X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=e1b5a5e82b5ee3bb87914a5337ba1b459d45087e;hb=b7d33ca9a9c8d324d8da9d9bc652febb063fb7be;hp=da45867b1782b289c9693d9439e3176b9d00be71;hpb=f8b1263331fe6d0d94ff0d1f9ff460220447694c;p=kconfig-hardened-check.git

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index da45867..e1b5a5e 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -2,7 +2,7 @@
 
 #
 # This tool helps me to check the Linux kernel Kconfig option list
-# against my hardening preferences for X86_64, ARM64, X86_32, and ARM.
+# against my security hardening preferences for X86_64, ARM64, X86_32, and ARM.
 # Let the computers do their job!
 #
 # Author: Alexander Popov <alex.popov@linux.com>
@@ -46,6 +46,8 @@
 #    net.core.bpf_jit_harden=2
 #
 #    vm.unprivileged_userfaultfd=0
+#        (at first, it disabled unprivileged userfaultfd,
+#         and since v5.11 it enables unprivileged userfaultfd for user-mode only)
 #
 #    dev.tty.ldisc_autoload=0
 #    fs.protected_symlinks=1
@@ -302,6 +304,8 @@ def construct_checklist(l, arch):
         l += [OptCheck('self_protection', 'defconfig', 'SYN_COOKIES', 'y')] # another reason?
         l += [OR(OptCheck('self_protection', 'defconfig', 'X86_UMIP', 'y'),
                  OptCheck('self_protection', 'defconfig', 'X86_INTEL_UMIP', 'y'))]
+    if arch in ('ARM64', 'ARM'):
+        l += [OptCheck('self_protection', 'defconfig', 'STACKPROTECTOR_PER_TASK', 'y')]
     if arch == 'X86_64':
         l += [OptCheck('self_protection', 'defconfig', 'PAGE_TABLE_ISOLATION', 'y')]
         l += [OptCheck('self_protection', 'defconfig', 'RANDOMIZE_MEMORY', 'y')]
@@ -319,10 +323,9 @@ def construct_checklist(l, arch):
         l += [OptCheck('self_protection', 'defconfig', 'ARM64_PTR_AUTH', 'y')]
         l += [OptCheck('self_protection', 'defconfig', 'ARM64_BTI_KERNEL', 'y')]
         l += [OR(OptCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y'),
-             VerCheck((5, 10)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10
+                 VerCheck((5, 10)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10
     if arch == 'ARM':
         l += [OptCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')]
-        l += [OptCheck('self_protection', 'defconfig', 'STACKPROTECTOR_PER_TASK', 'y')]
         l += [OptCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')]
 
     # 'self_protection', 'kspp'
@@ -357,7 +360,12 @@ def construct_checklist(l, arch):
     l += [OR(OptCheck('self_protection', 'kspp', 'INIT_STACK_ALL_ZERO', 'y'),
              OptCheck('self_protection', 'kspp', 'GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y'))]
     l += [OR(OptCheck('self_protection', 'kspp', 'INIT_ON_FREE_DEFAULT_ON', 'y'),
-             OptCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'))] # before v5.3
+             OptCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'))]
+             # CONFIG_INIT_ON_FREE_DEFAULT_ON was added in v5.3.
+             # CONFIG_PAGE_POISONING_ZERO was removed in v5.11.
+             # Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks
+             # the 0xAA poison pattern on allocation.
+             # That brings higher performance penalty.
     if arch in ('X86_64', 'ARM64', 'X86_32'):
         stackleak_is_set = OptCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y')
         l += [stackleak_is_set]
@@ -406,7 +414,7 @@ def construct_checklist(l, arch):
         l += [AND(OptCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'),
                   iommu_support_is_set)]
     if arch == 'ARM64':
-        l += [OptCheck('self_protection', 'my', 'SHADOW_CALL_STACK', 'y')] # maybe it should be alternative to STACKPROTECTOR_STRONG
+        l += [OptCheck('self_protection', 'my', 'SHADOW_CALL_STACK', 'y')] # depends on clang, maybe it's alternative to STACKPROTECTOR_STRONG
 
     # 'security_policy'
     if arch in ('X86_64', 'ARM64', 'X86_32'):
@@ -662,10 +670,10 @@ def main():
     report_modes = ['verbose', 'json', 'show_ok', 'show_fail']
     supported_archs = ['X86_64', 'X86_32', 'ARM64', 'ARM']
     parser = ArgumentParser(prog='kconfig-hardened-check',
-                            description='Checks the hardening options in the Linux kernel config')
+                            description='A tool for checking the security hardening options of the Linux kernel')
     parser.add_argument('--version', action='version', version='%(prog)s ' + __version__)
     parser.add_argument('-p', '--print', choices=supported_archs,
-                        help='print hardening preferences for selected architecture')
+                        help='print security hardening preferences for the selected architecture')
     parser.add_argument('-c', '--config',
                         help='check the kernel config file against these preferences')
     parser.add_argument('-m', '--mode', choices=report_modes,
@@ -713,7 +721,7 @@ def main():
         arch = args.print
         construct_checklist(config_checklist, arch)
         if mode != 'json':
-            print('[+] Printing kernel hardening preferences for {}...'.format(arch))
+            print('[+] Printing kernel security hardening preferences for {}...'.format(arch))
         print_checklist(mode, config_checklist, False)
         sys.exit(0)