kconfig-hardened-check.git
3 years agoMention that nosmt is slow
Alexander Popov [Sat, 19 Jun 2021 11:46:54 +0000 (14:46 +0300)]
Mention that nosmt is slow

3 years agoMore info on init_on_free and init_on_alloc
Alexander Popov [Sat, 19 Jun 2021 11:46:07 +0000 (14:46 +0300)]
More info on init_on_free and init_on_alloc

3 years agoSLUB_DEBUG_ON is very slow, leave it for the kernel command line
Alexander Popov [Sat, 19 Jun 2021 11:45:02 +0000 (14:45 +0300)]
SLUB_DEBUG_ON is very slow, leave it for the kernel command line

3 years agoUpdate KSPP recommendations
Alexander Popov [Sat, 19 Jun 2021 11:27:21 +0000 (14:27 +0300)]
Update KSPP recommendations

3 years agoAdd defconfigs for v5.10
Alexander Popov [Sat, 19 Jun 2021 11:15:14 +0000 (14:15 +0300)]
Add defconfigs for v5.10

Made with updated https://github.com/a13xp0p0v/kernel-build-containers

Excellent!

3 years agoHARDEN_BRANCH_PREDICTOR for ARM64 is enabled by default since v5.10
Alexander Popov [Sat, 19 Jun 2021 10:04:30 +0000 (13:04 +0300)]
HARDEN_BRANCH_PREDICTOR for ARM64 is enabled by default since v5.10

3 years agoAdd ARM64_MTE for userspace
Alexander Popov [Fri, 18 Jun 2021 21:12:46 +0000 (00:12 +0300)]
Add ARM64_MTE for userspace

3 years agoMaybe SHADOW_CALL_STACK should be alternative to STACKPROTECTOR_STRONG
Alexander Popov [Fri, 18 Jun 2021 21:11:41 +0000 (00:11 +0300)]
Maybe SHADOW_CALL_STACK should be alternative to STACKPROTECTOR_STRONG

3 years agoSave 'debugfs=no-mount' for future
Alexander Popov [Fri, 18 Jun 2021 17:47:20 +0000 (20:47 +0300)]
Save 'debugfs=no-mount' for future

4 years agoUpdate the README. v0.5.9
Alexander Popov [Fri, 30 Oct 2020 17:56:45 +0000 (20:56 +0300)]
Update the README.

Ready for the release 0.5.9.

4 years agoFix indentation (thanks to pylint)
Alexander Popov [Fri, 30 Oct 2020 17:44:07 +0000 (20:44 +0300)]
Fix indentation (thanks to pylint)

4 years agoAdd a Q&A about spectre-meltdown-checker maintained by @speed47
Alexander Popov [Thu, 29 Oct 2020 08:03:24 +0000 (11:03 +0300)]
Add a Q&A about spectre-meltdown-checker maintained by @speed47

4 years agoINIT_STACK_ALL -> INIT_STACK_ALL_ZERO (was renamed)
Alexander Popov [Fri, 23 Oct 2020 18:03:01 +0000 (21:03 +0300)]
INIT_STACK_ALL -> INIT_STACK_ALL_ZERO (was renamed)

4 years agoAdd SHADOW_CALL_STACK for ARM64
Alexander Popov [Fri, 23 Oct 2020 17:53:33 +0000 (20:53 +0300)]
Add SHADOW_CALL_STACK for ARM64

4 years agoAdd the recommendation about TRIM_UNUSED_KSYMS
Alexander Popov [Thu, 22 Oct 2020 19:46:27 +0000 (22:46 +0300)]
Add the recommendation about TRIM_UNUSED_KSYMS

4 years agoAdd ARM64_BTI_KERNEL
Alexander Popov [Thu, 22 Oct 2020 19:38:35 +0000 (22:38 +0300)]
Add ARM64_BTI_KERNEL

4 years agoAdd the recommendation about UBSAN_BOUNDS
Alexander Popov [Thu, 22 Oct 2020 18:42:21 +0000 (21:42 +0300)]
Add the recommendation about UBSAN_BOUNDS

Enable UBSAN_BOUNDS and UBSAN_TRAP.
But keep UBSAN_MISC disabled to avoid useless reports.

4 years agoPAGE_POISONING -> PAGE_POISONING_ZERO
Alexander Popov [Thu, 22 Oct 2020 17:46:04 +0000 (20:46 +0300)]
PAGE_POISONING -> PAGE_POISONING_ZERO

In fact, KSPP recommends PAGE_POISONING_ZERO.

4 years agoImprove AND check reports
Alexander Popov [Thu, 22 Oct 2020 16:59:00 +0000 (19:59 +0300)]
Improve AND check reports

4 years agoImprove HARDEN_EL2_VECTORS check
Alexander Popov [Thu, 22 Oct 2020 16:09:35 +0000 (19:09 +0300)]
Improve HARDEN_EL2_VECTORS check

In fact HARDEN_EL2_VECTORS was included in RANDOMIZE_BASE in v5.9.
Use new nested ComplexOptChecks for this rule.

Refers to #48.

4 years agoMerge remote-tracking branch 'pgils/el2_vectors'
Alexander Popov [Thu, 22 Oct 2020 15:55:31 +0000 (18:55 +0300)]
Merge remote-tracking branch 'pgils/el2_vectors'

Thanks, @pgils.

Refers to #48.

4 years agoAdd nested ComplexOptChecks support
Alexander Popov [Wed, 21 Oct 2020 18:20:37 +0000 (21:20 +0300)]
Add nested ComplexOptChecks support

Now we can do things like OR(opt1, AND(opt2, opt3)).
Cool!

Refers to #48

4 years agoDo not check CONFIG_HARDEN_EL2_VECTORS for v5.9+ 48/head
Pelle van Gils [Mon, 19 Oct 2020 13:07:53 +0000 (15:07 +0200)]
Do not check CONFIG_HARDEN_EL2_VECTORS for v5.9+

4 years agoAdd TODO about SLUB_DEBUG_ON
Alexander Popov [Fri, 16 Oct 2020 15:51:01 +0000 (18:51 +0300)]
Add TODO about SLUB_DEBUG_ON

4 years agoAdd CLIP OS recommendation about EFI_CUSTOM_SSDT_OVERLAYS
Alexander Popov [Fri, 16 Oct 2020 15:39:41 +0000 (18:39 +0300)]
Add CLIP OS recommendation about EFI_CUSTOM_SSDT_OVERLAYS

4 years agoDisabling ACPI_TABLE_UPGRADE is now recommended by CLIP OS
Alexander Popov [Fri, 16 Oct 2020 15:37:35 +0000 (18:37 +0300)]
Disabling ACPI_TABLE_UPGRADE is now recommended by CLIP OS

4 years agoWithdraw my recommendation about BPF_JIT
Alexander Popov [Fri, 16 Oct 2020 15:05:37 +0000 (18:05 +0300)]
Withdraw my recommendation about BPF_JIT

CLIP OS wiki and Kees say that BPF interpreter is worse for the kernel
security than BPF_JIT.

So for now I withdraw my recommendation about BPF_JIT.

N.B. LOCKDOWN disables BPF_SYSCALL, but not BPF_JIT.

4 years agoUse cross compiler to build defconfigs
Alexander Popov [Wed, 14 Oct 2020 11:32:20 +0000 (14:32 +0300)]
Use cross compiler to build defconfigs

4 years agoAdd defconfigs for Linux kernel v5.9
Alexander Popov [Wed, 14 Oct 2020 11:11:35 +0000 (14:11 +0300)]
Add defconfigs for Linux kernel v5.9

4 years agoUpdate the README v0.5.7
Alexander Popov [Wed, 15 Jul 2020 21:12:52 +0000 (00:12 +0300)]
Update the README

Ready for release 0.5.7

4 years agoFix relevant pylint warnings
Alexander Popov [Wed, 15 Jul 2020 21:05:49 +0000 (00:05 +0300)]
Fix relevant pylint warnings

4 years agoFix 'decision' priority order ('lockdown' vs 'clipos' vs 'grapheneos')
Alexander Popov [Wed, 15 Jul 2020 16:17:49 +0000 (19:17 +0300)]
Fix 'decision' priority order ('lockdown' vs 'clipos' vs 'grapheneos')

4 years agoAdd CLIP OS recommendations about CONFIG_IO_URING and CONFIG_X86_IOPL_IOPERM
Alexander Popov [Wed, 15 Jul 2020 16:16:27 +0000 (19:16 +0300)]
Add CLIP OS recommendations about CONFIG_IO_URING and CONFIG_X86_IOPL_IOPERM

CONFIG_X86_IOPL_IOPERM is also disabled by kernel lockdown

4 years agoAdd CONFIG_EFI_DISABLE_PCI_DMA recommended by CLIP OS
Alexander Popov [Wed, 15 Jul 2020 16:14:10 +0000 (19:14 +0300)]
Add CONFIG_EFI_DISABLE_PCI_DMA recommended by CLIP OS

4 years agoFix 'decision' -- CONFIG_INTEGRITY is not enabled by default on ARM
Alexander Popov [Wed, 15 Jul 2020 15:26:22 +0000 (18:26 +0300)]
Fix 'decision' -- CONFIG_INTEGRITY is not enabled by default on ARM

4 years agoAdd defconfigs for Linux kernel v5.7
Alexander Popov [Wed, 15 Jul 2020 15:10:16 +0000 (18:10 +0300)]
Add defconfigs for Linux kernel v5.7

4 years agoTake new AND use case for X86_PTDUMP / PTDUMP_DEBUGFS
Alexander Popov [Wed, 15 Jul 2020 13:15:24 +0000 (16:15 +0300)]
Take new AND use case for X86_PTDUMP / PTDUMP_DEBUGFS

4 years agoImprove ComplexOptCheck use cases
Alexander Popov [Wed, 15 Jul 2020 13:12:54 +0000 (16:12 +0300)]
Improve ComplexOptCheck use cases

4 years agoAdd 'show_ok' and 'show_fail' print modes
Alexander Popov [Wed, 15 Jul 2020 11:44:39 +0000 (14:44 +0300)]
Add 'show_ok' and 'show_fail' print modes

Refers the issue #45

4 years agoDeclare variables closer to their usage
Alexander Popov [Mon, 13 Jul 2020 19:10:18 +0000 (22:10 +0300)]
Declare variables closer to their usage

4 years agoGet rid of 'kernel_version' global variable
Alexander Popov [Mon, 13 Jul 2020 18:48:05 +0000 (21:48 +0300)]
Get rid of 'kernel_version' global variable

(done while solving the issue #45)

4 years agoBig rework of the report modes
Alexander Popov [Mon, 13 Jul 2020 18:13:43 +0000 (21:13 +0300)]
Big rework of the report modes

Let's fold the alternative options --debug and --json into --mode parameter:
  -m {verbose,json}, --mode {verbose,json}
   choose the report mode

That also allows to get rid of 'debug_mode' and 'json_mode' globals.

This work is a prerequisite of solving the issue #45.

4 years agoAdd another link about user namespaces to Q&A
Alexander Popov [Mon, 13 Jul 2020 15:27:35 +0000 (18:27 +0300)]
Add another link about user namespaces to Q&A

4 years agoAdd ARM64_PAN
Alexander Popov [Fri, 10 Jul 2020 20:35:35 +0000 (23:35 +0300)]
Add ARM64_PAN

4 years agoUse += instead of append() for checklist
Alexander Popov [Thu, 9 Jul 2020 12:24:11 +0000 (15:24 +0300)]
Use += instead of append() for checklist

4 years agoReorder some checking rules for better looking code
Alexander Popov [Thu, 9 Jul 2020 11:52:56 +0000 (14:52 +0300)]
Reorder some checking rules for better looking code

4 years agoChange the order of arguments in OptCheck constructor
Alexander Popov [Thu, 9 Jul 2020 11:16:40 +0000 (14:16 +0300)]
Change the order of arguments in OptCheck constructor

That makes the code style much better.

Side note: I was thinking a lot about storing the checking rules
separately in some file format. Finally I decided not to do that because:
 - I want avoid additional parsing (these rules are static anyway);
 - the rules include a lot of special cases and exceptions, which
don't look pretty in any format.

4 years agoDrop unused 'state' property from ComplexOptCheck
Alexander Popov [Thu, 9 Jul 2020 06:30:18 +0000 (09:30 +0300)]
Drop unused 'state' property from ComplexOptCheck

4 years agoDon't return self.result in check() method -- it's not used
Alexander Popov [Thu, 9 Jul 2020 05:59:24 +0000 (08:59 +0300)]
Don't return self.result in check() method -- it's not used

4 years agoARM64_PTR_AUTH is now supported for the kernel (from v5.7)
Alexander Popov [Mon, 6 Jul 2020 22:55:21 +0000 (01:55 +0300)]
ARM64_PTR_AUTH is now supported for the kernel (from v5.7)

4 years agoAdd the link to huldufolk project by @tych0
Alexander Popov [Fri, 3 Jul 2020 18:10:56 +0000 (21:10 +0300)]
Add the link to huldufolk project by @tych0

4 years agoAdd the link to @BlackIkeEagle article
Alexander Popov [Sat, 30 May 2020 20:17:46 +0000 (23:17 +0300)]
Add the link to @BlackIkeEagle article

4 years agoMerge branch 'ubuntu20'
Alexander Popov [Wed, 6 May 2020 21:36:58 +0000 (00:36 +0300)]
Merge branch 'ubuntu20'

Thanks @HacKurx.

4 years agoUpgrading to Ubuntu 20.04 kernel config 43/head
HacKurx [Tue, 5 May 2020 08:51:33 +0000 (10:51 +0200)]
Upgrading to Ubuntu 20.04 kernel config

CONFIG_RANDOM_TRUST_BOOTLOADER = FAIL: "y"
CONFIG_SECURITY_LOCKDOWN_LSM = OK
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY = OK
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY = FAIL: "is not set"

4 years agoMerge branch 'evbug'
Alexander Popov [Thu, 9 Apr 2020 15:54:38 +0000 (18:54 +0300)]
Merge branch 'evbug'

Thanks @HacKurx

4 years agoMerge branch 'pylint'
Alexander Popov [Thu, 9 Apr 2020 15:28:30 +0000 (18:28 +0300)]
Merge branch 'pylint'

Thanks @shamilbi

4 years agoUpdating the number of failures in the README 41/head
HacKurx [Thu, 9 Apr 2020 11:48:56 +0000 (13:48 +0200)]
Updating the number of failures in the README

4 years agoAdd CONFIG_INPUT_EVBUG
HacKurx [Thu, 9 Apr 2020 11:25:37 +0000 (13:25 +0200)]
Add CONFIG_INPUT_EVBUG

The "evbug" module records key events and mouse movements in the system log.
Useful for debugging, this is a security threat, its use can be hijacked as a keylogger.

An attacker will be able to retrieve your passwords using this module.

4 years agopylint some code 40/head
shamilbi [Wed, 8 Apr 2020 06:57:04 +0000 (13:57 +0700)]
pylint some code

4 years agoImprove versioning
Alexander Popov [Mon, 6 Apr 2020 14:36:19 +0000 (17:36 +0300)]
Improve versioning

4 years agoAdd DRM_LEGACY, FB, and VT checks
Alexander Popov [Fri, 3 Apr 2020 17:00:06 +0000 (20:00 +0300)]
Add DRM_LEGACY, FB, and VT checks

Thanks to:
 - Dmitry Vyukov @dvyukov for the idea
 - Daniel Vetter @danvet for the knowledge

4 years agoImplement PresenceCheck and use it for LDISC_AUTOLOAD
Alexander Popov [Tue, 31 Mar 2020 13:57:03 +0000 (16:57 +0300)]
Implement PresenceCheck and use it for LDISC_AUTOLOAD

Refers to #32

4 years agoFix ComplexOptCheck result printing
Alexander Popov [Tue, 31 Mar 2020 13:42:05 +0000 (16:42 +0300)]
Fix ComplexOptCheck result printing

4 years agoNewline should be printed by print_checklist() that prints the table
Alexander Popov [Tue, 31 Mar 2020 13:41:40 +0000 (16:41 +0300)]
Newline should be printed by print_checklist() that prints the table

4 years agoAdd more tests to increase coverage - IV
Alexander Popov [Tue, 31 Mar 2020 13:18:44 +0000 (16:18 +0300)]
Add more tests to increase coverage - IV

4 years agoCreate polymorphism for printing, add table_print() method for each class
Alexander Popov [Tue, 31 Mar 2020 13:18:05 +0000 (16:18 +0300)]
Create polymorphism for printing, add table_print() method for each class

That makes print_checklist() much better.

4 years agoRevisit special behavior in checking and printing that depends on the class
Alexander Popov [Tue, 31 Mar 2020 12:24:13 +0000 (15:24 +0300)]
Revisit special behavior in checking and printing that depends on the class

4 years agoRename some workflow steps
Alexander Popov [Tue, 31 Mar 2020 11:34:38 +0000 (14:34 +0300)]
Rename some workflow steps

4 years agoAdd more tests to increase coverage - III
Alexander Popov [Mon, 30 Mar 2020 20:29:42 +0000 (23:29 +0300)]
Add more tests to increase coverage - III

4 years agoAdd more tests to increase coverage - II
Alexander Popov [Mon, 30 Mar 2020 17:11:00 +0000 (20:11 +0300)]
Add more tests to increase coverage - II

4 years agoAdd more tests to increase coverage - I
Alexander Popov [Mon, 30 Mar 2020 17:06:09 +0000 (20:06 +0300)]
Add more tests to increase coverage - I

4 years agoCollect coverage
Alexander Popov [Mon, 30 Mar 2020 16:08:29 +0000 (19:08 +0300)]
Collect coverage

4 years agoCount checked configs
Alexander Popov [Mon, 30 Mar 2020 13:36:14 +0000 (16:36 +0300)]
Count checked configs

4 years agoCheck all configs automatically
Alexander Popov [Mon, 30 Mar 2020 12:04:26 +0000 (15:04 +0300)]
Check all configs automatically

4 years agoRevisit return values
Alexander Popov [Mon, 30 Mar 2020 11:53:55 +0000 (14:53 +0300)]
Revisit return values

4 years agoCreate the github workflow for functional tests
Alexander Popov [Mon, 30 Mar 2020 09:51:26 +0000 (12:51 +0300)]
Create the github workflow for functional tests

4 years agoFix the shebang to allow `./get-nix-kconfig.py`
Alexander Popov [Sat, 28 Mar 2020 20:58:29 +0000 (23:58 +0300)]
Fix the shebang to allow `./get-nix-kconfig.py`

Thanks to @Mic92

Refers to #27

4 years agoAdd NixOS hardened kernel config
Alexander Popov [Fri, 27 Mar 2020 20:25:02 +0000 (23:25 +0300)]
Add NixOS hardened kernel config

4 years agoFix typo in README
Alexander Popov [Thu, 26 Mar 2020 14:55:56 +0000 (17:55 +0300)]
Fix typo in README

4 years agoAdd vim swp files to gitignore
Alexander Popov [Thu, 26 Mar 2020 13:57:54 +0000 (16:57 +0300)]
Add vim swp files to gitignore

4 years agoMerge branch 'nix'
Alexander Popov [Thu, 26 Mar 2020 13:55:00 +0000 (16:55 +0300)]
Merge branch 'nix'

Refers to #27

4 years agoadd script to download linux kernel configs from nix
Jörg Thalheim [Thu, 2 Jan 2020 10:38:24 +0000 (10:38 +0000)]
add script to download linux kernel configs from nix

4 years agoadd gitignore
Jörg Thalheim [Thu, 2 Jan 2020 08:59:33 +0000 (08:59 +0000)]
add gitignore

4 years agoadd default.nix for installation via nix
Jörg Thalheim [Thu, 2 Jan 2020 08:53:41 +0000 (08:53 +0000)]
add default.nix for installation via nix

Allows installation via nix from the repository itself
on NixOS and other Linux distribution that have Nix (i.e. Archlinux/Debian).

```
$ nix-build
$ ./result/bin/kconfig-hardened-check
$ nix-env -f . -i
```

It also provides an development environment for `nix-shell` with setuptools and
python in path

```
$ nix-shell
```

4 years agoUpdate the README (describing installation)
Alexander Popov [Thu, 26 Mar 2020 12:58:17 +0000 (15:58 +0300)]
Update the README (describing installation)

4 years agoAdd a wrapper for using the tool without installation via setuptools
Alexander Popov [Thu, 26 Mar 2020 12:45:24 +0000 (15:45 +0300)]
Add a wrapper for using the tool without installation via setuptools

4 years agoEnable distribution via pip/setuptools
Alexander Popov [Thu, 26 Mar 2020 12:15:24 +0000 (15:15 +0300)]
Enable distribution via pip/setuptools

Thanks to @Mic92 for the proof-of-concept

Refers to #26

4 years agoCall it a tool
Alexander Popov [Thu, 26 Mar 2020 12:10:50 +0000 (15:10 +0300)]
Call it a tool

4 years agoUh, setuptools doesn't like package names that contain dash
Alexander Popov [Thu, 26 Mar 2020 10:59:26 +0000 (13:59 +0300)]
Uh, setuptools doesn't like package names that contain dash

4 years agoAdd main() and clean up working with globals
Alexander Popov [Wed, 25 Mar 2020 23:13:36 +0000 (02:13 +0300)]
Add main() and clean up working with globals

4 years agoRename to kconfig-hardened-check/__init__.py
Alexander Popov [Wed, 25 Mar 2020 23:10:05 +0000 (02:10 +0300)]
Rename to kconfig-hardened-check/__init__.py

4 years agoMove files to kconfig-hardened-check folder
Alexander Popov [Wed, 25 Mar 2020 22:00:27 +0000 (01:00 +0300)]
Move files to kconfig-hardened-check folder

4 years agoRename LICENSE file
Alexander Popov [Wed, 25 Mar 2020 21:56:54 +0000 (00:56 +0300)]
Rename LICENSE file

4 years agoVersion 0.5.5 (supports Linux kernel v5.5) v0.5.5
Alexander Popov [Tue, 24 Mar 2020 12:54:18 +0000 (15:54 +0300)]
Version 0.5.5 (supports Linux kernel v5.5)

4 years agoUpdate the README
Alexander Popov [Tue, 24 Mar 2020 12:44:49 +0000 (15:44 +0300)]
Update the README

4 years agoCLIP OS recommends disabling Intel TSX
Alexander Popov [Tue, 24 Mar 2020 12:10:37 +0000 (15:10 +0300)]
CLIP OS recommends disabling Intel TSX

4 years agoSmall syctl cleanup
Alexander Popov [Tue, 24 Mar 2020 11:14:20 +0000 (14:14 +0300)]
Small syctl cleanup

4 years agoMerge pull request #34 from madaidan/grapheneos
Alexander Popov [Mon, 23 Mar 2020 15:25:28 +0000 (18:25 +0300)]
Merge pull request #34 from madaidan/grapheneos

GrapheneOS is the continuation of CopperheadOS

4 years agoGrapheneOS is the continuation of CopperheadOS 34/head
madaidan [Sun, 22 Mar 2020 19:34:23 +0000 (19:34 +0000)]
GrapheneOS is the continuation of CopperheadOS

4 years agoCopperheadOS disables the kernel's CONFIG_AIO feature
Alexander Popov [Fri, 20 Mar 2020 20:24:03 +0000 (23:24 +0300)]
CopperheadOS disables the kernel's CONFIG_AIO feature

It isn't used or exposed by the base system and is a dubious feature.
It performs no better than thread pools and it can still block, along
with having coverage of only a tiny portion of blocking system calls
even when considering only commonly used system calls for IO.
There are no known compatibility issues caused by having this disabled.
Since this is such a dubious niche feature, it's also very poorly tested
and it doesn't get much attention. Proposed improvements have been blocked
based on the concern that POSIX AIO is such a bad interface that trying
to improve/extend it would be harmful. Following the lead of CopperheadOS
on this front has been proposed and accepted upstream for the recommended
Android kernel configuration used to derive device specific configurations.

https://github.com/AndroidHardeningArchive/documentation/blob/master/technical_overview.md#attack-surface-reduction