X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=b2893d104f4946ff110d7e28f0a0480ba82c5065;hb=d1a8bb6a7388899f0e593fdafb0bd2dcca11187a;hp=28ab04e105d342f201f51a2986619e739460f8b4;hpb=4c4f25270de55449874e018879652d2fd4668663;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 28ab04e..b2893d1 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -15,15 +15,14 @@ # page_alloc.shuffle=1 # iommu=force (does it help against DMA attacks?) # slub_debug=FZ (slow) -# page_poison=1 (if enabled) -# init_on_alloc=1 -# init_on_free=1 +# init_on_alloc=1 (since v5.3) +# init_on_free=1 (since v5.3, otherwise slub_debug=P and page_poison=1) # loadpin.enforce=1 # debugfs=no-mount (or off if possible) # # Mitigations of CPU vulnerabilities: # Аrch-independent: -# mitigations=auto,nosmt +# mitigations=auto,nosmt (nosmt is slow) # X86: # spectre_v2=on # pti=on @@ -36,8 +35,8 @@ # ssbd=force-on # # N.B. Hardening sysctls: -# kernel.kptr_restrict=2 -# kernel.dmesg_restrict=1 +# kernel.kptr_restrict=2 (or 1?) +# kernel.dmesg_restrict=1 (also see the kconfig option) # kernel.perf_event_paranoid=3 # kernel.kexec_load_disabled=1 # kernel.yama.ptrace_scope=3 @@ -329,6 +328,7 @@ def construct_checklist(l, arch): l += [OptCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')] # 'self_protection', 'kspp' + l += [OptCheck('self_protection', 'kspp', 'SECURITY_DMESG_RESTRICT', 'y')] l += [OptCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')] l += [OptCheck('self_protection', 'kspp', 'DEBUG_WX', 'y')] l += [OptCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y')] @@ -376,7 +376,6 @@ def construct_checklist(l, arch): l += [OptCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '32768')] # 'self_protection', 'clipos' - l += [OptCheck('self_protection', 'clipos', 'SECURITY_DMESG_RESTRICT', 'y')] l += [OptCheck('self_protection', 'clipos', 'DEBUG_VIRTUAL', 'y')] l += [OptCheck('self_protection', 'clipos', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support l += [OptCheck('self_protection', 'clipos', 'EFI_DISABLE_PCI_DMA', 'y')]