kconfig-hardened-check.git / commitdiff (from parent 1: c6db991)
Update the README
author: Alexander Popov <alex.popov@linux.com>, Mon, 12 Jun 2023 14:46:25 +0000 (17:46 +0300)
committer: Alexander Popov <alex.popov@linux.com>, Mon, 12 Jun 2023 14:46:25 +0000 (17:46 +0300)
Refers to #67.
README.md
diff --git
a/README.md
b/README.md
index dbdc1f3b72ae1911268aaceffc8c29823795e2fa..735a89120ca51692f42c1606bfa271dc87344546 100644
(file)
--- a/
README.md
+++ b/
README.md
@@
-63,24
+63,28
@@
Some Linux distributions also provide `kconfig-hardened-check` as a package.
## Usage
```
## Usage
```
-usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}] [-c CONFIG]
- [-l CMDLINE] [-m {verbose,json,show_ok,show_fail}]
+usage: kconfig-hardened-check [-h] [--version] [-m {verbose,json,show_ok,show_fail}]
+ [-c CONFIG] [-l CMDLINE] [-p {X86_64,X86_32,ARM64,ARM}]
+ [-g {X86_64,X86_32,ARM64,ARM}]
A tool for checking the security hardening options of the Linux kernel
options:
-h, --help show this help message and exit
--version show program's version number and exit
A tool for checking the security hardening options of the Linux kernel
options:
-h, --help show this help message and exit
--version show program's version number and exit
- -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
- print the security hardening recommendations for the selected
- microarchitecture
+ -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}
+ choose the report mode
-c CONFIG, --config CONFIG
-c CONFIG, --config CONFIG
- check the security hardening options in the kernel
kconfig file (also
- supports *.gz files)
+ check the security hardening options in the kernel
Kconfig file
+
(also
supports *.gz files)
-l CMDLINE, --cmdline CMDLINE
check the security hardening options in the kernel cmdline file
-l CMDLINE, --cmdline CMDLINE
check the security hardening options in the kernel cmdline file
- -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}
- choose the report mode
+ -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
+ print the security hardening recommendations for the selected
+ microarchitecture
+ -g {X86_64,X86_32,ARM64,ARM}, --generate {X86_64,X86_32,ARM64,ARM}
+ generate a Kconfig fragment with the security hardening options for
+ the selected microarchitecture
```
## Output modes
```
## Output modes
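Review bot: the new `-g {X86_64,X86_32,ARM64,ARM}, --generate` help text (and the `usage:` synopsis above it) says nothing about where the generated fragment goes or whether `-g` can be combined with `-c`, `-l` or `-p`; now that the tool has three distinct actions (check with `-c`/`-l`, print with `-p`, generate with `-g`), the help should say the fragment is written to stdout (which is what the `-g X86_64 > /tmp/fragment` example later in this patch relies on) and whether the actions are mutually exclusive, e.g. `generate a Kconfig fragment with the security hardening options for the selected microarchitecture (written to stdout)`. The option order in the synopsis also changed from `-p ... -c ... -l ... -m` to `-m ... -c ... -l ... -p ... -g`; it is worth pasting the literal `--help` output of the same version into the README so the two can be diffed and stay in sync.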
@@
-338,14
+342,22
@@
sysrq_always_enabled |cmdline| is not set | my |cut_att
[+] Config check is finished: 'OK' - 122 / 'FAIL' - 101
```
[+] Config check is finished: 'OK' - 122 / 'FAIL' - 101
```
-## kconfig-hardened-check versioning
-
-I usually update the kernel security hardening recommendations every few kernel releases.
+## Generating a Kconfig fragment with the security hardening options
-So the version of `kconfig-hardened-check` is associated with the corresponding version of the kernel.
-
-The version format is: __[major_number].[kernel_version].[kernel_patchlevel]__
+With the `-g` argument the tool generates a Kconfig fragment with the security hardening options for the selected microarchitecture.
+This Kconfig fragment can be merged with the existing Linux kernel config:
+```
+$ ./bin/kconfig-hardened-check -g X86_64 > /tmp/fragment
+$ cd ~/linux-src/
+$ ./scripts/kconfig/merge_config.sh .config /tmp/fragment
+Using .config as base
+Merging /tmp/fragment
+Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment /tmp/fragment:
+Previous value: # CONFIG_BUG_ON_DATA_CORRUPTION is not set
+New value: CONFIG_BUG_ON_DATA_CORRUPTION=y
+ ...
+```
## Questions and answers
## Questions and answers
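Review bot: this hunk deletes the whole "kconfig-hardened-check versioning" section (the `[major_number].[kernel_version].[kernel_patchlevel]` format and the statement that the recommendations are refreshed every few kernel releases) while adding the fragment section, and the commit message ("Update the README", "Refers to #67") does not say why; if the versioning scheme still holds, keep that text (moved below the new section if needed) rather than dropping it silently, and if it no longer holds, say so in the commit message. In the new example, `./scripts/kconfig/merge_config.sh .config /tmp/fragment` ends with `...`, and the reader is not told that merge_config.sh can warn about, and leave out, requested options whose dependencies the base config does not satisfy; add one line after the merge telling the reader to verify the result with the tool's own checker, e.g. `./bin/kconfig-hardened-check -c .config`, so the fragment is confirmed to have taken effect rather than assumed.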