] + hw_random_tpm_is_set = KconfigCheck('self_protection', 'clipos', 'HW_RANDOM_TPM', 'y') + l += [hw_random_tpm_is_set] + l += [AND(KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_BOOTLOADER', 'is not set'), + hw_random_tpm_is_set)] + l += [AND(KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_CPU', 'is not set'), + hw_random_tpm_is_set)] l += [AND(KconfigCheck('self_protection', 'clipos', 'RANDSTRUCT_PERFORMANCE', 'is not set'), KconfigCheck('self_protection', 'clipos', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'), randstruct_is_set)] @@ -530,15 +533,12 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_YAMA', 'y')] l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_LANDLOCK', 'y')] l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DISABLE', 'is not set')] + l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_SELINUX_BOOTPARAM', 'is not set')] + l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_SELINUX_DEVELOP', 'is not set')] l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM', 'y')] l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM_EARLY', 'y')] l += [KconfigCheck('security_policy', 'clipos', 'LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y')] l += [KconfigCheck('security_policy', 'my', 'SECURITY_WRITABLE_HOOKS', 'is not set')] # refers to SECURITY_SELINUX_DISABLE - l += [KconfigCheck('security_policy', 'my', 'SECURITY_SAFESETID', 'y')] - loadpin_is_set = KconfigCheck('security_policy', 'my', 'SECURITY_LOADPIN', 'y') - l += [loadpin_is_set] # needs userspace support - l += [AND(KconfigCheck('security_policy', 'my', 'SECURITY_LOADPIN_ENFORCE', 'y'), - loadpin_is_set)] # 'cut_attack_surface', 'defconfig' l += [OR(KconfigCheck('cut_attack_surface', 'defconfig', 'BPF_UNPRIV_DEFAULT_OFF', 'y'), @@ -640,6 +640,7 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_IOPL_IOPERM', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'clipos', 'ACPI_TABLE_UPGRADE', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'clipos', 'COREDUMP', 'is not set')] # cut userspace attack surface l += [AND(KconfigCheck('cut_attack_surface', 'clipos', 'LDISC_AUTOLOAD', 'is not set'), KconfigCheck('cut_attack_surface', 'clipos', 'LDISC_AUTOLOAD'))] # option presence check if arch in ('X86_64', 'X86_32'):