X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=9434c68fc5b200e5028e783a43fa95d0b2bc01c8;hb=f1b6218bc2997e54b408a46e7cc3083c3fb0ecff;hp=673cb5224c9f8e02845859ce542f57dd0a835ac2;hpb=145f48a093338f00273e4a21477dddc34284ddd6;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 673cb52..9434c68 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -10,31 +10,9 @@ # Please don't cry if my Python code looks like C. # # -# N.B Hardening command line parameters: +# N.B Missing hardening command line parameters: # iommu=force (does it help against DMA attacks?) # -# The list of disabled mitigations of CPU vulnerabilities: -# mitigations=off -# pti=off -# spectre_v2=off -# spectre_v2_user=off -# spec_store_bypass_disable=off -# l1tf=off -# mds=off -# tsx_async_abort=off -# srbds=off -# mmio_stale_data=off -# retbleed=off -# nopti -# nokaslr -# nospectre_v1 -# nospectre_v2 -# nospectre_bhb -# nospec_store_bypass_disable -# kpti=0 -# ssbd=force-off -# nosmt (enabled) -# # Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE): # kasan=on # kasan.stacktrace=off @@ -62,6 +40,7 @@ # fs.suid_dumpable=0 # kernel.modules_disabled=1 # kernel.randomize_va_space = 2 +# nosmt sysfs control file # pylint: disable=missing-module-docstring,missing-class-docstring,missing-function-docstring @@ -402,6 +381,8 @@ def add_kconfig_checks(l, arch): if arch in ('X86_64', 'ARM64'): l += [KconfigCheck('self_protection', 'defconfig', 'VMAP_STACK', 'y')] if arch in ('X86_64', 'X86_32'): + l += [KconfigCheck('self_protection', 'defconfig', 'DEBUG_WX', 'y')] + l += [KconfigCheck('self_protection', 'defconfig', 'WERROR', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE_INTEL', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE_AMD', 'y')] @@ -444,7 +425,6 @@ def add_kconfig_checks(l, arch): # 'self_protection', 'kspp' l += [KconfigCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')] - l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_WX', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_HARDENED', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_RANDOM', 'y')] @@ -457,7 +437,6 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y')] - l += [KconfigCheck('self_protection', 'kspp', 'WERROR', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_PASSTHROUGH', 'is not set')] # true if IOMMU_DEFAULT_DMA_STRICT is set l += [KconfigCheck('self_protection', 'kspp', 'ZERO_CALL_USED_REGS', 'y')] @@ -534,6 +513,8 @@ def add_kconfig_checks(l, arch): l += [AND(KconfigCheck('self_protection', 'kspp', 'INTEL_IOMMU_DEFAULT_ON', 'y'), iommu_support_is_set)] if arch in ('ARM64', 'ARM'): + l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_WX', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'WERROR', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '32768')] l += [KconfigCheck('self_protection', 'kspp', 'SYN_COOKIES', 'y')] # another reason? if arch == 'X86_64': @@ -659,9 +640,6 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD', 'is not set')] # recommended by Denis Efremov in /pull/54 l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD_RAWCMD', 'is not set')] # recommended by Denis Efremov in /pull/62 - # 'cut_attack_surface', 'grapheneos' - l += [KconfigCheck('cut_attack_surface', 'grapheneos', 'AIO', 'is not set')] - # 'cut_attack_surface', 'clipos' l += [KconfigCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'clipos', 'KSM', 'is not set')] # to prevent FLUSH+RELOAD attack