X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=6ccea34b93beb36a8f6375123d06de4ea48b351f;hb=ef4a19b8a0ce5a6518e723764690d9fe7f853d90;hp=ae373d2241dcc8ad93b46bc3578465a6d13cf220;hpb=bbe60e75ac73b5513f86943775ac02285e0aecd0;p=kconfig-hardened-check.git
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index ae373d2..6ccea34 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -11,24 +11,12 @@
 #
 #
 # N.B Hardening command line parameters:
-# slab_nomerge
-# page_alloc.shuffle=1
 # iommu=force (does it help against DMA attacks?)
-# iommu.passthrough=0
-# iommu.strict=1
-# slub_debug=FZ (slow)
-# init_on_alloc=1 (since v5.3)
-# init_on_free=1 (since v5.3, otherwise slub_debug=P and page_poison=1)
-# loadpin.enforce=1
-# debugfs=no-mount (or off if possible)
-# randomize_kstack_offset=1
 #
 # Mitigations of CPU vulnerabilities:
 # Аrch-independent:
 # mitigations=auto,nosmt (nosmt is slow)
 # X86:
-# spectre_v2=on
-# pti=on
 # spec_store_bypass_disable=on
 # l1tf=full,force
 # l1d_flush=on (a part of the l1tf option)
@@ -39,9 +27,10 @@
 # ssbd=force-on
 #
 # Should NOT be set:
-# nokaslr
+# sysrq_always_enabled
 # arm64.nobti
 # arm64.nopauth
+# arm64.nomte
 #
 # Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE):
 # kasan=on
@@ -58,11 +47,10 @@
 # what about bpf_jit_enable?
 # kernel.unprivileged_bpf_disabled=1
 # net.core.bpf_jit_harden=2
-#
 # vm.unprivileged_userfaultfd=0
 # (at first, it disabled unprivileged userfaultfd,
 # and since v5.11 it enables unprivileged userfaultfd for user-mode only)
-#
+# vm.mmap_min_addr has a good value
 # dev.tty.ldisc_autoload=0
 # fs.protected_symlinks=1
 # fs.protected_hardlinks=1
@@ -70,6 +58,7 @@
 # fs.protected_regular=2
 # fs.suid_dumpable=0
 # kernel.modules_disabled=1
+# kernel.randomize_va_space = 2
 # pylint: disable=missing-module-docstring,missing-class-docstring,missing-function-docstring
@@ -83,13 +72,13 @@
 import re
 import json
 from .__about__ import __version__
-TYPES_OF_CHECKS = ('kconfig', 'version')
+SIMPLE_OPTION_TYPES = ('kconfig', 'version', 'cmdline')
 class OptCheck:
 # Constructor without the 'expected' parameter is for option presence checks (any value is OK)
 def __init__(self, reason, decision, name, expected=None):
- if not reason or not decision or not name:
- sys.exit('[!] ERROR: invalid {} check for "{}"'.format(self.__class__.__name__, name))
+ assert(reason and decision and name), \
+ 'invalid {} check for "{}"'.format(self.__class__.__name__, name)
 self.name = name
 self.expected = expected
 self.decision = decision
@@ -97,6 +86,10 @@ class OptCheck:
 self.state = None
 self.result = None
+ @property
+ def type(self):
+ return None
+
 def check(self):
 # handle the option presence check
 if self.expected is None:
@@ -126,6 +119,12 @@ class OptCheck:
 if with_results:
 print('| {}'.format(self.result), end='')
+ def json_dump(self, with_results):
+ dump = [self.name, self.type, self.expected, self.decision, self.reason]
+ if with_results:
+ dump.append(self.result)
+ return dump
+
 class KconfigCheck(OptCheck):
 def __init__(self, *args, **kwargs):
@@ -136,11 +135,11 @@ class KconfigCheck(OptCheck):
 def type(self):
 return 'kconfig'
- def json_dump(self, with_results):
- dump = [self.name, self.type, self.expected, self.decision, self.reason]
- if with_results:
- dump.append(self.result)
- return dump
+
+class CmdlineCheck(OptCheck):
+ @property
+ def type(self):
+ return 'cmdline'
 class VersionCheck:
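Review bot: The `assert(reason and decision and name), \` that replaces the `sys.exit()` in `OptCheck.__init__` is removed entirely when the tool runs under `python -O` (or `PYTHONOPTIMIZE`), so a check built with an empty reason, decision or name is then accepted silently; the same substitution is made in the `ComplexOptCheck.__init__`, `OR.check`, `AND.check`, `print_unknown_options`, `populate_simple_opt_with_data` and `populate_opt_with_data` hunks below. All of these guard invariants of the hard-coded checklist rather than values read from the kconfig or cmdline files (those still use `sys.exit()`), so `assert` is defensible, but that distinction should be written down once, e.g. above `SIMPLE_OPTION_TYPES`: `# assert is used only for internal invariants of the checklist; data from the config/cmdline files is validated with sys.exit()`. As a matter of style the parentheses are redundant: `assert reason and decision and name, \` is the idiomatic form and avoids the visual resemblance to the `assert (cond, msg)` tuple pitfall.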
@@ -175,33 +174,25 @@ class VersionCheck:
 class ComplexOptCheck:
 def __init__(self, *opts):
 self.opts = opts
- if not self.opts:
- sys.exit('[!] ERROR: empty {} check'.format(self.__class__.__name__))
- if len(self.opts) == 1:
- sys.exit('[!] ERROR: useless {} check'.format(self.__class__.__name__))
- if not isinstance(opts[0], KconfigCheck):
- sys.exit('[!] ERROR: invalid {} check: {}'.format(self.__class__.__name__, opts))
+ assert(self.opts), \
+ 'empty {} check'.format(self.__class__.__name__)
+ assert(len(self.opts) != 1), \
+ 'useless {} check: {}'.format(self.__class__.__name__, opts)
+ assert(isinstance(opts[0], (KconfigCheck, CmdlineCheck))), \
+ 'invalid {} check: {}'.format(self.__class__.__name__, opts)
 self.result = None
- @property
- def name(self):
- return self.opts[0].name
 @property
 def type(self):
 return 'complex'
 @property
- def expected(self):
- return self.opts[0].expected
-
- @property
- def decision(self):
- return self.opts[0].decision
+ def name(self):
+ return self.opts[0].name
 @property
- def reason(self):
- return self.opts[0].reason
+ def expected(self):
+ return self.opts[0].expected
 def table_print(self, mode, with_results):
 if mode == 'verbose':
@@ -230,8 +221,6 @@ class OR(ComplexOptCheck):
 # OR(, )
 # OR(, )
 def check(self):
- if not self.opts:
- sys.exit('[!] ERROR: invalid OR check')
 for i, opt in enumerate(self.opts):
 opt.check()
 if opt.result.startswith('OK'):
@@ -244,9 +233,10 @@ class OR(ComplexOptCheck):
 self.result = 'OK: {} not found'.format(opt.name)
 elif opt.result == 'OK: is present':
 self.result = 'OK: {} is present'.format(opt.name)
- # VersionCheck provides enough info
- elif not opt.result.startswith('OK: version'):
- sys.exit('[!] ERROR: unexpected OK description "{}"'.format(opt.result))
+ else:
+ # VersionCheck provides enough info
+ assert(opt.result.startswith('OK: version')), \
+ 'unexpected OK description "{}"'.format(opt.result)
 return
 self.result = self.opts[0].result
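Review bot: `ComplexOptCheck` loses its `decision` and `reason` properties while `name` and `expected` are kept, and nothing in the hunk records why the two pairs are treated differently; `table_print` starts at the end of this hunk and continues outside it, so I cannot confirm from the visible lines that it and the JSON output path now read those two fields through `self.opts[0]`. A class comment would stop a later reader from re-adding them or calling `opt.decision` on a complex check, e.g. `# name/expected are taken from opts[0]; decision/reason are deliberately not exposed here — read them from opts[0] directly`. The new `isinstance` assertion also validates only `opts[0]`: members at other positions may be a `VersionCheck` or a nested `OR`/`AND`, which is how `add_kconfig_checks` uses them, and is worth stating in the same comment.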
@@ -274,10 +264,9 @@ class AND(ComplexOptCheck):
 else:
 # VersionCheck provides enough info
 self.result = opt.result
- if not opt.result.startswith('FAIL: version'):
- sys.exit('[!] ERROR: unexpected FAIL description "{}"'.format(opt.result))
+ assert(opt.result.startswith('FAIL: version')), \
+ 'unexpected FAIL description "{}"'.format(opt.result)
 return
- sys.exit('[!] ERROR: invalid AND check')
 def detect_arch(fname, archs):
@@ -297,7 +286,7 @@ def detect_arch(fname, archs):
 return arch, 'OK'
-def detect_version(fname):
+def detect_kernel_version(fname):
 with open(fname, 'r') as f:
 ver_pattern = re.compile("# Linux/.* Kernel Configuration")
 for line in f.readlines():
@@ -313,21 +302,51 @@ def detect_version(fname):
 return None, 'no kernel version detected'
+def detect_compiler(fname):
+ gcc_version = None
+ clang_version = None
+ with open(fname, 'r') as f:
+ gcc_version_pattern = re.compile("CONFIG_GCC_VERSION=[0-9]*")
+ clang_version_pattern = re.compile("CONFIG_CLANG_VERSION=[0-9]*")
+ for line in f.readlines():
+ if gcc_version_pattern.match(line):
+ gcc_version = line[19:-1]
+ if clang_version_pattern.match(line):
+ clang_version = line[21:-1]
+ if not gcc_version or not clang_version:
+ return None, 'no CONFIG_GCC_VERSION or CONFIG_CLANG_VERSION'
+ if gcc_version == '0' and clang_version != '0':
+ return 'CLANG ' + clang_version, 'OK'
+ if gcc_version != '0' and clang_version == '0':
+ return 'GCC ' + gcc_version, 'OK'
+ sys.exit('[!] ERROR: invalid GCC_VERSION and CLANG_VERSION: {} {}'.format(gcc_version, clang_version))
+
+
 def add_kconfig_checks(l, arch):
 # Calling the KconfigCheck class constructor:
 # KconfigCheck(reason, decision, name, expected)
+ #
+ # [!] Don't add CmdlineChecks in add_kconfig_checks() to avoid wrong results
+ # when the tool doesn't check the cmdline.
+
+ efi_not_set = KconfigCheck('-', '-', 'EFI', 'is not set')
+ cc_is_gcc = KconfigCheck('-', '-', 'CC_IS_GCC', 'y') # exists since v4.18
+ cc_is_clang = KconfigCheck('-', '-', 'CC_IS_CLANG', 'y') # exists since v4.18
 modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set')
 devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN
 bpf_syscall_not_set = KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set') # refers to LOCKDOWN
- efi_not_set = KconfigCheck('cut_attack_surface', 'my', 'EFI', 'is not set')
 # 'self_protection', 'defconfig'
 l += [KconfigCheck('self_protection', 'defconfig', 'BUG', 'y')]
 l += [KconfigCheck('self_protection', 'defconfig', 'SLUB_DEBUG', 'y')]
- l += [KconfigCheck('self_protection', 'defconfig', 'GCC_PLUGINS', 'y')]
+ gcc_plugins_support_is_set = KconfigCheck('self_protection', 'defconfig', 'GCC_PLUGINS', 'y')
+ l += [gcc_plugins_support_is_set]
 l += [OR(KconfigCheck('self_protection', 'defconfig', 'STACKPROTECTOR', 'y'),
- KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR', 'y'))]
+ KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR', 'y'),
+ KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR_REGULAR', 'y'),
+ KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR_AUTO', 'y'),
+ KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR_STRONG', 'y'))]
 l += [OR(KconfigCheck('self_protection', 'defconfig', 'STACKPROTECTOR_STRONG', 'y'),
 KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR_STRONG', 'y'))]
 l += [OR(KconfigCheck('self_protection', 'defconfig', 'STRICT_KERNEL_RWX', 'y'),
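Review bot: In `detect_compiler`, `gcc_version = line[19:-1]` and `clang_version = line[21:-1]` extract the value by fixed offsets and drop the last character to strip the newline, so if `CONFIG_GCC_VERSION=` or `CONFIG_CLANG_VERSION=` is the final line of a file without a trailing newline the last digit of the version is silently lost; the patterns `CONFIG_GCC_VERSION=[0-9]*` also accept an empty value, which then lands in the 'no CONFIG_GCC_VERSION or CONFIG_CLANG_VERSION' branch with a misleading message. Taking the value from the line itself avoids both: `gcc_version = line.rstrip('\n').split('=', 1)[1]` (and likewise for clang), iterating `for line in f:` instead of `f.readlines()`. The helper checks `efi_not_set`, `cc_is_gcc` and `cc_is_clang` now carry `'-'` as reason and decision, presumably only because the constructor rejects empty strings; a comment saying they exist to be nested in `OR`/`AND` and must not be appended to `l` on their own would explain the placeholders (`add_kconfig_checks` continues beyond this hunk, so I cannot verify that none of them is).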
@@ -345,9 +364,13 @@ def add_kconfig_checks(l, arch):
 if arch in ('X86_64', 'ARM64'):
 l += [KconfigCheck('self_protection', 'defconfig', 'VMAP_STACK', 'y')]
 if arch in ('X86_64', 'X86_32'):
+ l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE', 'y')]
+ l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE_INTEL', 'y')]
+ l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE_AMD', 'y')]
 l += [KconfigCheck('self_protection', 'defconfig', 'MICROCODE', 'y')] # is needed for mitigating CPU bugs
 l += [KconfigCheck('self_protection', 'defconfig', 'RETPOLINE', 'y')]
- l += [KconfigCheck('self_protection', 'defconfig', 'X86_SMAP', 'y')]
+ l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_SMAP', 'y'),
+ VersionCheck((5, 19)))] # X86_SMAP is enabled by default since v5.19
 l += [KconfigCheck('self_protection', 'defconfig', 'SYN_COOKIES', 'y')] # another reason?
 l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_UMIP', 'y'),
 KconfigCheck('self_protection', 'defconfig', 'X86_INTEL_UMIP', 'y'))]
@@ -374,13 +397,13 @@ def add_kconfig_checks(l, arch):
 VersionCheck((5, 10)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10
 l += [KconfigCheck('self_protection', 'defconfig', 'MITIGATE_SPECTRE_BRANCH_HISTORY', 'y')]
 l += [KconfigCheck('self_protection', 'defconfig', 'ARM64_MTE', 'y')]
+ l += [KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_MODULE_REGION_FULL', 'y')]
 if arch == 'ARM':
 l += [KconfigCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')]
 l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')]
 l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_HISTORY', 'y')]
 # 'self_protection', 'kspp'
- l += [KconfigCheck('self_protection', 'kspp', 'SECURITY_DMESG_RESTRICT', 'y')]
 l += [KconfigCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')]
 l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_WX', 'y')]
 l += [KconfigCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y')]
@@ -389,17 +412,26 @@ def add_kconfig_checks(l, arch):
 l += [KconfigCheck('self_protection', 'kspp', 'SHUFFLE_PAGE_ALLOCATOR', 'y')]
 l += [KconfigCheck('self_protection', 'kspp', 'FORTIFY_SOURCE', 'y')]
 l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_LIST', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_VIRTUAL', 'y')]
 l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_SG', 'y')]
 l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_CREDENTIALS', 'y')]
 l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y')]
 l += [KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y')]
- l += [KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y')]
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y'),
+ gcc_plugins_support_is_set)]
 l += [KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y')]
 l += [KconfigCheck('self_protection', 'kspp', 'WERROR', 'y')]
 l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_PASSTHROUGH', 'is not set')] # true if IOMMU_DEFAULT_DMA_STRICT is set
 l += [KconfigCheck('self_protection', 'kspp', 'ZERO_CALL_USED_REGS', 'y')]
- randstruct_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y')
+ l += [KconfigCheck('self_protection', 'kspp', 'HW_RANDOM_TPM', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support
+ randstruct_is_set = OR(KconfigCheck('self_protection', 'kspp', 'RANDSTRUCT_FULL', 'y'),
+ KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y'))
 l += [randstruct_is_set]
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'RANDSTRUCT_PERFORMANCE', 'is not set'),
+ KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'),
+ randstruct_is_set)]
 hardened_usercopy_is_set = KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y')
l += [hardened_usercopy_is_set]
 l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'),
@@ -423,9 +455,34 @@ def add_kconfig_checks(l, arch):
 # Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks
 # the 0xAA poison pattern on allocation.
 # That brings higher performance penalty.
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'EFI_DISABLE_PCI_DMA', 'y'),
+ efi_not_set)]
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'RESET_ATTACK_MITIGATION', 'y'),
+ efi_not_set)] # needs userspace support (systemd)
+ ubsan_bounds_is_set = KconfigCheck('self_protection', 'kspp', 'UBSAN_BOUNDS', 'y')
+ l += [ubsan_bounds_is_set]
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'UBSAN_LOCAL_BOUNDS', 'y'),
+ AND(ubsan_bounds_is_set,
+ cc_is_gcc))]
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'UBSAN_TRAP', 'y'),
+ ubsan_bounds_is_set,
+ KconfigCheck('self_protection', 'kspp', 'UBSAN_SHIFT', 'is not set'),
+ KconfigCheck('self_protection', 'kspp', 'UBSAN_DIV_ZERO', 'is not set'),
+ KconfigCheck('self_protection', 'kspp', 'UBSAN_UNREACHABLE', 'is not set'),
+ KconfigCheck('self_protection', 'kspp', 'UBSAN_BOOL', 'is not set'),
+ KconfigCheck('self_protection', 'kspp', 'UBSAN_ENUM', 'is not set'),
+ KconfigCheck('self_protection', 'kspp', 'UBSAN_ALIGNMENT', 'is not set'))] # only array index bounds checking with traps
 if arch in ('X86_64', 'ARM64', 'X86_32'):
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'UBSAN_SANITIZE_ALL', 'y'),
+ ubsan_bounds_is_set)] # ARCH_HAS_UBSAN_SANITIZE_ALL is not enabled for ARM
 stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y')
- l += [stackleak_is_set]
+ l += [AND(stackleak_is_set, gcc_plugins_support_is_set)]
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'STACKLEAK_METRICS', 'is not set'),
+ stackleak_is_set,
+ gcc_plugins_support_is_set)]
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'STACKLEAK_RUNTIME_DISABLE', 'is not set'),
+ stackleak_is_set,
+ gcc_plugins_support_is_set)]
 l += [KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT',
'y')]
 if arch in ('X86_64', 'X86_32'):
 l += [KconfigCheck('self_protection', 'kspp', 'SCHED_CORE', 'y')]
@@ -440,30 +497,8 @@ def add_kconfig_checks(l, arch):
 l += [KconfigCheck('self_protection', 'kspp', 'HIGHMEM64G', 'y')]
 l += [KconfigCheck('self_protection', 'kspp', 'X86_PAE', 'y')]
- # 'self_protection', 'maintainer'
- ubsan_bounds_is_set = KconfigCheck('self_protection', 'maintainer', 'UBSAN_BOUNDS', 'y') # only array index bounds checking
- l += [ubsan_bounds_is_set] # recommended by Kees Cook in /issues/53
- if arch in ('X86_64', 'ARM64', 'X86_32'): # ARCH_HAS_UBSAN_SANITIZE_ALL is not enabled for ARM
- l += [AND(KconfigCheck('self_protection', 'maintainer', 'UBSAN_SANITIZE_ALL', 'y'),
- ubsan_bounds_is_set)] # recommended by Kees Cook in /issues/53
- l += [AND(KconfigCheck('self_protection', 'maintainer', 'UBSAN_TRAP', 'y'),
- ubsan_bounds_is_set)] # recommended by Kees Cook in /issues/53
- # 'self_protection', 'clipos'
- l += [KconfigCheck('self_protection', 'clipos', 'DEBUG_VIRTUAL', 'y')]
- l += [KconfigCheck('self_protection', 'clipos', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support
- l += [OR(KconfigCheck('self_protection', 'clipos', 'EFI_DISABLE_PCI_DMA', 'y'),
- efi_not_set)]
- l += [KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set')] # slab_nomerge
- l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_BOOTLOADER', 'is not set')]
- l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_CPU', 'is not set')]
- l += [AND(KconfigCheck('self_protection', 'clipos', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'),
- randstruct_is_set)]
- if arch in ('X86_64', 'ARM64', 'X86_32'):
- l += [AND(KconfigCheck('self_protection', 'clipos', 'STACKLEAK_METRICS', 'is not set'),
- stackleak_is_set)]
- l += [AND(KconfigCheck('self_protection', 'clipos', 'STACKLEAK_RUNTIME_DISABLE', 'is not set'),
- stackleak_is_set)]
+ l += [KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set')]
 if arch in ('X86_64', 'X86_32'):
 l += [AND(KconfigCheck('self_protection', 'clipos', 'INTEL_IOMMU_DEFAULT_ON',
'y'),
 iommu_support_is_set)]
@@ -475,14 +510,12 @@ def add_kconfig_checks(l, arch):
 iommu_support_is_set)]
 # 'self_protection', 'my'
- l += [OR(KconfigCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y'),
- efi_not_set)] # needs userspace support (systemd)
 if arch == 'X86_64':
 l += [KconfigCheck('self_protection', 'my', 'SLS', 'y')] # vs CVE-2021-26341 in Straight-Line-Speculation
 l += [AND(KconfigCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'),
 iommu_support_is_set)]
 if arch == 'ARM64':
- l += [KconfigCheck('self_protection', 'my', 'SHADOW_CALL_STACK', 'y')] # depends on clang, maybe it's alternative to STACKPROTECTOR_STRONG
+ l += [KconfigCheck('self_protection', 'my', 'SHADOW_CALL_STACK', 'y')] # maybe it's alternative to STACKPROTECTOR_STRONG
 l += [KconfigCheck('self_protection', 'my', 'KASAN_HW_TAGS', 'y')]
 cfi_clang_is_set = KconfigCheck('self_protection', 'my', 'CFI_CLANG', 'y')
 l += [cfi_clang_is_set]
@@ -495,16 +528,14 @@ def add_kconfig_checks(l, arch):
 if arch == 'ARM':
 l += [KconfigCheck('security_policy', 'kspp', 'SECURITY', 'y')] # and choose your favourite LSM
 l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_YAMA', 'y')]
+ l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_LANDLOCK', 'y')]
 l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DISABLE', 'is not set')]
- l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM', 'y')]
- l += [KconfigCheck('security_policy', 'clipos', 'SECURITY_LOCKDOWN_LSM_EARLY', 'y')]
- l += [KconfigCheck('security_policy', 'clipos', 'LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y')]
- l += [KconfigCheck('security_policy', 'my', 'SECURITY_WRITABLE_HOOKS', 'is not set')] # refers to SECURITY_SELINUX_DISABLE
- l += [KconfigCheck('security_policy', 'my', 'SECURITY_SAFESETID', 'y')]
- loadpin_is_set = KconfigCheck('security_policy', 'my', 'SECURITY_LOADPIN', 'y')
- l += [loadpin_is_set] # needs userspace support
- l += [AND(KconfigCheck('security_policy', 'my', 'SECURITY_LOADPIN_ENFORCE', 'y'),
- loadpin_is_set)]
+ l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_BOOTPARAM', 'is not set')]
+ l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_SELINUX_DEVELOP', 'is not set')]
+ l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_LOCKDOWN_LSM', 'y')]
+ l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_LOCKDOWN_LSM_EARLY', 'y')]
+ l += [KconfigCheck('security_policy', 'kspp', 'LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y')]
+ l += [KconfigCheck('security_policy', 'kspp', 'SECURITY_WRITABLE_HOOKS', 'is not set')] # refers to SECURITY_SELINUX_DISABLE
 # 'cut_attack_surface', 'defconfig'
 l += [OR(KconfigCheck('cut_attack_surface', 'defconfig', 'BPF_UNPRIV_DEFAULT_OFF', 'y'),
@@ -516,6 +547,7 @@ def add_kconfig_checks(l, arch):
 devmem_not_set)] # refers to LOCKDOWN
 # 'cut_attack_surface', 'kspp'
+ l += [KconfigCheck('cut_attack_surface', 'kspp', 'SECURITY_DMESG_RESTRICT', 'y')]
 l += [KconfigCheck('cut_attack_surface', 'kspp', 'ACPI_CUSTOM_METHOD', 'is not set')] # refers to LOCKDOWN
 l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_BRK', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'kspp', 'DEVKMEM', 'is not set')] # refers to LOCKDOWN
@@ -605,6 +637,7 @@ def add_kconfig_checks(l, arch):
 l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_IOPL_IOPERM', 'is not set')] # refers to LOCKDOWN
 l += [KconfigCheck('cut_attack_surface', 'clipos', 'ACPI_TABLE_UPGRADE', 'is not set')] # refers to LOCKDOWN
 l += [KconfigCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'clipos', 'COREDUMP', 'is not set')] # cut userspace attack surface
 l += [AND(KconfigCheck('cut_attack_surface', 'clipos', 'LDISC_AUTOLOAD', 'is not set'),
 KconfigCheck('cut_attack_surface', 'clipos', 'LDISC_AUTOLOAD'))] # option presence check
 if arch in ('X86_64', 'X86_32'):
@@ -626,12 +659,16 @@ def add_kconfig_checks(l, arch):
 l += [KconfigCheck('cut_attack_surface', 'my', 'FTRACE', 'is not set')] # refers to LOCKDOWN
 l += [KconfigCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger
+ l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')]
 # 'harden_userspace'
 if arch in ('X86_64', 'ARM64', 'X86_32'):
 l += [KconfigCheck('harden_userspace', 'defconfig', 'INTEGRITY', 'y')]
 if arch == 'ARM':
 l += [KconfigCheck('harden_userspace', 'my', 'INTEGRITY', 'y')]
+ if arch == 'ARM64':
+ l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_PTR_AUTH', 'y')]
+ l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_BTI', 'y')]
 if arch in ('ARM', 'X86_32'):
 l += [KconfigCheck('harden_userspace', 'defconfig', 'VMSPLIT_3G', 'y')]
 if arch in ('X86_64', 'ARM64'):
@@ -639,7 +676,93 @@ def add_kconfig_checks(l, arch):
 if arch in ('X86_32', 'ARM'):
 l += [KconfigCheck('harden_userspace', 'my', 'ARCH_MMAP_RND_BITS', '16')]
-# l += [KconfigCheck('feature_test', 'my', 'LKDTM', 'm')] # only for debugging!
+
+def add_cmdline_checks(l, arch):
+ # Calling the CmdlineCheck class constructor:
+ # CmdlineCheck(reason, decision, name, expected)
+ #
+ # [!] Don't add CmdlineChecks in add_kconfig_checks() to avoid wrong results
+ # when the tool doesn't check the cmdline.
+ #
+ # [!] Make sure that values of the options in CmdlineChecks need normalization.
+ # For more info see normalize_cmdline_options().
+ #
+ # A common pattern for checking the 'param_x' cmdline parameter
+ # that __overrides__ the 'PARAM_X_DEFAULT' kconfig option:
+ # l += [OR(CmdlineCheck(reason, decision, 'param_x', '1'),
+ # AND(KconfigCheck(reason, decision, 'PARAM_X_DEFAULT_ON', 'y'),
+ # CmdlineCheck(reason, decision, 'param_x, 'is not set')))]
+ #
+ # Here we don't check the kconfig options or minimal kernel version
+ # required for the cmdline parameters. That would make the checks
+ # very complex and not give a 100% guarantee anyway.
+
+ # 'self_protection', 'defconfig'
+ l += [CmdlineCheck('self_protection', 'defconfig', 'nosmep', 'is not set')]
+ l += [CmdlineCheck('self_protection', 'defconfig', 'nosmap', 'is not set')]
+ l += [CmdlineCheck('self_protection', 'defconfig', 'nokaslr', 'is not set')]
+ l += [CmdlineCheck('self_protection', 'defconfig', 'nopti', 'is not set')]
+ l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_v1', 'is not set')]
+ l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_v2', 'is not set')]
+ if arch == 'ARM64':
+ l += [OR(CmdlineCheck('self_protection', 'defconfig', 'rodata', 'full'),
+ AND(KconfigCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y'),
+ CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set')))]
+ else:
+ l += [OR(CmdlineCheck('self_protection', 'defconfig', 'rodata', '1'),
+ CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set'))]
+
+ # 'self_protection', 'kspp'
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', '1'),
+ AND(KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y'),
+ CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', 'is not set')))]
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'init_on_free', '1'),
+ AND(KconfigCheck('self_protection', 'kspp', 'INIT_ON_FREE_DEFAULT_ON', 'y'),
+ CmdlineCheck('self_protection', 'kspp', 'init_on_free', 'is not set')),
+ AND(CmdlineCheck('self_protection', 'kspp', 'page_poison', '1'),
+ KconfigCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'),
+ CmdlineCheck('self_protection', 'kspp', 'slub_debug', 'P')))]
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_nomerge'),
+ AND(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'),
+ CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set')))] # option presence check
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'iommu.strict', '1'),
+ AND(KconfigCheck('self_protection', 'kspp',
'IOMMU_DEFAULT_DMA_STRICT', 'y'),
+ CmdlineCheck('self_protection', 'kspp', 'iommu.strict', 'is not set')))]
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'iommu.passthrough', '0'),
+ AND(KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_PASSTHROUGH', 'is not set'),
+ CmdlineCheck('self_protection', 'kspp', 'iommu.passthrough', 'is not set')))]
+ # The cmdline checks compatible with the kconfig recommendations of the KSPP project...
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'hardened_usercopy', '1'),
+ AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y'),
+ CmdlineCheck('self_protection', 'kspp', 'hardened_usercopy', 'is not set')))]
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', '0'),
+ AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'),
+ CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', 'is not set')))]
+ # ... the end
+ if arch in ('X86_64', 'ARM64', 'X86_32'):
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', '1'),
+ AND(KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y'),
+ CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', 'is not set')))]
+ if arch in ('X86_64', 'X86_32'):
+ l += [AND(CmdlineCheck('self_protection', 'kspp', 'pti', 'on'),
+ CmdlineCheck('self_protection', 'defconfig', 'nopti', 'is not set'))]
+
+ # 'self_protection', 'clipos'
+ l += [CmdlineCheck('self_protection', 'clipos', 'page_alloc.shuffle', '1')]
+ if arch in ('X86_64', 'X86_32'):
+ l += [AND(CmdlineCheck('self_protection', 'clipos', 'spectre_v2', 'on'),
+ CmdlineCheck('self_protection', 'defconfig', 'nospectre_v2', 'is not set'))]
+
+ # 'cut_attack_surface', 'kspp'
+ if arch == 'X86_64':
+ l += [OR(CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'none'),
+ AND(KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'),
+ CmdlineCheck('cut_attack_surface', 'kspp',
'vsyscall', 'is not set')))]
+
+ # 'cut_attack_surface', 'grsec'
+ # The cmdline checks compatible with the kconfig options disabled by grsecurity...
+ l += [OR(CmdlineCheck('cut_attack_surface', 'grsec', 'debugfs', 'off'),
+ KconfigCheck('cut_attack_surface', 'grsec', 'DEBUG_FS', 'is not set'))] # ... the end
 def print_unknown_options(checklist, parsed_options):
@@ -655,8 +778,8 @@ def print_unknown_options(checklist, parsed_options):
 known_options.append(o2.name)
 continue
 for o3 in o2.opts:
- if o3.type == 'complex':
- sys.exit('[!] ERROR: unexpected ComplexOptCheck inside {}'.format(o2.name))
+ assert(o3.type != 'complex'), \
+ 'unexpected ComplexOptCheck inside {}'.format(o2.name)
 if hasattr(o3, 'name'):
 known_options.append(o3.name)
@@ -714,20 +837,22 @@ def print_checklist(mode, checklist, with_results):
 def populate_simple_opt_with_data(opt, data, data_type):
- if opt.type == 'complex':
- sys.exit('[!] ERROR: unexpected ComplexOptCheck {}: {}'.format(opt.name, vars(opt)))
- if data_type not in TYPES_OF_CHECKS:
- sys.exit('[!] ERROR: invalid data type "{}"'.format(data_type))
+ assert(opt.type != 'complex'), \
+ 'unexpected ComplexOptCheck "{}"'.format(opt.name)
+ assert(opt.type in SIMPLE_OPTION_TYPES), \
+ 'invalid opt type "{}"'.format(opt.type)
+ assert(data_type in SIMPLE_OPTION_TYPES), \
+ 'invalid data type "{}"'.format(data_type)
 if data_type != opt.type:
 return
- if data_type == 'kconfig':
+ if data_type in ('kconfig', 'cmdline'):
 opt.state = data.get(opt.name, None)
- elif data_type == 'version':
- opt.ver = data
 else:
- sys.exit('[!] ERROR: unexpected data type "{}"'.format(data_type))
+ assert(data_type == 'version'), \
+ 'unexpected data type "{}"'.format(data_type)
+ opt.ver = data
 def populate_opt_with_data(opt, data, data_type):
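Review bot: The usage example in the header comment of `add_cmdline_checks` has an unbalanced quote, `CmdlineCheck(reason, decision, 'param_x, 'is not set')`, which would be a syntax error if copied into a real check; it should read `CmdlineCheck(reason, decision, 'param_x', 'is not set')`. In the `slab_nomerge` check the nested `KconfigCheck` carries decision `'clipos'` while every other member of that `OR` is `'kspp'`, which looks carried over from the kconfig section rather than chosen, and the trailing `# option presence check` describes the first `CmdlineCheck` (no `expected` argument) rather than the line it sits on. The `slub_debug` alternative inside the `init_on_free` check expects the value `'P'` exactly; if I read the kernel's slub_debug parsing correctly several flag letters can be combined (e.g. `slub_debug=FZP`), which this check would report as a failure although poisoning is enabled, so that limitation deserves a comment next to the check.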
@@ -739,8 +864,8 @@ def populate_opt_with_data(opt, data, data_type):
 else:
 populate_simple_opt_with_data(o, data, data_type)
 else:
- if opt.type != 'kconfig':
- sys.exit('[!] ERROR: bad type "{}" for a simple check {}'.format(opt.type, opt.name))
+ assert(opt.type in ('kconfig', 'cmdline')), \
+ 'bad type "{}" for a simple check'.format(opt.type)
 populate_simple_opt_with_data(opt, data, data_type)
@@ -766,6 +891,8 @@ def parse_kconfig_file(parsed_options, fname):
 if opt_is_on.match(line):
 option, value = line.split('=', 1)
+ if value == 'is not set':
+ sys.exit('[!] ERROR: bad enabled kconfig option "{}"'.format(line))
 elif opt_is_off.match(line):
 option, value = line[2:].split(' ', 1)
 if value != 'is not set':
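Review bot: The new `if value == 'is not set':` guard in `parse_kconfig_file` rejects a line such as `CONFIG_X=is not set` (assuming `opt_is_on`, defined outside the hunk, admits it), but the reason is not obvious to a reader who does not know that the checks use that exact string as the marker for a disabled option; `parse_kconfig_file` starts outside this hunk. A comment would make the intent explicit: `# 'is not set' is the parser's own marker for a disabled option (see the opt_is_off branch); a literal value equal to it would satisfy every 'is not set' check`.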
@@ -778,6 +905,48 @@ def parse_kconfig_file(parsed_options, fname):
 parsed_options[option] = value
+def normalize_cmdline_options(option, value):
+ # Don't normalize the cmdline option values if
+ # the Linux kernel doesn't use kstrtobool() for them
+ if option == 'pti':
+ # See pti_check_boottime_disable() in linux/arch/x86/mm/pti.c
+ return value
+ if option == 'spectre_v2':
+ # See spectre_v2_parse_cmdline() in linux/arch/x86/kernel/cpu/bugs.c
+ return value
+ if option == 'debugfs':
+ # See debugfs_kernel() in fs/debugfs/inode.c
+ return value
+
+ # Implement a limited part of the kstrtobool() logic
+ if value in ('1', 'on', 'On', 'ON', 'y', 'Y', 'yes', 'Yes', 'YES'):
+ return '1'
+ if value in ('0', 'off', 'Off', 'OFF', 'n', 'N', 'no', 'No', 'NO'):
+ return '0'
+
+ # Preserve unique values
+ return value
+
+
+def parse_cmdline_file(parsed_options, fname):
+ with open(fname, 'r') as f:
+ line = f.readline()
+ opts = line.split()
+
+ line = f.readline()
+ if line:
+ sys.exit('[!] ERROR: more than one line in "{}"'.format(fname))
+
+ for opt in opts:
+ if '=' in opt:
+ name, value = opt.split('=', 1)
+ else:
+ name = opt
+ value = '' # '' is not None
+ value = normalize_cmdline_options(name, value)
+ parsed_options[name] = value
+
+
 def main():
 # Report modes:
 # * verbose mode for
@@ -793,6 +962,8 @@ def main():
 help='print security hardening preferences for the selected architecture')
 parser.add_argument('-c', '--config',
 help='check the kernel kconfig file against these preferences')
+ parser.add_argument('-l', '--cmdline',
+ help='check the kernel cmdline file against these preferences')
 parser.add_argument('-m', '--mode', choices=report_modes,
 help='choose the report mode')
 args = parser.parse_args()
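Review bot: `parse_cmdline_file` tokenises the line with `line.split()`, whereas the kernel's parameter parser keeps a double-quoted value containing spaces as a single `param="a b"` argument; whitespace splitting mangles such a value and turns its tail into additional bogus parameter names, so a quoted value can make a `CmdlineCheck` compare against the wrong string and produce spurious unknown options. `shlex.split(line)` (with `import shlex`) models that quoting closely enough for these checks; otherwise the limitation should be documented next to the call. An empty cmdline file is also accepted silently — `f.readline()` returns `''`, `opts` is empty and every cmdline check then runs against nothing — so add `if not opts: sys.exit('[!] ERROR: empty cmdline file "{}"'.format(fname))` after `opts = line.split()`. A header comment on `normalize_cmdline_options` stating that its return value is what `CmdlineCheck.expected` is compared against, so expected values in `add_cmdline_checks` must be written in normalized form, would tie the two functions together.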
@@ -806,8 +977,13 @@ def main():
 config_checklist = []
 if args.config:
+ if args.print:
+ sys.exit('[!] ERROR: --config and --print can\'t be used together')
+
 if mode != 'json':
 print('[+] Kconfig file to check: {}'.format(args.config))
+ if args.cmdline:
+ print('[+] Kernel cmdline file to check: {}'.format(args.cmdline))
 arch, msg = detect_arch(args.config, supported_archs)
 if not arch:
@@ -815,21 +991,38 @@ def main():
 if mode != 'json':
 print('[+] Detected architecture: {}'.format(arch))
- kernel_version, msg = detect_version(args.config)
+ kernel_version, msg = detect_kernel_version(args.config)
 if not kernel_version:
 sys.exit('[!] ERROR: {}'.format(msg))
 if mode != 'json':
 print('[+] Detected kernel version: {}.{}'.format(kernel_version[0], kernel_version[1]))
+ compiler, msg = detect_compiler(args.config)
+ if mode != 'json':
+ if compiler:
+ print('[+] Detected compiler: {}'.format(compiler))
+ else:
+ print('[-] Can\'t detect the compiler: {}'.format(msg))
+
 # add relevant kconfig checks to the checklist
 add_kconfig_checks(config_checklist, arch)
+ if args.cmdline:
+ # add relevant cmdline checks to the checklist
+ add_cmdline_checks(config_checklist, arch)
+
 # populate the checklist with the parsed kconfig data
 parsed_kconfig_options = OrderedDict()
 parse_kconfig_file(parsed_kconfig_options, args.config)
 populate_with_data(config_checklist, parsed_kconfig_options, 'kconfig')
 populate_with_data(config_checklist, kernel_version, 'version')
+ if args.cmdline:
+ # populate the checklist with the parsed kconfig data
+ parsed_cmdline_options = OrderedDict()
+ parse_cmdline_file(parsed_cmdline_options, args.cmdline)
+ populate_with_data(config_checklist, parsed_cmdline_options, 'cmdline')
+
 # now everything is ready for performing the checks
 perform_checks(config_checklist)
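Review bot: The comment under the second `if args.cmdline:` block, `# populate the checklist with the parsed kconfig data`, is a copy of the comment above it and should read `# populate the checklist with the parsed cmdline data`. Also in this hunk the result of `detect_compiler` is only printed: the compiler-dependent checks added elsewhere in the commit rely on the `CC_IS_GCC`/`CC_IS_CLANG` kconfig options instead, and a config where `CONFIG_GCC_VERSION` and `CONFIG_CLANG_VERSION` are both non-zero (or both zero) makes `detect_compiler` call `sys.exit()` even in json mode, while a missing pair only produces the `[-] Can't detect the compiler` line. A comment next to the call stating that detection is informational and why the mixed case is fatal would make that asymmetry deliberate rather than accidental; `main` continues outside this hunk.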
@@ -839,12 +1032,15 @@ def main():
 print_checklist(mode, config_checklist, True)
 sys.exit(0)
+ elif args.cmdline:
+ sys.exit('[!] ERROR: checking cmdline doesn\'t work without checking kconfig')
 if args.print:
 if mode in ('show_ok', 'show_fail'):
 sys.exit('[!] ERROR: wrong mode "{}" for --print'.format(mode))
 arch = args.print
 add_kconfig_checks(config_checklist, arch)
+ add_cmdline_checks(config_checklist, arch)
 if mode != 'json':
 print('[+] Printing kernel security hardening preferences for {}...'.format(arch))
 print_checklist(mode, config_checklist, False)
@@ -852,6 +1048,3 @@ def main():
 parser.print_help()
 sys.exit(0)
-
-if __name__ == '__main__':
- main()