X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=fa06f8ecf169e388e931301bd47ad3c0fbab9dde;hb=4d49d01a415302bada63bca52d69a18d57b70189;hp=565503e2f5e77bc881e4972db90903cf25713ed5;hpb=aa073c2c186a1257fea935d8ecd54adf88775d6f;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 565503e..fa06f8e 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -11,7 +11,6 @@ # # # N.B Hardening command line parameters: -# slab_nomerge # page_alloc.shuffle=1 # iommu=force (does it help against DMA attacks?) # iommu.passthrough=0 @@ -21,7 +20,6 @@ # init_on_free=1 (since v5.3, otherwise slub_debug=P and page_poison=1) # loadpin.enforce=1 # debugfs=no-mount (or off if possible) -# randomize_kstack_offset=1 # # Mitigations of CPU vulnerabilities: # Аrch-independent: @@ -39,6 +37,7 @@ # ssbd=force-on # # Should NOT be set: +# slab_merge # nokaslr # rodata=off # sysrq_always_enabled @@ -439,7 +438,8 @@ def add_kconfig_checks(l, arch): if arch in ('X86_64', 'ARM64', 'X86_32'): stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y') l += [stackleak_is_set] - l += [KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')] + l += [OR(KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y'), + CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', '1'))] if arch in ('X86_64', 'X86_32'): l += [KconfigCheck('self_protection', 'kspp', 'SCHED_CORE', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '65536')] @@ -467,7 +467,8 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('self_protection', 'clipos', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support l += [OR(KconfigCheck('self_protection', 'clipos', 'EFI_DISABLE_PCI_DMA', 'y'), efi_not_set)] - l += [KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set')] # slab_nomerge + l += [OR(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'), + CmdlineCheck('self_protection', 'kspp', 'slab_nomerge'))] # option presence check l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_BOOTLOADER', 'is not set')] l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_CPU', 'is not set')] l += [AND(KconfigCheck('self_protection', 'clipos', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'), @@ -660,7 +661,6 @@ def add_cmdline_checks(l, arch): # Calling the CmdlineCheck class constructor: # CmdlineCheck(reason, decision, name, expected) - l += [CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', 'on')] # TODO: add other @@ -804,9 +804,20 @@ def parse_kconfig_file(parsed_options, fname): def parse_cmdline_file(parsed_options, fname): with open(fname, 'r') as f: - print('FIXME! cmdline file:') - for line in f.readlines(): - print(line) + line = f.readline() + opts = line.split() + + line = f.readline() + if line: + sys.exit('[!] ERROR: more than one line in "{}"'.format(fname)) + + for opt in opts: + if '=' in opt: + name, value = opt.split('=', 1) + else: + name = opt + value = '' # '' is not None + parsed_options[name] = value def main():