X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=5cfa2b3406d7c99f2b4cba4da687092137fe762f;hb=9a19ae15617b214eb5400b631ae6c8db08873e43;hp=c4214a1410d4ee659259203c92276dab855418c4;hpb=a47bed83770d59987ae270d059a59e4a8fe81117;p=kconfig-hardened-check.git
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index c4214a1..5cfa2b3 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -98,8 +98,8 @@ class OptCheck:
 self.result = 'FAIL: "' + self.state + '"'
 if self.result.startswith('OK'):
- return True, self.result
- return False, self.result
+ return True
+ return False
 def table_print(self, with_results):
 print('CONFIG_{:<38}|{:^13}|{:^10}|{:^20}'.format(self.name, self.expected, self.decision, self.reason), end='')
@@ -115,15 +115,15 @@ class VerCheck:
 def check(self):
 if kernel_version[0] > self.ver_expected[0]:
 self.result = 'OK: version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1])
- return True, self.result
+ return True
 if kernel_version[0] < self.ver_expected[0]:
 self.result = 'FAIL: version < ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1])
- return False, self.result
+ return False
 if kernel_version[1] >= self.ver_expected[1]:
 self.result = 'OK: version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1])
- return True, self.result
+ return True
 self.result = 'FAIL: version < ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1])
- return False, self.result
+ return False
 def table_print(self, with_results):
 ver_req = 'kernel version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1])
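Review bot: OptCheck.check() still decides pass or fail from the text of self.result, so the new tail `if self.result.startswith('OK'): return True` / `return False` can simply be `return self.result.startswith('OK')`. Now that the method returns a bare bool and leaves the message in self.result, a docstring such as `"""Set self.result and return True if it starts with 'OK'."""` would state the new contract for callers that used to unpack a tuple. check() begins above this hunk, and the same return-type change is made in VerCheck.check() and PresenceCheck.check() in the next two hunks.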
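Review bot: VerCheck.check() repeats the same two message strings across four branches, and the major/minor comparison it spells out by hand is what tuple comparison already does. Comparing the two version pairs once and building the message from that result gives the same True/False and the same self.result text, with each string written in one place. kernel_version is a module-level name assigned outside this hunk, so whether it is always populated before check() runs cannot be confirmed from here.

```python
def check(self):
    ver_ok = (kernel_version[0], kernel_version[1]) >= (self.ver_expected[0], self.ver_expected[1])
    ver_req = str(self.ver_expected[0]) + '.' + str(self.ver_expected[1])
    self.result = ('OK: version >= ' if ver_ok else 'FAIL: version < ') + ver_req
    return ver_ok
```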
@@ -141,9 +141,9 @@ class PresenceCheck:
 def check(self):
 if self.state is None:
 self.result = 'FAIL: not present'
- return False, self.result
+ return False
 self.result = 'OK: is present'
- return True, self.result
+ return True
 def table_print(self, with_results):
 print('CONFIG_{:<84}'.format(self.name + ' is present'), end='')
@@ -164,10 +164,6 @@ class ComplexOptCheck:
 def expected(self):
 return self.opts[0].expected
- @property
- def state(self):
- return self.opts[0].state
-
 @property
 def decision(self):
 return self.opts[0].decision
@@ -202,15 +198,15 @@ class OR(ComplexOptCheck):
 sys.exit('[!] ERROR: invalid OR check')
 for i, opt in enumerate(self.opts):
- ret, _ = opt.check()
+ ret = opt.check()
 if ret:
 if i == 0 or not hasattr(opt, 'expected'):
 self.result = opt.result
 else:
 self.result = 'OK: CONFIG_{} "{}"'.format(opt.name, opt.expected)
- return True, self.result
+ return True
 self.result = self.opts[0].result
- return False, self.result
+ return False
 class AND(ComplexOptCheck):
@@ -220,16 +216,16 @@ class AND(ComplexOptCheck):
 def check(self):
 for i, opt in reversed(list(enumerate(self.opts))):
- ret, _ = opt.check()
+ ret = opt.check()
 if i == 0:
 self.result = opt.result
- return ret, self.result
+ return ret
 if not ret:
 if hasattr(opt, 'expected'):
 self.result = 'FAIL: CONFIG_{} is needed'.format(opt.name)
 else:
 self.result = opt.result
- return False, self.result
+ return False
 sys.exit('[!] ERROR: invalid AND check')
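Review bot: In OR.check() the new `ret = opt.check()` feeds `if ret:` directly, so any check class that still returns the old `(bool, result)` tuple would be counted as passing, because a non-empty tuple is truthy even when its first element is False. AND.check() in the next hunk has the same exposure through `if not ret:` and `return ret`. Since the output is a hardening verdict, failing closed is safer: after the call add `if not isinstance(ret, bool): sys.exit('[!] ERROR: check() must return a bool')`, in the sys.exit error style already used here. Every check class visible in this diff is converted, but classes defined outside these hunks cannot be confirmed from here. OR.check() starts above this hunk.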
@@ -309,6 +305,7 @@ def construct_checklist(checklist, arch):
 checklist.append(OptCheck('UNMAP_KERNEL_AT_EL0', 'y', 'defconfig', 'self_protection'))
 checklist.append(OptCheck('HARDEN_EL2_VECTORS', 'y', 'defconfig', 'self_protection'))
 checklist.append(OptCheck('RODATA_FULL_DEFAULT_ENABLED', 'y', 'defconfig', 'self_protection'))
+ checklist.append(OptCheck('ARM64_PTR_AUTH', 'y', 'defconfig', 'self_protection'))
 if arch in ('X86_64', 'ARM64'):
 checklist.append(OptCheck('VMAP_STACK', 'y', 'defconfig', 'self_protection'))
 if arch in ('X86_64', 'ARM64', 'X86_32'):
@@ -492,10 +489,9 @@ def construct_checklist(checklist, arch):
 checklist.append(OptCheck('FTRACE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCKDOWN
 checklist.append(OptCheck('BPF_JIT', 'is not set', 'my', 'cut_attack_surface'))
 checklist.append(OptCheck('VIDEO_VIVID', 'is not set', 'my', 'cut_attack_surface'))
+ checklist.append(OptCheck('INPUT_EVBUG', 'is not set', 'my', 'cut_attack_surface')) # Can be used as a keylogger
 checklist.append(OptCheck('INTEGRITY', 'y', 'defconfig', 'userspace_hardening'))
- if arch == 'ARM64':
- checklist.append(OptCheck('ARM64_PTR_AUTH', 'y', 'defconfig', 'userspace_hardening'))
 if arch in ('ARM', 'X86_32'):
 checklist.append(OptCheck('VMSPLIT_3G', 'y', 'defconfig', 'userspace_hardening'))
 if arch in ('X86_64', 'ARM64'):
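Review bot: The new ARM64_PTR_AUTH line carries no arch test of its own, unlike the `if arch == 'ARM64':` guard on the copy this commit removes from the userspace_hardening group in the next hunk; it relies on an enclosing condition that lies above this hunk, so confirm that block is ARM64-only. Moving the entry to self_protection also changes how the option is reported, and a trailing comment in the file's existing style, e.g. `# also enables pointer authentication for userspace`, would record that the option covers both. As far as I know, whether this option protects the kernel itself depends on kernel version and toolchain support, which this check does not test.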
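Review bot: The trailing comment on the new INPUT_EVBUG line, `# Can be used as a keylogger`, gives the conclusion but not the reason: the evbug driver dumps every input event to the kernel log, so anything able to read that log can see keystrokes. A comment such as `# Dumps all input events to the kernel log, can be used as a keylogger` would make the rationale reviewable and point readers at kernel-log access restrictions as the related control. construct_checklist() starts and ends outside this hunk.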