X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=7db4f5db98815a14e475a61fd7a40831ad897542;hb=b68df4d3611bc9f2a4c501191616c2b92f38c80c;hp=32b3198e065eebf6da0e245b36ac93ac47ce28a3;hpb=70975c3993bd256a8ea0044c836a78ae0aafd7ab;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 32b3198..7db4f5d 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -81,6 +81,7 @@ import re import json from .__about__ import __version__ +TYPES_OF_CHECKS = ('kconfig', 'version') class OptCheck: def __init__(self, reason, decision, name, expected): @@ -122,12 +123,16 @@ class KconfigCheck(OptCheck): return 'kconfig' -class VerCheck: +class VersionCheck: def __init__(self, ver_expected): self.ver_expected = ver_expected self.ver = () self.result = None + @property + def type(self): + return 'version' + def check(self): if self.ver[0] > self.ver_expected[0]: self.result = 'OK: version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1]) @@ -150,10 +155,11 @@ class VerCheck: class PresenceCheck: def __init__(self, name, type): - if type == 'kconfig': + self.type = type + if self.type == 'kconfig': self.name = 'CONFIG_' + name else: - self.name = name + sys.exit('[!] ERROR: unsupported type "{}" for {}'.format(type, self.__class__.__name__)) self.state = None self.result = None @@ -175,6 +181,8 @@ class ComplexOptCheck: self.opts = opts if not self.opts: sys.exit('[!] ERROR: empty {} check'.format(self.__class__.__name__)) + if len(self.opts) == 1: + sys.exit('[!] ERROR: useless {} check'.format(self.__class__.__name__)) if not isinstance(opts[0], KconfigCheck): sys.exit('[!] ERROR: invalid {} check: {}'.format(self.__class__.__name__, opts)) self.result = None @@ -185,7 +193,7 @@ class ComplexOptCheck: @property def type(self): - return self.opts[0].type + return 'complex' @property def expected(self): @@ -318,7 +326,7 @@ def add_kconfig_checks(l, arch): KconfigCheck('self_protection', 'defconfig', 'DEBUG_SET_MODULE_RONX', 'y'), modules_not_set)] # DEBUG_SET_MODULE_RONX was before v4.11 l += [OR(KconfigCheck('self_protection', 'defconfig', 'REFCOUNT_FULL', 'y'), - VerCheck((5, 5)))] # REFCOUNT_FULL is enabled by default since v5.5 + VersionCheck((5, 5)))] # REFCOUNT_FULL is enabled by default since v5.5 iommu_support_is_set = KconfigCheck('self_protection', 'defconfig', 'IOMMU_SUPPORT', 'y') l += [iommu_support_is_set] # is needed for mitigating DMA attacks if arch in ('X86_64', 'ARM64', 'X86_32'): @@ -348,12 +356,12 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('self_protection', 'defconfig', 'UNMAP_KERNEL_AT_EL0', 'y')] l += [OR(KconfigCheck('self_protection', 'defconfig', 'HARDEN_EL2_VECTORS', 'y'), AND(KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_BASE', 'y'), - VerCheck((5, 9))))] # HARDEN_EL2_VECTORS was included in RANDOMIZE_BASE in v5.9 + VersionCheck((5, 9))))] # HARDEN_EL2_VECTORS was included in RANDOMIZE_BASE in v5.9 l += [KconfigCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'ARM64_PTR_AUTH_KERNEL', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'ARM64_BTI_KERNEL', 'y')] l += [OR(KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y'), - VerCheck((5, 10)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10 + VersionCheck((5, 10)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10 l += [KconfigCheck('self_protection', 'defconfig', 'ARM64_MTE', 'y')] if arch == 'ARM': l += [KconfigCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')] @@ -614,16 +622,25 @@ def add_kconfig_checks(l, arch): def print_unknown_options(checklist, parsed_options): known_options = [] - for opt in checklist: - if hasattr(opt, 'opts'): - for o in opt.opts: - if hasattr(o, 'name'): - known_options.append(o.name) - else: - known_options.append(opt.name) + + for o1 in checklist: + if not hasattr(o1, 'opts'): + known_options.append(o1.name) + continue + for o2 in o1.opts: + if not hasattr(o2, 'opts'): + if hasattr(o2, 'name'): + known_options.append(o2.name) + continue + for o3 in o2.opts: + if hasattr(o3, 'opts'): + sys.exit('[!] ERROR: unexpected ComplexOptCheck inside {}'.format(o2.name)) + if hasattr(o3, 'name'): + known_options.append(o3.name) + for option, value in parsed_options.items(): if option not in known_options: - print('[?] No rule for option {} ({})'.format(option, value)) + print('[?] No check for option {} ({})'.format(option, value)) def print_checklist(mode, checklist, with_results): @@ -677,27 +694,37 @@ def print_checklist(mode, checklist, with_results): print('[+] Config check is finished: \'OK\' - {}{} / \'FAIL\' - {}{}'.format(ok_count, ok_suppressed, fail_count, fail_suppressed)) -def populate_opt_with_data(opt, parsed_options, kernel_version): +def populate_simple_opt_with_data(opt, data, data_type): + if hasattr(opt, 'opts'): + sys.exit('[!] ERROR: unexpected ComplexOptCheck {}: {}'.format(opt.name, vars(opt))) + if data_type not in TYPES_OF_CHECKS: + sys.exit('[!] ERROR: invalid data type "{}"'.format(data_type)) + if data_type != opt.type: + return + if data_type == 'kconfig': + opt.state = data.get(opt.name, None) + elif data_type == 'version': + opt.ver = data + + +def populate_opt_with_data(opt, data, data_type): if hasattr(opt, 'opts'): - # prepare ComplexOptCheck for o in opt.opts: if hasattr(o, 'opts'): - # Recursion for nested ComplexOptChecks - populate_opt_with_data(o, parsed_options, kernel_version) - if hasattr(o, 'state'): - o.state = parsed_options.get(o.name, None) - if hasattr(o, 'ver'): - o.ver = kernel_version + # Recursion for nested ComplexOptCheck objects + populate_opt_with_data(o, data, data_type) + else: + populate_simple_opt_with_data(o, data, data_type) else: - # prepare simple check, opt.state is mandatory + # The 'state' is mandatory for simple checks if not hasattr(opt, 'state'): sys.exit('[!] ERROR: bad simple check {}'.format(vars(opt))) - opt.state = parsed_options.get(opt.name, None) + populate_simple_opt_with_data(opt, data, data_type) -def populate_with_data(checklist, parsed_options, kernel_version): +def populate_with_data(checklist, data, data_type): for opt in checklist: - populate_opt_with_data(opt, parsed_options, kernel_version) + populate_opt_with_data(opt, data, data_type) def perform_checks(checklist): @@ -780,7 +807,8 @@ def main(): # populate the checklist with the parsed kconfig data parsed_kconfig_options = OrderedDict() parse_kconfig_file(parsed_kconfig_options, args.config) - populate_with_data(config_checklist, parsed_kconfig_options, kernel_version) + populate_with_data(config_checklist, parsed_kconfig_options, 'kconfig') + populate_with_data(config_checklist, kernel_version, 'version') # now everything is ready for performing the checks perform_checks(config_checklist)