X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=a3fdf0784a950e01ab1b9176efc678842a174cc0;hb=4839f6d57e5c2c181765d57ec11eea74e8c722f1;hp=793e7d31be6137ca90d825b2bd74fa7fb6f1ed2d;hpb=bcca50f59061b45809150debc40490795c167124;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 793e7d3..a3fdf07 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -14,6 +14,8 @@ # slab_nomerge # page_alloc.shuffle=1 # iommu=force (does it help against DMA attacks?) +# iommu.passthrough=0 +# iommu.strict=1 # slub_debug=FZ (slow) # init_on_alloc=1 (since v5.3) # init_on_free=1 (since v5.3, otherwise slub_debug=P and page_poison=1) @@ -314,6 +316,7 @@ def add_kconfig_checks(l, arch): modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set') devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN + bpf_syscall_not_set = KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set') # refers to LOCKDOWN efi_not_set = KconfigCheck('cut_attack_surface', 'my', 'EFI', 'is not set') # 'self_protection', 'defconfig' @@ -386,6 +389,9 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'WERROR', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y')] randstruct_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y') l += [randstruct_is_set] hardened_usercopy_is_set = KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y') @@ -430,8 +436,9 @@ def add_kconfig_checks(l, arch): # 'self_protection', 'maintainer' ubsan_bounds_is_set = KconfigCheck('self_protection', 'maintainer', 'UBSAN_BOUNDS', 'y') # only array index bounds checking l += [ubsan_bounds_is_set] # recommended by Kees Cook in /issues/53 - l += [AND(KconfigCheck('self_protection', 'maintainer', 'UBSAN_SANITIZE_ALL', 'y'), - ubsan_bounds_is_set)] # recommended by Kees Cook in /issues/53 + if arch in ('X86_64', 'ARM64', 'X86_32'): # ARCH_HAS_UBSAN_SANITIZE_ALL is not enabled for ARM + l += [AND(KconfigCheck('self_protection', 'maintainer', 'UBSAN_SANITIZE_ALL', 'y'), + ubsan_bounds_is_set)] # recommended by Kees Cook in /issues/53 l += [AND(KconfigCheck('self_protection', 'maintainer', 'UBSAN_TRAP', 'y'), ubsan_bounds_is_set)] # recommended by Kees Cook in /issues/53 @@ -493,7 +500,8 @@ def add_kconfig_checks(l, arch): loadpin_is_set)] # 'cut_attack_surface', 'defconfig' - l += [KconfigCheck('cut_attack_surface', 'defconfig', 'BPF_UNPRIV_DEFAULT_OFF', 'y')] # see unprivileged_bpf_disabled + l += [OR(KconfigCheck('cut_attack_surface', 'defconfig', 'BPF_UNPRIV_DEFAULT_OFF', 'y'), + bpf_syscall_not_set)] # see unprivileged_bpf_disabled l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP', 'y')] l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP_FILTER', 'y')] if arch in ('X86_64', 'ARM64', 'X86_32'): @@ -595,8 +603,8 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_INTEL_TSX_MODE_OFF', 'y')] # tsx=off # 'cut_attack_surface', 'lockdown' + l += [bpf_syscall_not_set] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'lockdown', 'EFI_TEST', 'is not set')] # refers to LOCKDOWN - l += [KconfigCheck('cut_attack_surface', 'lockdown', 'BPF_SYSCALL', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'lockdown', 'MMIOTRACE_TEST', 'is not set')] # refers to LOCKDOWN l += [KconfigCheck('cut_attack_surface', 'lockdown', 'KPROBES', 'is not set')] # refers to LOCKDOWN