X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2Fchecks.py;h=31a5b12b8425a44fae29a43a33f741734d621cef;hb=0b1c6d98f075dffcc4d1729e00e04b0854f378eb;hp=cc71ef1dcaf030bae7f64f5135a459e084862fcd;hpb=7bb6a185ab3e68b25d24279466727c7ac69bd059;p=kconfig-hardened-check.git

diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py
index cc71ef1..31a5b12 100644
--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -1,9 +1,7 @@
 #!/usr/bin/python3
 
 """
-This tool helps me to check Linux kernel options against
-my security hardening preferences for X86_64, ARM64, X86_32, and ARM.
-Let the computers do their job!
+This tool is for checking the security hardening options of the Linux kernel.
 
 Author: Alexander Popov <alex.popov@linux.com>
 
@@ -16,7 +14,7 @@ This module contains knowledge for checks.
 #    kernel.perf_event_paranoid=2 (or 3 with a custom patch, see https://lwn.net/Articles/696216/)
 #    kernel.kexec_load_disabled=1
 #    kernel.yama.ptrace_scope=3
-#    user.max_user_namespaces=0
+#    user.max_user_namespaces=0 (for Debian, also see kernel.unprivileged_userns_clone)
 #    what about bpf_jit_enable?
 #    kernel.unprivileged_bpf_disabled=1
 #    net.core.bpf_jit_harden=2
@@ -36,6 +34,9 @@ This module contains knowledge for checks.
 #    dev.tty.legacy_tiocsti=0
 #    vm.mmap_rnd_bits=max (?)
 #    kernel.sysrq=0
+#    abi.vsyscall32 (any value except 2)
+#    kernel.oops_limit (think about a proper value)
+#    kernel.warn_limit (think about a proper value)
 #
 # Think of these boot params:
 #    module.sig_enforce=1
@@ -45,6 +46,7 @@ This module contains knowledge for checks.
 #    intel_iommu=on
 #    amd_iommu=on
 #    efi=disable_early_pci_dma
+#    cfi=
 
 # pylint: disable=missing-function-docstring,line-too-long,invalid-name
 # pylint: disable=too-many-branches,too-many-statements
@@ -113,6 +115,7 @@ def add_kconfig_checks(l, arch):
     if arch == 'X86_64':
         l += [KconfigCheck('self_protection', 'defconfig', 'PAGE_TABLE_ISOLATION', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_MEMORY', 'y')]
+        l += [KconfigCheck('self_protection', 'defconfig', 'X86_KERNEL_IBT', 'y')]
         l += [AND(KconfigCheck('self_protection', 'defconfig', 'INTEL_IOMMU', 'y'),
                   iommu_support_is_set)]
         l += [AND(KconfigCheck('self_protection', 'defconfig', 'AMD_IOMMU', 'y'),
@@ -165,9 +168,9 @@ def add_kconfig_checks(l, arch):
     hardened_usercopy_is_set = KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y')
     l += [hardened_usercopy_is_set]
     l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'),
-              hardened_usercopy_is_set)]
+              hardened_usercopy_is_set)] # usercopy whitelist violations should be prohibited
     l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_PAGESPAN', 'is not set'),
-              hardened_usercopy_is_set)]
+              hardened_usercopy_is_set)] # this debugging for HARDENED_USERCOPY is not needed for security
     l += [AND(KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y'),
               gcc_plugins_support_is_set)]
     l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG', 'y'),
@@ -288,7 +291,6 @@ def add_kconfig_checks(l, arch):
     l += [KconfigCheck('cut_attack_surface', 'kspp', 'ACPI_CUSTOM_METHOD', 'is not set')] # refers to LOCKDOWN
     l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_BRK', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'kspp', 'DEVKMEM', 'is not set')] # refers to LOCKDOWN
-    l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'kspp', 'BINFMT_MISC', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'kspp', 'INET_DIAG', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'kspp', 'KEXEC', 'is not set')] # refers to LOCKDOWN
@@ -308,6 +310,10 @@ def add_kconfig_checks(l, arch):
              devmem_not_set)] # refers to LOCKDOWN
     l += [AND(KconfigCheck('cut_attack_surface', 'kspp', 'LDISC_AUTOLOAD', 'is not set'),
               KconfigCheck('cut_attack_surface', 'kspp', 'LDISC_AUTOLOAD', 'is present'))]
+    if arch in ('X86_64', 'X86_32'):
+        l += [KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set')]
+              # CONFIG_COMPAT_VDSO disabled ASLR of vDSO only on X86_64 and X86_32;
+              # on ARM64 this option has different meaning
     if arch == 'ARM':
         l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'STRICT_DEVMEM', 'y'),
                  devmem_not_set)] # refers to LOCKDOWN
@@ -482,7 +488,7 @@ def add_cmdline_checks(l, arch):
                  AND(KconfigCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y'),
                      CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set')))]
     else:
-        l += [OR(CmdlineCheck('self_protection', 'defconfig', 'rodata', '1'),
+        l += [OR(CmdlineCheck('self_protection', 'defconfig', 'rodata', 'on'),
                  CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set'))]
 
     # 'self_protection', 'kspp'
@@ -542,6 +548,18 @@ def add_cmdline_checks(l, arch):
                  KconfigCheck('cut_attack_surface', 'clipos', 'X86_VSYSCALL_EMULATION', 'is not set'),
                  AND(KconfigCheck('cut_attack_surface', 'kspp', 'LEGACY_VSYSCALL_NONE', 'y'),
                      CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'is not set')))]
+        l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'),
+                 CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '0'),
+                 AND(KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set'),
+                     CmdlineCheck('cut_attack_surface', 'my', 'vdso32', 'is not set')))] # the vdso32 parameter must not be 2
+    if arch == 'X86_32':
+        l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '1'),
+                 CmdlineCheck('cut_attack_surface', 'my', 'vdso', '1'),
+                 CmdlineCheck('cut_attack_surface', 'my', 'vdso32', '0'),
+                 CmdlineCheck('cut_attack_surface', 'my', 'vdso', '0'),
+                 AND(KconfigCheck('cut_attack_surface', 'kspp', 'COMPAT_VDSO', 'is not set'),
+                     CmdlineCheck('cut_attack_surface', 'my', 'vdso32', 'is not set'),
+                     CmdlineCheck('cut_attack_surface', 'my', 'vdso', 'is not set')))] # the vdso and vdso32 parameters must not be 2
 
     # 'cut_attack_surface', 'grsec'
     # The cmdline checks compatible with the kconfig options disabled by grsecurity...
@@ -568,6 +586,13 @@ no_kstrtobool_options = [
     'srbds', # See srbds_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
     'mmio_stale_data', # See mmio_stale_data_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
     'retbleed', # See retbleed_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
+    'rodata', # See set_debug_rodata() in init/main.c
+    'ssbd', # See parse_spectre_v4_param() in arch/arm64/kernel/proton-pack.c
+    'slub_debug', # See setup_slub_debug() in mm/slub.c
+    'iommu', # See iommu_setup() in arch/x86/kernel/pci-dma.c
+    'vsyscall', # See vsyscall_setup() in arch/x86/entry/vsyscall/vsyscall_64.c
+    'vdso32', # See vdso32_setup() in arch/x86/entry/vdso/vdso32-setup.c
+    'vdso', # See vdso32_setup() in arch/x86/entry/vdso/vdso32-setup.c
     'tsx' # See tsx_init() in arch/x86/kernel/cpu/tsx.c
 ]
 
@@ -579,9 +604,9 @@ def normalize_cmdline_options(option, value):
         return value
 
     # Implement a limited part of the kstrtobool() logic
-    if value in ('1', 'on', 'On', 'ON', 'y', 'Y', 'yes', 'Yes', 'YES'):
+    if value.lower() in ('1', 'on', 'y', 'yes', 't', 'true'):
         return '1'
-    if value in ('0', 'off', 'Off', 'OFF', 'n', 'N', 'no', 'No', 'NO'):
+    if value.lower() in ('0', 'off', 'n', 'no', 'f', 'false'):
         return '0'
 
     # Preserve unique values