From: Alexander Popov Date: Tue, 4 Jun 2019 22:04:07 +0000 (+0300) Subject: Drop CONFIG_X86_MSR from the recommendations X-Git-Tag: v0.5.2~10 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=a5535b23fad7cd21010c890bcb7322fc7abfe0c1;p=kconfig-hardened-check.git Drop CONFIG_X86_MSR from the recommendations It exposes MSRs to the userspace, IMO it is not needed for mitigating X86 CPU bugs. Refers to the issue #19 (comment by @Bernhard40) --- diff --git a/README.md b/README.md index 3f661fd..c69a5e7 100644 --- a/README.md +++ b/README.md @@ -100,7 +100,6 @@ CONFIG_STACKLEAK_METRICS | is not set | clipos | self_protect CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | clipos | self_protection ||FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed CONFIG_RANDOM_TRUST_CPU | is not set | clipos | self_protection || OK: not found CONFIG_MICROCODE | y | clipos | self_protection || OK -CONFIG_X86_MSR | y | clipos | self_protection || FAIL: "m" CONFIG_IOMMU_SUPPORT | y | clipos | self_protection || OK CONFIG_INTEL_IOMMU | y | clipos | self_protection || OK CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection || OK @@ -173,7 +172,7 @@ CONFIG_FTRACE | is not set | my | cut_attack_su CONFIG_BPF_JIT | is not set | my | cut_attack_surface || FAIL: "y" CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_protection|| FAIL: "28" -[+] config check is finished: 'OK' - 50 / 'FAIL' - 71 +[+] config check is finished: 'OK' - 50 / 'FAIL' - 70 ``` diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py index cb59e39..9ca0279 100755 --- a/kconfig-hardened-check.py +++ b/kconfig-hardened-check.py @@ -257,7 +257,6 @@ def construct_checklist(arch): if debug_mode or arch == 'X86_64' or arch == 'X86_32': checklist.append(OptCheck('RANDOM_TRUST_CPU', 'is not set', 'clipos', 'self_protection')) checklist.append(OptCheck('MICROCODE', 'y', 'clipos', 'self_protection')) # is needed for mitigating CPU bugs - checklist.append(OptCheck('X86_MSR', 'y', 'clipos', 'self_protection')) # is needed for mitigating CPU bugs iommu_support_is_set = OptCheck('IOMMU_SUPPORT', 'y', 'clipos', 'self_protection') # is needed for mitigating DMA attacks checklist.append(iommu_support_is_set) checklist.append(AND(OptCheck('INTEL_IOMMU', 'y', 'clipos', 'self_protection'), \