X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2Fchecks.py;h=c20f096baa0dc74a28b2750e631e620d00f0c637;hb=3c73a2e8f379fb1bcb9342688d83dba06fe0a419;hp=5b917bfbfd41d5cc0f8dc781df6f512c0de51ea6;hpb=328a89c7703915bc9c8eb6e66eebb6944caf94bb;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py index 5b917bf..c20f096 100644 --- a/kconfig_hardened_check/checks.py +++ b/kconfig_hardened_check/checks.py @@ -1,5 +1,15 @@ #!/usr/bin/python3 +""" +This tool helps me to check Linux kernel options against +my security hardening preferences for X86_64, ARM64, X86_32, and ARM. +Let the computers do their job! + +Author: Alexander Popov + +This module contains knowledge for checks. +""" + # N.B. Hardening sysctls: # kernel.kptr_restrict=2 (or 1?) # kernel.dmesg_restrict=1 (also see the kconfig option) @@ -33,8 +43,8 @@ # amd_iommu=on # efi=disable_early_pci_dma -# pylint: disable=missing-module-docstring,missing-class-docstring,missing-function-docstring -# pylint: disable=line-too-long,invalid-name,too-many-branches,too-many-statements +# pylint: disable=missing-function-docstring,line-too-long,invalid-name +# pylint: disable=too-many-branches,too-many-statements,too-many-return-statements from .engine import KconfigCheck, CmdlineCheck, VersionCheck, OR, AND @@ -429,31 +439,43 @@ def add_cmdline_checks(l, arch): l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nopauth', 'is not set')] l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nomte', 'is not set')] l += [OR(CmdlineCheck('self_protection', 'defconfig', 'spectre_v2', 'is not off'), - CmdlineCheck('self_protection', 'defconfig', 'spectre_v2', 'is not set'))] + AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), + CmdlineCheck('self_protection', 'defconfig', 'spectre_v2', 'is not set')))] l += [OR(CmdlineCheck('self_protection', 'defconfig', 'spectre_v2_user', 'is not off'), - CmdlineCheck('self_protection', 'defconfig', 'spectre_v2_user', 'is not set'))] + AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), + CmdlineCheck('self_protection', 'defconfig', 'spectre_v2_user', 'is not set')))] l += [OR(CmdlineCheck('self_protection', 'defconfig', 'spec_store_bypass_disable', 'is not off'), - CmdlineCheck('self_protection', 'defconfig', 'spec_store_bypass_disable', 'is not set'))] + AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), + CmdlineCheck('self_protection', 'defconfig', 'spec_store_bypass_disable', 'is not set')))] l += [OR(CmdlineCheck('self_protection', 'defconfig', 'l1tf', 'is not off'), - CmdlineCheck('self_protection', 'defconfig', 'l1tf', 'is not set'))] + AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), + CmdlineCheck('self_protection', 'defconfig', 'l1tf', 'is not set')))] l += [OR(CmdlineCheck('self_protection', 'defconfig', 'mds', 'is not off'), - CmdlineCheck('self_protection', 'defconfig', 'mds', 'is not set'))] + AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), + CmdlineCheck('self_protection', 'defconfig', 'mds', 'is not set')))] l += [OR(CmdlineCheck('self_protection', 'defconfig', 'tsx_async_abort', 'is not off'), - CmdlineCheck('self_protection', 'defconfig', 'tsx_async_abort', 'is not set'))] + AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), + CmdlineCheck('self_protection', 'defconfig', 'tsx_async_abort', 'is not set')))] l += [OR(CmdlineCheck('self_protection', 'defconfig', 'srbds', 'is not off'), - CmdlineCheck('self_protection', 'defconfig', 'srbds', 'is not set'))] + AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), + CmdlineCheck('self_protection', 'defconfig', 'srbds', 'is not set')))] l += [OR(CmdlineCheck('self_protection', 'defconfig', 'mmio_stale_data', 'is not off'), - CmdlineCheck('self_protection', 'defconfig', 'mmio_stale_data', 'is not set'))] + AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), + CmdlineCheck('self_protection', 'defconfig', 'mmio_stale_data', 'is not set')))] l += [OR(CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not off'), - CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not set'))] + AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), + CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not set')))] l += [OR(CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not off'), - CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not set'))] + AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), + CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not set')))] l += [OR(CmdlineCheck('self_protection', 'defconfig', 'kvm.nx_huge_pages', 'is not off'), - CmdlineCheck('self_protection', 'defconfig', 'kvm.nx_huge_pages', 'is not set'))] + AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), + CmdlineCheck('self_protection', 'defconfig', 'kvm.nx_huge_pages', 'is not set')))] if arch == 'ARM64': l += [OR(CmdlineCheck('self_protection', 'defconfig', 'ssbd', 'kernel'), CmdlineCheck('self_protection', 'my', 'ssbd', 'force-on'), - CmdlineCheck('self_protection', 'defconfig', 'ssbd', 'is not set'))] + AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), + CmdlineCheck('self_protection', 'defconfig', 'ssbd', 'is not set')))] l += [OR(CmdlineCheck('self_protection', 'defconfig', 'rodata', 'full'), AND(KconfigCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y'), CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set')))] @@ -464,6 +486,12 @@ def add_cmdline_checks(l, arch): # 'self_protection', 'kspp' l += [CmdlineCheck('self_protection', 'kspp', 'nosmt', 'is present')] l += [CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt')] # 'nosmt' by kspp + 'auto' by defconfig + l += [CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp + l += [CmdlineCheck('self_protection', 'kspp', 'slub_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp + l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_nomerge', 'is present'), + AND(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'), + CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set'), + CmdlineCheck('self_protection', 'kspp', 'slub_merge', 'is not set')))] l += [OR(CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', '1'), AND(KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y'), CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', 'is not set')))] @@ -473,10 +501,6 @@ def add_cmdline_checks(l, arch): AND(CmdlineCheck('self_protection', 'kspp', 'page_poison', '1'), KconfigCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'), CmdlineCheck('self_protection', 'kspp', 'slub_debug', 'P')))] - l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_nomerge', 'is present'), - AND(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'), - CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set'), - CmdlineCheck('self_protection', 'clipos', 'slub_merge', 'is not set')))] l += [OR(CmdlineCheck('self_protection', 'kspp', 'iommu.strict', '1'), AND(KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y'), CmdlineCheck('self_protection', 'kspp', 'iommu.strict', 'is not set')))]