X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2Fchecks.py;h=e8e89b9898813c901add423ab0fb253ecde094d3;hb=a6732ba512e963eba7ab3f8af494508a49c92613;hp=1bb1de205498bf11d25935a870fa623586ef3582;hpb=e84011fddceecda2d3d678ec3db08d3732d96ac2;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py index 1bb1de2..e8e89b9 100644 --- a/kconfig_hardened_check/checks.py +++ b/kconfig_hardened_check/checks.py @@ -31,8 +31,9 @@ This module contains knowledge for checks. # fs.protected_regular=2 # fs.suid_dumpable=0 # kernel.modules_disabled=1 -# kernel.randomize_va_space = 2 +# kernel.randomize_va_space=2 # nosmt sysfs control file +# dev.tty.legacy_tiocsti=0 # # Think of these boot params: # module.sig_enforce=1 @@ -44,7 +45,7 @@ This module contains knowledge for checks. # efi=disable_early_pci_dma # pylint: disable=missing-function-docstring,line-too-long,invalid-name -# pylint: disable=too-many-branches,too-many-statements,too-many-return-statements +# pylint: disable=too-many-branches,too-many-statements from .engine import KconfigCheck, CmdlineCheck, VersionCheck, OR, AND @@ -134,6 +135,7 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_HISTORY', 'y')] + l += [KconfigCheck('self_protection', 'defconfig', 'DEBUG_ALIGN_RODATA', 'y')] # 'self_protection', 'kspp' l += [KconfigCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')] @@ -378,6 +380,7 @@ def add_kconfig_checks(l, arch): l += [bpf_syscall_not_set] # refers to LOCKDOWN # 'cut_attack_surface', 'my' + l += [KconfigCheck('cut_attack_surface', 'my', 'LEGACY_TIOCSTI', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'my', 'MMIOTRACE', 'is not set')] # refers to LOCKDOWN (permissive) l += [KconfigCheck('cut_attack_surface', 'my', 'LIVEPATCH', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'my', 'IP_DCCP', 'is not set')] @@ -387,14 +390,11 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'my', 'AIO', 'is not set')] + l += [KconfigCheck('cut_attack_surface', 'my', 'CORESIGHT', 'is not set')] l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'), modules_not_set)] # 'harden_userspace' - if arch in ('X86_64', 'ARM64', 'X86_32'): - l += [KconfigCheck('harden_userspace', 'defconfig', 'INTEGRITY', 'y')] - if arch == 'ARM': - l += [KconfigCheck('harden_userspace', 'my', 'INTEGRITY', 'y')] if arch == 'ARM64': l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_PTR_AUTH', 'y')] l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_BTI', 'y')] @@ -545,48 +545,31 @@ def add_cmdline_checks(l, arch): # 'cut_attack_surface', 'my' l += [CmdlineCheck('cut_attack_surface', 'my', 'sysrq_always_enabled', 'is not set')] + # 'harden_userspace' + l += [CmdlineCheck('harden_userspace', 'defconfig', 'norandmaps', 'is not set')] + + +no_kstrtobool_options = [ + 'debugfs', # See debugfs_kernel() in fs/debugfs/inode.c + 'mitigations', # See mitigations_parse_cmdline() in kernel/cpu.c + 'pti', # See pti_check_boottime_disable() in arch/x86/mm/pti.c + 'spectre_v2', # See spectre_v2_parse_cmdline() in arch/x86/kernel/cpu/bugs.c + 'spectre_v2_user', # See spectre_v2_parse_user_cmdline() in arch/x86/kernel/cpu/bugs.c + 'spec_store_bypass_disable', # See ssb_parse_cmdline() in arch/x86/kernel/cpu/bugs.c + 'l1tf', # See l1tf_cmdline() in arch/x86/kernel/cpu/bugs.c + 'mds', # See mds_cmdline() in arch/x86/kernel/cpu/bugs.c + 'tsx_async_abort', # See tsx_async_abort_parse_cmdline() in arch/x86/kernel/cpu/bugs.c + 'srbds', # See srbds_parse_cmdline() in arch/x86/kernel/cpu/bugs.c + 'mmio_stale_data', # See mmio_stale_data_parse_cmdline() in arch/x86/kernel/cpu/bugs.c + 'retbleed', # See retbleed_parse_cmdline() in arch/x86/kernel/cpu/bugs.c + 'tsx' # See tsx_init() in arch/x86/kernel/cpu/tsx.c +] + def normalize_cmdline_options(option, value): # Don't normalize the cmdline option values if # the Linux kernel doesn't use kstrtobool() for them - if option == 'debugfs': - # See debugfs_kernel() in fs/debugfs/inode.c - return value - if option == 'mitigations': - # See mitigations_parse_cmdline() in kernel/cpu.c - return value - if option == 'pti': - # See pti_check_boottime_disable() in arch/x86/mm/pti.c - return value - if option == 'spectre_v2': - # See spectre_v2_parse_cmdline() in arch/x86/kernel/cpu/bugs.c - return value - if option == 'spectre_v2_user': - # See spectre_v2_parse_user_cmdline() in arch/x86/kernel/cpu/bugs.c - return value - if option == 'spec_store_bypass_disable': - # See ssb_parse_cmdline() in arch/x86/kernel/cpu/bugs.c - return value - if option == 'l1tf': - # See l1tf_cmdline() in arch/x86/kernel/cpu/bugs.c - return value - if option == 'mds': - # See mds_cmdline() in arch/x86/kernel/cpu/bugs.c - return value - if option == 'tsx_async_abort': - # See tsx_async_abort_parse_cmdline() in arch/x86/kernel/cpu/bugs.c - return value - if option == 'srbds': - # See srbds_parse_cmdline() in arch/x86/kernel/cpu/bugs.c - return value - if option == 'mmio_stale_data': - # See mmio_stale_data_parse_cmdline() in arch/x86/kernel/cpu/bugs.c - return value - if option == 'retbleed': - # See retbleed_parse_cmdline() in arch/x86/kernel/cpu/bugs.c - return value - if option == 'tsx': - # See tsx_init() in arch/x86/kernel/cpu/tsx.c + if option in no_kstrtobool_options: return value # Implement a limited part of the kstrtobool() logic