X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=fe06bc951136aa8baa1d836631a9558faf27d0a2;hb=29700a52a2622c6e5076e0b3be2642b337ebc37b;hp=8ba238c4a43e66783d45b54518877a869236a9b2;hpb=4e739dbfbda89c8f0d30f81da453400cf1688c6a;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 8ba238c..fe06bc9 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -225,9 +225,11 @@ class AND(ComplexOptCheck): if not ret: # This FAIL is caused by additional checks, # and not by the main option that this AND-check is about. - if opt.result.startswith('FAIL: \"'): - # Describe the reason of the FAIL. + # Describe the reason of the FAIL. + if opt.result.startswith('FAIL: \"') or opt.result == 'FAIL: not found': self.result = 'FAIL: CONFIG_{} not "{}"'.format(opt.name, opt.expected) + elif opt.result == 'FAIL: not present': + self.result = 'FAIL: CONFIG_{} not present'.format(opt.name) else: # This FAIL message is self-explaining. self.result = opt.result @@ -306,9 +308,11 @@ def construct_checklist(l, arch): l += [OptCheck('self_protection', 'defconfig', 'ARM64_PAN', 'y')] l += [OptCheck('self_protection', 'defconfig', 'UNMAP_KERNEL_AT_EL0', 'y')] l += [OR(OptCheck('self_protection', 'defconfig', 'HARDEN_EL2_VECTORS', 'y'), - VerCheck((5,9)))] # HARDEN_EL2_VECTORS was removed in v5.9 + AND(OptCheck('self_protection', 'defconfig', 'RANDOMIZE_BASE', 'y'), + VerCheck((5, 9))))] # HARDEN_EL2_VECTORS was included in RANDOMIZE_BASE in v5.9 l += [OptCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y')] l += [OptCheck('self_protection', 'defconfig', 'ARM64_PTR_AUTH', 'y')] + l += [OptCheck('self_protection', 'defconfig', 'ARM64_BTI_KERNEL', 'y')] if arch in ('X86_64', 'ARM64'): l += [OptCheck('self_protection', 'defconfig', 'VMAP_STACK', 'y')] if arch in ('X86_64', 'ARM64', 'X86_32'): @@ -351,7 +355,7 @@ def construct_checklist(l, arch): l += [OR(OptCheck('self_protection', 'kspp', 'INIT_STACK_ALL', 'y'), OptCheck('self_protection', 'kspp', 'GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y'))] l += [OR(OptCheck('self_protection', 'kspp', 'INIT_ON_FREE_DEFAULT_ON', 'y'), - OptCheck('self_protection', 'kspp', 'PAGE_POISONING', 'y'))] # before v5.3 + OptCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'))] # before v5.3 if arch in ('X86_64', 'ARM64', 'X86_32'): stackleak_is_set = OptCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y') l += [stackleak_is_set] @@ -392,11 +396,16 @@ def construct_checklist(l, arch): iommu_support_is_set)] # 'self_protection', 'my' + l += [AND(OptCheck('self_protection', 'my', 'UBSAN_BOUNDS', 'y'), + OptCheck('self_protection', 'my', 'UBSAN_MISC', 'is not set'), + OptCheck('self_protection', 'my', 'UBSAN_TRAP', 'y'))] l += [OptCheck('self_protection', 'my', 'SLUB_DEBUG_ON', 'y')] # TODO: is it better to set that via kernel cmd? l += [OptCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y')] # needs userspace support (systemd) if arch == 'X86_64': l += [AND(OptCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'), iommu_support_is_set)] + if arch == 'ARM64': + l += [OptCheck('self_protection', 'my', 'SHADOW_CALL_STACK', 'y')] # 'security_policy' if arch in ('X86_64', 'ARM64', 'X86_32'): @@ -502,6 +511,7 @@ def construct_checklist(l, arch): l += [OptCheck('cut_attack_surface', 'lockdown', 'MMIOTRACE_TEST', 'is not set')] # refers to LOCKDOWN # 'cut_attack_surface', 'my' + l += [OptCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y')] l += [OptCheck('cut_attack_surface', 'my', 'MMIOTRACE', 'is not set')] # refers to LOCKDOWN (permissive) l += [OptCheck('cut_attack_surface', 'my', 'LIVEPATCH', 'is not set')] l += [OptCheck('cut_attack_surface', 'my', 'IP_DCCP', 'is not set')]