kconfig-hardened-check.git
13 months agoAdd the 'kernel.yama.ptrace_scope' check
Alexander Popov [Tue, 17 Oct 2023 15:53:32 +0000 (18:53 +0300)]
Add the 'kernel.yama.ptrace_scope' check

13 months agoAdd the 'kernel.kptr_restrict' check
Alexander Popov [Tue, 17 Oct 2023 15:52:57 +0000 (18:52 +0300)]
Add the 'kernel.kptr_restrict' check

13 months agoImprove the slab_common.usercopy_fallback check
Alexander Popov [Tue, 17 Oct 2023 05:38:51 +0000 (08:38 +0300)]
Improve the slab_common.usercopy_fallback check

Don't require slab_common.usercopy_fallback=0,
since HARDENED_USERCOPY_FALLBACK was removed in Linux v5.16

13 months agohardened_usercopy=1 is now officially recommended by KSPP
Alexander Popov [Tue, 17 Oct 2023 05:35:00 +0000 (08:35 +0300)]
hardened_usercopy=1 is now officially recommended by KSPP

13 months agoEnabling page_alloc.shuffle is now recommended by KSPP
Alexander Popov [Mon, 16 Oct 2023 20:40:15 +0000 (23:40 +0300)]
Enabling page_alloc.shuffle is now recommended by KSPP

13 months ago'mitigations=auto,nosmt' is now recommended by KSPP
Alexander Popov [Mon, 16 Oct 2023 20:22:59 +0000 (23:22 +0300)]
'mitigations=auto,nosmt' is now recommended by KSPP

13 months agoDisabling X86_VSYSCALL_EMULATION is now recommended by KSPP
Alexander Popov [Mon, 16 Oct 2023 05:13:29 +0000 (08:13 +0300)]
Disabling X86_VSYSCALL_EMULATION is now recommended by KSPP

13 months agoUse /usr/bin/env in shebangs (#90)
Alexander Popov [Mon, 16 Oct 2023 04:31:36 +0000 (07:31 +0300)]
Use /usr/bin/env in shebangs (#90)

Thanks, @SuperSandro2000

13 months agoUse /usr/bin/env in shebangs 90/head
Sandro Jäckel [Thu, 5 Oct 2023 22:41:00 +0000 (00:41 +0200)]
Use /usr/bin/env in shebangs

This is guaranteed to work everything including NixOS

13 months agoDrop ZERO_CALL_USED_REGS in favour of backward-edge CFI
Alexander Popov [Wed, 4 Oct 2023 18:21:21 +0000 (21:21 +0300)]
Drop ZERO_CALL_USED_REGS in favour of backward-edge CFI

This option isn't worth the performance impact.

Refers to #82.

14 months agoUpdate the README
Alexander Popov [Mon, 18 Sep 2023 20:56:21 +0000 (23:56 +0300)]
Update the README

14 months agoRefactor the assertion in colorize_result() to improve test coverage
Alexander Popov [Mon, 18 Sep 2023 05:58:44 +0000 (08:58 +0300)]
Refactor the assertion in colorize_result() to improve test coverage

14 months agoUpdate the backup in issues.md
Alexander Popov [Sun, 17 Sep 2023 22:56:10 +0000 (01:56 +0300)]
Update the backup in issues.md

14 months agoRename kconfig-hardened-check into kernel-hardening-checker (#85)
Alexander Popov [Sun, 17 Sep 2023 22:29:39 +0000 (01:29 +0300)]
Rename kconfig-hardened-check into kernel-hardening-checker (#85)

**kconfig-hardened-check** is a tool for checking the security hardening
options of the Linux kernel.

In addition to Kconfig options, it now can check kernel cmdline
arguments and sysctl parameters.

It's time to give this project a new name that describes it better:
**kernel-hardening-checker**.

14 months agoRenaming fixes renaming 85/head
Alexander Popov [Sun, 10 Sep 2023 11:45:03 +0000 (14:45 +0300)]
Renaming fixes

14 months agoDrop default.nix (it contains a wrong utility name anyway)
Alexander Popov [Sat, 9 Sep 2023 20:19:46 +0000 (23:19 +0300)]
Drop default.nix (it contains a wrong utility name anyway)

14 months agokconfig-hardened-check -> kernel-hardening-checker
Alexander Popov [Sat, 9 Sep 2023 20:18:12 +0000 (23:18 +0300)]
kconfig-hardened-check -> kernel-hardening-checker

14 months agotest_engine: add test_complex_nested()
Alexander Popov [Sun, 17 Sep 2023 16:46:18 +0000 (19:46 +0300)]
test_engine: add test_complex_nested()

AND(AND()), OR(OR()) are not supported intentionally.

14 months agotest_engine: improve the output
Alexander Popov [Sun, 17 Sep 2023 16:42:47 +0000 (19:42 +0300)]
test_engine: improve the output

14 months agotest_engine: improve the test_stdout()
Alexander Popov [Sat, 16 Sep 2023 18:26:33 +0000 (21:26 +0300)]
test_engine: improve the test_stdout()

(The nested AND/OR should be tested separately, stay tuned)

14 months agotest_engine: refactor test_complex_or() and test_complex_and()
Alexander Popov [Thu, 14 Sep 2023 21:31:52 +0000 (00:31 +0300)]
test_engine: refactor test_complex_or() and test_complex_and()

14 months agoDon't remove ANSI colors, adapt the testcases instead
Alexander Popov [Wed, 13 Sep 2023 22:07:47 +0000 (01:07 +0300)]
Don't remove ANSI colors, adapt the testcases instead

This rewrites the commit aa7e1bffebde9d4f1855df93819cea75a5bc4c79.

Refers to #86.

14 months agoAdd colors to output (#86)
Alexander Popov [Wed, 13 Sep 2023 22:06:19 +0000 (01:06 +0300)]
Add colors to output (#86)

Shows OK in green and FAIL in red

Thanks to @frakman1.

Refers to #81. Needs fixing `test_stdout()` in the unit-test.

14 months agoAdjust test scripts to scrub ANSI colors from output 86/head
Frak [Tue, 12 Sep 2023 15:47:28 +0000 (11:47 -0400)]
Adjust test scripts to scrub ANSI colors from output

14 months agoFix pylints and verbose/None case
Frak [Mon, 11 Sep 2023 22:46:50 +0000 (18:46 -0400)]
Fix pylints and verbose/None case

14 months agofix typo
Frak [Sun, 10 Sep 2023 20:29:51 +0000 (16:29 -0400)]
fix typo

14 months agocleanup spaces
Frak [Sun, 10 Sep 2023 17:40:59 +0000 (13:40 -0400)]
cleanup spaces

14 months agocleanup
Frak [Sat, 9 Sep 2023 21:17:54 +0000 (17:17 -0400)]
cleanup

14 months agore-factoring
Frak [Sat, 9 Sep 2023 21:09:18 +0000 (17:09 -0400)]
re-factoring

14 months agoAdd colors for OK and FAIL cases
Frak [Sat, 9 Sep 2023 18:18:39 +0000 (14:18 -0400)]
Add colors for OK and FAIL cases

14 months agoFix arch conditions for some CmdlineChecks
Alexander Popov [Sun, 3 Sep 2023 20:41:26 +0000 (23:41 +0300)]
Fix arch conditions for some CmdlineChecks

By the way, don't add `if arch` for checks that require 'is not set'
(there is nothing wrong with that).

14 months agoMake the functional tests more informative
Alexander Popov [Mon, 28 Aug 2023 11:26:17 +0000 (14:26 +0300)]
Make the functional tests more informative

Drop `> /dev/null` for non-verbose output of the tool.

14 months agoTest more wrong combinations of options
Alexander Popov [Mon, 28 Aug 2023 11:20:13 +0000 (14:20 +0300)]
Test more wrong combinations of options

14 months agoTest checking sysctl separately
Alexander Popov [Mon, 28 Aug 2023 11:02:00 +0000 (14:02 +0300)]
Test checking sysctl separately

14 months agoSupport separate sysctl checking (without kconfig)
Alexander Popov [Sun, 27 Aug 2023 20:31:55 +0000 (23:31 +0300)]
Support separate sysctl checking (without kconfig)

15 months agoImprove coverage of the functional test a bit
Alexander Popov [Mon, 14 Aug 2023 20:47:09 +0000 (23:47 +0300)]
Improve coverage of the functional test a bit

15 months agoClean .gitignore
Alexander Popov [Mon, 14 Aug 2023 18:48:07 +0000 (21:48 +0300)]
Clean .gitignore

15 months agoShow git information in the functional test
Alexander Popov [Mon, 14 Aug 2023 16:42:15 +0000 (19:42 +0300)]
Show git information in the functional test

15 months agoTest an invalid sysctl file
Alexander Popov [Mon, 14 Aug 2023 15:56:39 +0000 (18:56 +0300)]
Test an invalid sysctl file

15 months agoTest an unexpected line in the sysctl file
Alexander Popov [Mon, 14 Aug 2023 15:56:13 +0000 (18:56 +0300)]
Test an unexpected line in the sysctl file

15 months agoTest an unexpected line in the Kconfig file
Alexander Popov [Mon, 14 Aug 2023 15:53:25 +0000 (18:53 +0300)]
Test an unexpected line in the Kconfig file

15 months agoDrop `if __name__ == "__main__"` from ./bin/kconfig-hardened-check
Alexander Popov [Mon, 14 Aug 2023 15:39:18 +0000 (18:39 +0300)]
Drop `if __name__ == "__main__"` from ./bin/kconfig-hardened-check

It always runs as a main program.

15 months agoTurn the warning about unexpected line in Kconfig file into an error
Alexander Popov [Mon, 14 Aug 2023 13:02:21 +0000 (16:02 +0300)]
Turn the warning about unexpected line in Kconfig file into an error

15 months agoUpdate the README (add the --sysctl mode)
Alexander Popov [Mon, 14 Aug 2023 12:22:34 +0000 (15:22 +0300)]
Update the README (add the --sysctl mode)

15 months agoAdd the Kconfig file of Fedora 38
Alexander Popov [Sun, 13 Aug 2023 21:22:57 +0000 (00:22 +0300)]
Add the Kconfig file of Fedora 38

15 months agoUse example_sysctls.txt in the functional test
Alexander Popov [Sun, 13 Aug 2023 21:08:22 +0000 (00:08 +0300)]
Use example_sysctls.txt in the functional test

This file was made with root privileges, so it has a full list of sysctls.

15 months agoAdd an example sysctl output file
Alexander Popov [Sun, 13 Aug 2023 20:59:26 +0000 (23:59 +0300)]
Add an example sysctl output file

15 months agoAdd the / symbol to the sysctl parsing pattern
Alexander Popov [Sun, 13 Aug 2023 19:39:11 +0000 (22:39 +0300)]
Add the / symbol to the sysctl parsing pattern

The GitHub Actions virtual machine has such a sysctl:
  fs.binfmt_misc.llvm-14-runtime/binfmt = enabled

This example shows that sysctl names may contain the / symbol.

15 months agoAdd --sysctl to functional testing
Alexander Popov [Sun, 13 Aug 2023 17:37:28 +0000 (20:37 +0300)]
Add --sysctl to functional testing

Refers to #65

15 months agoImprove checking the combinations of flags in the functional test
Alexander Popov [Sun, 13 Aug 2023 17:04:32 +0000 (20:04 +0300)]
Improve checking the combinations of flags in the functional test

15 months agoFix syntax to run on the Woodpecker 1.0.0 CI (part II)
Alexander Popov [Sun, 13 Aug 2023 16:54:42 +0000 (19:54 +0300)]
Fix syntax to run on the Woodpecker 1.0.0 CI (part II)

15 months agoFix syntax to run on the Woodpecker 1.0.0 CI
Alexander Popov [Sun, 13 Aug 2023 16:50:42 +0000 (19:50 +0300)]
Fix syntax to run on the Woodpecker 1.0.0 CI

15 months agoReport that --print and --generate can't be used together
Alexander Popov [Sun, 13 Aug 2023 16:49:08 +0000 (19:49 +0300)]
Report that --print and --generate can't be used together

15 months agoEnable sysctl checking
Alexander Popov [Sun, 13 Aug 2023 16:28:05 +0000 (19:28 +0300)]
Enable sysctl checking

Refers to #65

16 months agoCheck the kernel.unprivileged_bpf_disabled sysctl
Alexander Popov [Sun, 23 Jul 2023 21:24:36 +0000 (00:24 +0300)]
Check the kernel.unprivileged_bpf_disabled sysctl

16 months agoCheck the dev.tty.ldisc_autoload sysctl
Alexander Popov [Sun, 23 Jul 2023 21:24:06 +0000 (00:24 +0300)]
Check the dev.tty.ldisc_autoload sysctl

16 months agoCheck the user.max_user_namespaces sysctl
Alexander Popov [Sun, 23 Jul 2023 21:23:38 +0000 (00:23 +0300)]
Check the user.max_user_namespaces sysctl

16 months agoCheck the kernel.kexec_load_disabled sysctl
Alexander Popov [Sun, 23 Jul 2023 21:18:49 +0000 (00:18 +0300)]
Check the kernel.kexec_load_disabled sysctl

16 months agoCheck the kernel.perf_event_paranoid sysctl
Alexander Popov [Sun, 23 Jul 2023 21:17:44 +0000 (00:17 +0300)]
Check the kernel.perf_event_paranoid sysctl

16 months agoCheck the kernel.dmesg_restrict sysctl
Alexander Popov [Sun, 23 Jul 2023 21:15:57 +0000 (00:15 +0300)]
Check the kernel.dmesg_restrict sysctl

16 months agoCheck the net.core.bpf_jit_harden sysctl
Alexander Popov [Sun, 23 Jul 2023 21:14:45 +0000 (00:14 +0300)]
Check the net.core.bpf_jit_harden sysctl

16 months agotest_engine: use SysctlCheck in test_value_overriding()
Alexander Popov [Sun, 23 Jul 2023 17:09:05 +0000 (20:09 +0300)]
test_engine: use SysctlCheck in test_value_overriding()

16 months agotest_engine: use SysctlCheck in test_stdout()
Alexander Popov [Sun, 23 Jul 2023 16:57:28 +0000 (19:57 +0300)]
test_engine: use SysctlCheck in test_stdout()

16 months agotest_engine: implement test_simple_sysctl()
Alexander Popov [Sun, 23 Jul 2023 16:48:15 +0000 (19:48 +0300)]
test_engine: implement test_simple_sysctl()

16 months agotest_engine: support SysctlCheck
Alexander Popov [Sun, 23 Jul 2023 16:02:27 +0000 (19:02 +0300)]
test_engine: support SysctlCheck

16 months agoRefactor populate_opt_with_data()
Alexander Popov [Sat, 22 Jul 2023 21:44:17 +0000 (00:44 +0300)]
Refactor populate_opt_with_data()

Much better code, no functional changes

16 months agoMute warnings in the JSON mode and improve wording
Alexander Popov [Sun, 16 Jul 2023 21:15:47 +0000 (00:15 +0300)]
Mute warnings in the JSON mode and improve wording

16 months agoImplement parse_sysctl_file()
Alexander Popov [Sun, 16 Jul 2023 21:06:11 +0000 (00:06 +0300)]
Implement parse_sysctl_file()

Refers to #65

16 months agoDrop an obsolete error handling test
Alexander Popov [Sat, 15 Jul 2023 23:08:58 +0000 (02:08 +0300)]
Drop an obsolete error handling test

16 months agoFix the bug in the functional tests
Alexander Popov [Sat, 15 Jul 2023 22:52:18 +0000 (01:52 +0300)]
Fix the bug in the functional tests

`man 1 sh` says about '-e':
```
The shell does not exit if the command that fails is part of the command list
immediately following a while or until keyword, part of the test following
the if or elif reserved words, part of any command executed in a && or || list
except the command following the final && or ||, any command in a pipeline
but the last, or if the command's return value is being inverted with !.

That's why testing error handling in the functional tests didn't check
the exit status at all :(

Let's fix that.
Example before the fix:
! coverage run -a --branch bin/kconfig-hardened-check -l /proc/cmdline
Example after the fix:
coverage run -a --branch bin/kconfig-hardened-check -l /proc/cmdline && exit 1

16 months agoEmit WARNING for the cmdline options that exist multiple times
Alexander Popov [Sat, 15 Jul 2023 22:45:44 +0000 (01:45 +0300)]
Emit WARNING for the cmdline options that exist multiple times

Don't emit ERROR here. Even GitHub Actions machines have repeated options
in /proc/cmdline.

Also see the comment in cmdline parsing for x86:
https://elixir.bootlin.com/linux/v5.16.7/source/arch/x86/boot/cmdline.c#L21
```
In accordance with standard Linux practice, if this option is repeated,
this returns the last instance on the command line.
```

16 months agoPrecise the Kconfig parsing
Alexander Popov [Sat, 15 Jul 2023 19:58:17 +0000 (22:58 +0300)]
Precise the Kconfig parsing

16 months agoGet rid of useless regular expressions in detect_compiler()
Alexander Popov [Wed, 12 Jul 2023 16:41:09 +0000 (19:41 +0300)]
Get rid of useless regular expressions in detect_compiler()

16 months agoPrecise the regular expressions in detect_arch() and detect_kernel_version()
Alexander Popov [Wed, 12 Jul 2023 16:29:19 +0000 (19:29 +0300)]
Precise the regular expressions in detect_arch() and detect_kernel_version()

And fix the wording in the error message by the way.

16 months agoShow error if some cmdline option exists multiple times
Alexander Popov [Wed, 12 Jul 2023 08:11:27 +0000 (11:11 +0300)]
Show error if some cmdline option exists multiple times

16 months agoAdd the basic infrastructure for checking sysctl
Alexander Popov [Sat, 8 Jul 2023 21:18:28 +0000 (00:18 +0300)]
Add the basic infrastructure for checking sysctl

Refers to #65

16 months agoIntroduce the SysctlCheck class
Alexander Popov [Sat, 8 Jul 2023 20:40:49 +0000 (23:40 +0300)]
Introduce the SysctlCheck class

Refers to #65

16 months agoCheck disabling XFS_SUPPORT_V4 for cutting attack surface
Alexander Popov [Tue, 4 Jul 2023 11:20:20 +0000 (14:20 +0300)]
Check disabling XFS_SUPPORT_V4 for cutting attack surface

The XFS V4 format is deprecated:
https://elixir.bootlin.com/linux/v6.3.11/source/fs/xfs/Kconfig#L25

Quote:
The V4 filesystem format lacks certain features that are supported
by the V5 format, such as metadata checksumming, strengthened
metadata verification, and the ability to store timestamps past the
year 2038. Because of this, the V4 format is deprecated. All users
should upgrade by backing up their files, reformatting, and restoring
from the backup... To close off an attack surface, say N.

16 months agoPrint the microarchitecture in --generate mode
Alexander Popov [Sun, 2 Jul 2023 19:55:36 +0000 (22:55 +0300)]
Print the microarchitecture in --generate mode

The Kconfig fragment should describe the microarchitecture to avoid mistakes.

17 months agoUpdate the README
Alexander Popov [Sun, 25 Jun 2023 08:51:26 +0000 (11:51 +0300)]
Update the README

17 months agoAdd the info about /proc/cmdline to the usage help
Alexander Popov [Sun, 25 Jun 2023 08:51:02 +0000 (11:51 +0300)]
Add the info about /proc/cmdline to the usage help

I tested CONFIG_CMDLINE and CONFIG_BOOT_CONFIG mechanisms.
They allow passing additional boot parameters for the Linux kernel.

I see that all boot parameters are collected in /proc/cmdline.

So /proc/cmdline is the only information source that we should check to
analyze the Linux kernel boot parameters.

17 months agosetup: fix "The license_file parameter is deprecated"
Alexander Popov [Sun, 18 Jun 2023 23:07:13 +0000 (02:07 +0300)]
setup: fix "The license_file parameter is deprecated"

Use 'license_files' instead.

17 months agosetup: Don't use the automatic "find_namespace:" discovery
Alexander Popov [Sun, 18 Jun 2023 22:11:20 +0000 (01:11 +0300)]
setup: Don't use the automatic "find_namespace:" discovery

This automatic discovery doesn't fit to the flat layout of my package
(without the "src" directory).

Instead, let's specify the "packages" explicitly in setup.cfg.

17 months agosetup: Fix the warning "Package would be ignored"
Alexander Popov [Sun, 18 Jun 2023 21:42:53 +0000 (00:42 +0300)]
setup: Fix the warning "Package would be ignored"

The warning:
  ############################
  # Package would be ignored #
  ############################
  Python recognizes 'kconfig_hardened_check.config_files.distros' as an importable package,
  but it is not listed in the `packages` configuration of setuptools.

  'kconfig_hardened_check.config_files.distros' has been automatically added to the distribution only
  because it may contain data files, but this behavior is likely to change
  in future versions of setuptools (and therefore is considered deprecated).

  Please make sure that 'kconfig_hardened_check.config_files.distros' is included as a package by using
  the `packages` configuration field or the proper discovery methods
  (for example by using `find_namespace_packages(...)`/`find_namespace:`
  instead of `find_packages(...)`/`find:`).

So let's use "find_namespace:" for package directory to include
the package data. More info in the documentation:
https://setuptools.pypa.io/en/latest/userguide/package_discovery.html#finding-namespace-packages

17 months agosetup: Drop obsolete zip_safe flag
Alexander Popov [Sun, 18 Jun 2023 21:35:10 +0000 (00:35 +0300)]
setup: Drop obsolete zip_safe flag

More info in the documentation:
https://setuptools.pypa.io/en/latest/deprecated/zip_safe.html

And fix style by the way.

17 months agoMove the draft of the security hardening sysctls to a proper place
Alexander Popov [Sat, 17 Jun 2023 17:15:06 +0000 (20:15 +0300)]
Move the draft of the security hardening sysctls to a proper place

Refers to #65

17 months agoImprove normalize_cmdline_options()
Alexander Popov [Sat, 17 Jun 2023 15:58:05 +0000 (18:58 +0300)]
Improve normalize_cmdline_options()

17 months agoGitHub Actions: decrease the max-parallel to 1 to avoid the codecov rate limit
Alexander Popov [Mon, 12 Jun 2023 15:28:42 +0000 (18:28 +0300)]
GitHub Actions: decrease the max-parallel to 1 to avoid the codecov rate limit

17 months agoAdd functional tests for --generate
Alexander Popov [Mon, 12 Jun 2023 14:59:50 +0000 (17:59 +0300)]
Add functional tests for --generate

Refers to #67.

17 months agoUpdate the README
Alexander Popov [Mon, 12 Jun 2023 14:46:25 +0000 (17:46 +0300)]
Update the README

Refers to #67.

17 months agoAdd a new feature --generate
Alexander Popov [Mon, 12 Jun 2023 14:40:50 +0000 (17:40 +0300)]
Add a new feature --generate

With this argument the tool generates a Kconfig fragment with the security
hardening options for the selected microarchitecture.

Refers to #67.

This Kconfig fragment can be merged with the existing Linux kernel config:

$ ./bin/kconfig-hardened-check -g X86_64 > /tmp/fragment
$ cd ~/linux-src/
$ ./scripts/kconfig/merge_config.sh .config /tmp/fragment
Using .config as base
Merging /tmp/fragment
Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment /tmp/fragment:
Previous value: # CONFIG_BUG_ON_DATA_CORRUPTION is not set
New value: CONFIG_BUG_ON_DATA_CORRUPTION=y
...

17 months agoRefactoring of the argument parsing
Alexander Popov [Mon, 12 Jun 2023 13:50:54 +0000 (16:50 +0300)]
Refactoring of the argument parsing

17 months agoImprove the comments and README (part II)
Alexander Popov [Mon, 12 Jun 2023 13:26:12 +0000 (16:26 +0300)]
Improve the comments and README (part II)

17 months agoSkip normalize_cmdline_options() for the vdso32 and vdso cmdline parameters
Alexander Popov [Mon, 12 Jun 2023 12:55:41 +0000 (15:55 +0300)]
Skip normalize_cmdline_options() for the vdso32 and vdso cmdline parameters

See vdso32_setup() in arch/x86/entry/vdso/vdso32-setup.c

17 months agoSkip normalize_cmdline_options() for the vsyscall cmdline parameter
Alexander Popov [Mon, 12 Jun 2023 12:45:56 +0000 (15:45 +0300)]
Skip normalize_cmdline_options() for the vsyscall cmdline parameter

See vsyscall_setup() in arch/x86/entry/vsyscall/vsyscall_64.c

17 months agoSkip normalize_cmdline_options() for the iommu cmdline parameter
Alexander Popov [Mon, 12 Jun 2023 12:43:05 +0000 (15:43 +0300)]
Skip normalize_cmdline_options() for the iommu cmdline parameter

See iommu_setup() in arch/x86/kernel/pci-dma.c

17 months agoSkip normalize_cmdline_options() for the slub_debug cmdline parameter
Alexander Popov [Mon, 12 Jun 2023 12:00:32 +0000 (15:00 +0300)]
Skip normalize_cmdline_options() for the slub_debug cmdline parameter

See setup_slub_debug() in mm/slub.c

17 months agoImprove the comments and README
Alexander Popov [Mon, 12 Jun 2023 11:37:42 +0000 (14:37 +0300)]
Improve the comments and README

17 months agoSkip normalize_cmdline_options() for the rodata cmdline parameter
Alexander Popov [Mon, 5 Jun 2023 20:48:34 +0000 (23:48 +0300)]
Skip normalize_cmdline_options() for the rodata cmdline parameter

Also fix the rodata check (change '1' to 'on').

See set_debug_rodata() in init/main.c.

17 months agoSkip normalize_cmdline_options() for the ssbd cmdline parameter
Alexander Popov [Mon, 5 Jun 2023 20:44:42 +0000 (23:44 +0300)]
Skip normalize_cmdline_options() for the ssbd cmdline parameter

See parse_spectre_v4_param() in arch/arm64/kernel/proton-pack.c