X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=9c709694c84910809b434865ed6d0a46f9f53477;hb=17d70c524dd90f6a1f7e13b730722c59c55d6be1;hp=d8d8f277eb3e32e6c9e4c31c94f045c03864441d;hpb=31767839bbfcd5ddb3eeabe029c587fe767b72a5;p=kconfig-hardened-check.git

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index d8d8f27..9c70969 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -2,7 +2,7 @@
 
 #
 # This tool helps me to check the Linux kernel Kconfig option list
-# against my hardening preferences for X86_64, ARM64, X86_32, and ARM.
+# against my security hardening preferences for X86_64, ARM64, X86_32, and ARM.
 # Let the computers do their job!
 #
 # Author: Alexander Popov <alex.popov@linux.com>
@@ -19,6 +19,7 @@
 #    init_on_free=1 (since v5.3, otherwise slub_debug=P and page_poison=1)
 #    loadpin.enforce=1
 #    debugfs=no-mount (or off if possible)
+#    randomize_kstack_offset=1
 #
 #    Mitigations of CPU vulnerabilities:
 #       Аrch-independent:
@@ -34,6 +35,16 @@
 #           kpti=on
 #           ssbd=force-on
 #
+#    Should NOT be set:
+#           nokaslr
+#           arm64.nobti
+#           arm64.nopauth
+#
+#    Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE):
+#           kasan=on
+#           kasan.stacktrace=off
+#           kasan.fault=panic
+#
 # N.B. Hardening sysctls:
 #    kernel.kptr_restrict=2 (or 1?)
 #    kernel.dmesg_restrict=1 (also see the kconfig option)
@@ -46,6 +57,8 @@
 #    net.core.bpf_jit_harden=2
 #
 #    vm.unprivileged_userfaultfd=0
+#        (at first, it disabled unprivileged userfaultfd,
+#         and since v5.11 it enables unprivileged userfaultfd for user-mode only)
 #
 #    dev.tty.ldisc_autoload=0
 #    fs.protected_symlinks=1
@@ -313,6 +326,7 @@ def construct_checklist(l, arch):
                   iommu_support_is_set)]
     if arch == 'ARM64':
         l += [OptCheck('self_protection', 'defconfig', 'ARM64_PAN', 'y')]
+        l += [OptCheck('self_protection', 'defconfig', 'ARM64_EPAN', 'y')]
         l += [OptCheck('self_protection', 'defconfig', 'UNMAP_KERNEL_AT_EL0', 'y')]
         l += [OR(OptCheck('self_protection', 'defconfig', 'HARDEN_EL2_VECTORS', 'y'),
                  AND(OptCheck('self_protection', 'defconfig', 'RANDOMIZE_BASE', 'y'),
@@ -321,7 +335,8 @@ def construct_checklist(l, arch):
         l += [OptCheck('self_protection', 'defconfig', 'ARM64_PTR_AUTH', 'y')]
         l += [OptCheck('self_protection', 'defconfig', 'ARM64_BTI_KERNEL', 'y')]
         l += [OR(OptCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y'),
-             VerCheck((5, 10)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10
+                 VerCheck((5, 10)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10
+        l += [OptCheck('self_protection', 'defconfig', 'ARM64_MTE', 'y')]
     if arch == 'ARM':
         l += [OptCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')]
         l += [OptCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')]
@@ -358,7 +373,12 @@ def construct_checklist(l, arch):
     l += [OR(OptCheck('self_protection', 'kspp', 'INIT_STACK_ALL_ZERO', 'y'),
              OptCheck('self_protection', 'kspp', 'GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y'))]
     l += [OR(OptCheck('self_protection', 'kspp', 'INIT_ON_FREE_DEFAULT_ON', 'y'),
-             OptCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'))] # before v5.3
+             OptCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'))]
+             # CONFIG_INIT_ON_FREE_DEFAULT_ON was added in v5.3.
+             # CONFIG_PAGE_POISONING_ZERO was removed in v5.11.
+             # Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks
+             # the 0xAA poison pattern on allocation.
+             # That brings higher performance penalty.
     if arch in ('X86_64', 'ARM64', 'X86_32'):
         stackleak_is_set = OptCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y')
         l += [stackleak_is_set]
@@ -403,11 +423,18 @@ def construct_checklist(l, arch):
               OptCheck('self_protection', 'my', 'UBSAN_MISC', 'is not set'),
               OptCheck('self_protection', 'my', 'UBSAN_TRAP', 'y'))]
     l += [OptCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y')] # needs userspace support (systemd)
+    if arch in ('X86_64', 'ARM64', 'X86_32'):
+        l += [OptCheck('self_protection', 'my', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')]
     if arch == 'X86_64':
         l += [AND(OptCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'),
                   iommu_support_is_set)]
     if arch == 'ARM64':
-        l += [OptCheck('self_protection', 'my', 'SHADOW_CALL_STACK', 'y')] # maybe it should be alternative to STACKPROTECTOR_STRONG
+        l += [OptCheck('self_protection', 'my', 'SHADOW_CALL_STACK', 'y')] # depends on clang, maybe it's alternative to STACKPROTECTOR_STRONG
+        l += [OptCheck('self_protection', 'my', 'KASAN_HW_TAGS', 'y')]
+        cfi_clang_is_set = OptCheck('self_protection', 'my', 'CFI_CLANG', 'y')
+        l += [cfi_clang_is_set]
+        l += [AND(OptCheck('self_protection', 'my', 'CFI_PERMISSIVE', 'is not set'),
+                  cfi_clang_is_set)]
 
     # 'security_policy'
     if arch in ('X86_64', 'ARM64', 'X86_32'):
@@ -483,6 +510,7 @@ def construct_checklist(l, arch):
     l += [OptCheck('cut_attack_surface', 'maintainer', 'DRM_LEGACY', 'is not set')]
     l += [OptCheck('cut_attack_surface', 'maintainer', 'FB', 'is not set')]
     l += [OptCheck('cut_attack_surface', 'maintainer', 'VT', 'is not set')]
+    l += [OptCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD', 'is not set')]
 
     # 'cut_attack_surface', 'grapheneos'
     l += [OptCheck('cut_attack_surface', 'grapheneos', 'AIO', 'is not set')]
@@ -663,10 +691,10 @@ def main():
     report_modes = ['verbose', 'json', 'show_ok', 'show_fail']
     supported_archs = ['X86_64', 'X86_32', 'ARM64', 'ARM']
     parser = ArgumentParser(prog='kconfig-hardened-check',
-                            description='Checks the hardening options in the Linux kernel config')
+                            description='A tool for checking the security hardening options of the Linux kernel')
     parser.add_argument('--version', action='version', version='%(prog)s ' + __version__)
     parser.add_argument('-p', '--print', choices=supported_archs,
-                        help='print hardening preferences for selected architecture')
+                        help='print security hardening preferences for the selected architecture')
     parser.add_argument('-c', '--config',
                         help='check the kernel config file against these preferences')
     parser.add_argument('-m', '--mode', choices=report_modes,
@@ -714,7 +742,7 @@ def main():
         arch = args.print
         construct_checklist(config_checklist, arch)
         if mode != 'json':
-            print('[+] Printing kernel hardening preferences for {}...'.format(arch))
+            print('[+] Printing kernel security hardening preferences for {}...'.format(arch))
         print_checklist(mode, config_checklist, False)
         sys.exit(0)