X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fchecks.py;h=d3d5a8338e534596c5f485f04f7b932f053f2ba6;hb=480c6df60ad7256eb28c49af06a1afeee4207d24;hp=8940149ad2f6749c29748bb667612164ad0b226e;hpb=da9b9115004ada8fa1f10860a973d2147c968b7c;p=kconfig-hardened-check.git diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py index 8940149..d3d5a83 100644 --- a/kernel_hardening_checker/checks.py +++ b/kernel_hardening_checker/checks.py @@ -93,6 +93,8 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: KconfigCheck('self_protection', 'defconfig', 'RETPOLINE', 'y'))] l += [OR(KconfigCheck('self_protection', 'defconfig', 'MITIGATION_RFDS', 'y'), cpu_sup_intel_not_set)] + l += [OR(KconfigCheck('self_protection', 'defconfig', 'MITIGATION_SPECTRE_BHI', 'y'), + cpu_sup_intel_not_set)] if arch in ('ARM64', 'ARM'): l += [KconfigCheck('self_protection', 'defconfig', 'HW_RANDOM_TPM', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'IOMMU_DEFAULT_DMA_STRICT', 'y')] @@ -133,6 +135,8 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: l += [KconfigCheck('self_protection', 'defconfig', 'DEBUG_ALIGN_RODATA', 'y')] # 'self_protection', 'kspp' + l += [KconfigCheck('self_protection', 'kspp', 'PAGE_TABLE_CHECK', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'PAGE_TABLE_CHECK_ENFORCED', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_HARDENED', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_RANDOM', 'y')] @@ -249,6 +253,7 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: if arch == 'ARM64': l += [KconfigCheck('self_protection', 'kspp', 'ARM64_SW_TTBR0_PAN', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'SHADOW_CALL_STACK', 'y')] + l += [KconfigCheck('self_protection', 'kspp', 'UNWIND_PATCH_PAC_INTO_SCS', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'KASAN_HW_TAGS', 'y')] # see also: kasan=on, kasan.stacktrace=off, kasan.fault=panic if arch == 'X86_32': l += [KconfigCheck('self_protection', 'kspp', 'HIGHMEM64G', 'y')] @@ -473,6 +478,10 @@ def add_cmdline_checks(l: List[ChecklistObjType], arch: str) -> None: l += [OR(CmdlineCheck('self_protection', 'defconfig', 'spectre_v2_user', 'is not off'), AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), CmdlineCheck('self_protection', 'defconfig', 'spectre_v2_user', 'is not set')))] + l += [OR(CmdlineCheck('self_protection', 'defconfig', 'spectre_bhi', 'is not off'), + AND(KconfigCheck('self_protection', 'defconfig', 'MITIGATION_SPECTRE_BHI', 'y'), + CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), + CmdlineCheck('self_protection', 'defconfig', 'spectre_bhi', 'is not set')))] l += [OR(CmdlineCheck('self_protection', 'defconfig', 'spec_store_bypass_disable', 'is not off'), AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'), CmdlineCheck('self_protection', 'defconfig', 'spec_store_bypass_disable', 'is not set')))] @@ -623,6 +632,7 @@ no_kstrtobool_options = [ 'pti', # See pti_check_boottime_disable() in arch/x86/mm/pti.c 'spectre_v2', # See spectre_v2_parse_cmdline() in arch/x86/kernel/cpu/bugs.c 'spectre_v2_user', # See spectre_v2_parse_user_cmdline() in arch/x86/kernel/cpu/bugs.c + 'spectre_bhi', # See spectre_bhi_parse_cmdline() in arch/x86/kernel/cpu/bugs.c 'spec_store_bypass_disable', # See ssb_parse_cmdline() in arch/x86/kernel/cpu/bugs.c 'l1tf', # See l1tf_cmdline() in arch/x86/kernel/cpu/bugs.c 'mds', # See mds_cmdline() in arch/x86/kernel/cpu/bugs.c