X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=673cb5224c9f8e02845859ce542f57dd0a835ac2;hb=145f48a093338f00273e4a21477dddc34284ddd6;hp=71840aa321092e6dff2a211de60973044c105efd;hpb=35fa2ccf84d5eba5a5a4f21c93aeda9d498b574b;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 71840aa..673cb52 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -13,18 +13,27 @@ # N.B Hardening command line parameters: # iommu=force (does it help against DMA attacks?) # -# Mitigations of CPU vulnerabilities: -# Аrch-independent: -# X86: -# l1d_flush=on (a part of the l1tf option) -# tsx=off -# ARM64: -# kpti=on -# -# Should NOT be set: -# arm64.nobti -# arm64.nopauth -# arm64.nomte +# The list of disabled mitigations of CPU vulnerabilities: +# mitigations=off +# pti=off +# spectre_v2=off +# spectre_v2_user=off +# spec_store_bypass_disable=off +# l1tf=off +# mds=off +# tsx_async_abort=off +# srbds=off +# mmio_stale_data=off +# retbleed=off +# nopti +# nokaslr +# nospectre_v1 +# nospectre_v2 +# nospectre_bhb +# nospec_store_bypass_disable +# kpti=0 +# ssbd=force-off +# nosmt (enabled) # # Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE): # kasan=on @@ -116,6 +125,8 @@ class OptCheck: if self.expected == 'is not off': if self.state == 'off': self.result = 'FAIL: is off' + if self.state == '0': + self.result = 'FAIL: is off, "0"' elif self.state is None: self.result = 'FAIL: is off, not found' else: @@ -284,7 +295,7 @@ class AND(ComplexOptCheck): self.result = 'FAIL: {} is not "{}"'.format(opt.name, opt.expected) elif opt.result == 'FAIL: is not present': self.result = 'FAIL: {} is not present'.format(opt.name) - elif opt.result == 'FAIL: is off': + elif opt.result == 'FAIL: is off' or opt.result == 'FAIL: is off, "0"': self.result = 'FAIL: {} is off'.format(opt.name) elif opt.result == 'FAIL: is off, not found': self.result = 'FAIL: {} is off, not found'.format(opt.name) @@ -568,6 +579,8 @@ def add_kconfig_checks(l, arch): if arch in ('X86_64', 'ARM64', 'X86_32'): l += [OR(KconfigCheck('cut_attack_surface', 'defconfig', 'STRICT_DEVMEM', 'y'), devmem_not_set)] # refers to LOCKDOWN + if arch in ('X86_64', 'X86_32'): + l += [KconfigCheck('cut_attack_surface', 'defconfig', 'X86_INTEL_TSX_MODE_OFF', 'y')] # tsx=off # 'cut_attack_surface', 'kspp' l += [KconfigCheck('cut_attack_surface', 'kspp', 'SECURITY_DMESG_RESTRICT', 'y')] @@ -663,8 +676,6 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'clipos', 'COREDUMP', 'is not set')] # cut userspace attack surface # l += [KconfigCheck('cut_attack_surface', 'clipos', 'IKCONFIG', 'is not set')] # no, IKCONFIG is needed for this check :) - if arch in ('X86_64', 'X86_32'): - l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_INTEL_TSX_MODE_OFF', 'y')] # tsx=off # 'cut_attack_surface', 'lockdown' l += [KconfigCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')] # refers to LOCKDOWN @@ -727,7 +738,11 @@ def add_cmdline_checks(l, arch): l += [CmdlineCheck('self_protection', 'defconfig', 'nopti', 'is not set')] l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_v1', 'is not set')] l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_v2', 'is not set')] + l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_bhb', 'is not set')] l += [CmdlineCheck('self_protection', 'defconfig', 'nospec_store_bypass_disable', 'is not set')] + l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nobti', 'is not set')] + l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nopauth', 'is not set')] + l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nomte', 'is not set')] l += [OR(CmdlineCheck('self_protection', 'defconfig', 'mitigations', 'is not off'), CmdlineCheck('self_protection', 'defconfig', 'mitigations', 'is not set'))] l += [OR(CmdlineCheck('self_protection', 'defconfig', 'spectre_v2', 'is not off'), @@ -748,6 +763,8 @@ def add_cmdline_checks(l, arch): CmdlineCheck('self_protection', 'defconfig', 'mmio_stale_data', 'is not set'))] l += [OR(CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not off'), CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not set'))] + l += [OR(CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not off'), + CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not set'))] if arch == 'ARM64': l += [OR(CmdlineCheck('self_protection', 'defconfig', 'ssbd', 'kernel'), CmdlineCheck('self_protection', 'my', 'ssbd', 'force-on'), @@ -798,6 +815,12 @@ def add_cmdline_checks(l, arch): # 'self_protection', 'clipos' l += [CmdlineCheck('self_protection', 'clipos', 'page_alloc.shuffle', '1')] + # 'cut_attack_surface', 'defconfig' + if arch in ('X86_64', 'X86_32'): + l += [OR(CmdlineCheck('cut_attack_surface', 'defconfig', 'tsx', 'off'), + AND(KconfigCheck('cut_attack_surface', 'defconfig', 'X86_INTEL_TSX_MODE_OFF', 'y'), + CmdlineCheck('cut_attack_surface', 'defconfig', 'tsx', 'is not set')))] + # 'cut_attack_surface', 'kspp' if arch == 'X86_64': l += [OR(CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'none'), @@ -991,6 +1014,9 @@ def normalize_cmdline_options(option, value): if option == 'retbleed': # See retbleed_parse_cmdline() in arch/x86/kernel/cpu/bugs.c return value + if option == 'tsx': + # See tsx_init() in arch/x86/kernel/cpu/tsx.c + return value # Implement a limited part of the kstrtobool() logic if value in ('1', 'on', 'On', 'ON', 'y', 'Y', 'yes', 'Yes', 'YES'):