Alexander Popov [Sat, 19 Jun 2021 11:46:54 +0000 (14:46 +0300)]
Mention that nosmt is slow
Alexander Popov [Sat, 19 Jun 2021 11:46:07 +0000 (14:46 +0300)]
More info on init_on_free and init_on_alloc
Alexander Popov [Sat, 19 Jun 2021 11:45:02 +0000 (14:45 +0300)]
SLUB_DEBUG_ON is very slow, leave it for the kernel command line
Alexander Popov [Sat, 19 Jun 2021 11:27:21 +0000 (14:27 +0300)]
Update KSPP recommendations
Alexander Popov [Sat, 19 Jun 2021 11:15:14 +0000 (14:15 +0300)]
Add defconfigs for v5.10
Made with updated https://github.com/a13xp0p0v/kernel-build-containers
Excellent!
Alexander Popov [Sat, 19 Jun 2021 10:04:30 +0000 (13:04 +0300)]
HARDEN_BRANCH_PREDICTOR for ARM64 is enabled by default since v5.10
Alexander Popov [Fri, 18 Jun 2021 21:12:46 +0000 (00:12 +0300)]
Add ARM64_MTE for userspace
Alexander Popov [Fri, 18 Jun 2021 21:11:41 +0000 (00:11 +0300)]
Maybe SHADOW_CALL_STACK should be alternative to STACKPROTECTOR_STRONG
Alexander Popov [Fri, 18 Jun 2021 17:47:20 +0000 (20:47 +0300)]
Save 'debugfs=no-mount' for future
Alexander Popov [Fri, 30 Oct 2020 17:56:45 +0000 (20:56 +0300)]
Update the README.
Ready for the release 0.5.9.
Alexander Popov [Fri, 30 Oct 2020 17:44:07 +0000 (20:44 +0300)]
Fix indentation (thanks to pylint)
Alexander Popov [Thu, 29 Oct 2020 08:03:24 +0000 (11:03 +0300)]
Add a Q&A about spectre-meltdown-checker maintained by @speed47
Alexander Popov [Fri, 23 Oct 2020 18:03:01 +0000 (21:03 +0300)]
INIT_STACK_ALL -> INIT_STACK_ALL_ZERO (was renamed)
Alexander Popov [Fri, 23 Oct 2020 17:53:33 +0000 (20:53 +0300)]
Add SHADOW_CALL_STACK for ARM64
Alexander Popov [Thu, 22 Oct 2020 19:46:27 +0000 (22:46 +0300)]
Add the recommendation about TRIM_UNUSED_KSYMS
Alexander Popov [Thu, 22 Oct 2020 19:38:35 +0000 (22:38 +0300)]
Add ARM64_BTI_KERNEL
Alexander Popov [Thu, 22 Oct 2020 18:42:21 +0000 (21:42 +0300)]
Add the recommendation about UBSAN_BOUNDS
Enable UBSAN_BOUNDS and UBSAN_TRAP.
But keep UBSAN_MISC disabled to avoid useless reports.
Alexander Popov [Thu, 22 Oct 2020 17:46:04 +0000 (20:46 +0300)]
PAGE_POISONING -> PAGE_POISONING_ZERO
In fact, KSPP recommends PAGE_POISONING_ZERO.
Alexander Popov [Thu, 22 Oct 2020 16:59:00 +0000 (19:59 +0300)]
Improve AND check reports
Alexander Popov [Thu, 22 Oct 2020 16:09:35 +0000 (19:09 +0300)]
Improve HARDEN_EL2_VECTORS check
In fact HARDEN_EL2_VECTORS was included in RANDOMIZE_BASE in v5.9.
Use new nested ComplexOptChecks for this rule.
Refers to #48.
Alexander Popov [Thu, 22 Oct 2020 15:55:31 +0000 (18:55 +0300)]
Merge remote-tracking branch 'pgils/el2_vectors'
Thanks, @pgils.
Refers to #48.
Alexander Popov [Wed, 21 Oct 2020 18:20:37 +0000 (21:20 +0300)]
Add nested ComplexOptChecks support
Now we can do things like OR(opt1, AND(opt2, opt3)).
Cool!
Refers to #48
Pelle van Gils [Mon, 19 Oct 2020 13:07:53 +0000 (15:07 +0200)]
Do not check CONFIG_HARDEN_EL2_VECTORS for v5.9+
Alexander Popov [Fri, 16 Oct 2020 15:51:01 +0000 (18:51 +0300)]
Add TODO about SLUB_DEBUG_ON
Alexander Popov [Fri, 16 Oct 2020 15:39:41 +0000 (18:39 +0300)]
Add CLIP OS recommendation about EFI_CUSTOM_SSDT_OVERLAYS
Alexander Popov [Fri, 16 Oct 2020 15:37:35 +0000 (18:37 +0300)]
Disabling ACPI_TABLE_UPGRADE is now recommended by CLIP OS
Alexander Popov [Fri, 16 Oct 2020 15:05:37 +0000 (18:05 +0300)]
Withdraw my recommendation about BPF_JIT
CLIP OS wiki and Kees say that BPF interpreter is worse for the kernel
security than BPF_JIT.
So for now I withdraw my recommendation about BPF_JIT.
N.B. LOCKDOWN disables BPF_SYSCALL, but not BPF_JIT.
Alexander Popov [Wed, 14 Oct 2020 11:32:20 +0000 (14:32 +0300)]
Use cross compiler to build defconfigs
Alexander Popov [Wed, 14 Oct 2020 11:11:35 +0000 (14:11 +0300)]
Add defconfigs for Linux kernel v5.9
Alexander Popov [Wed, 15 Jul 2020 21:12:52 +0000 (00:12 +0300)]
Update the README
Ready for release 0.5.7
Alexander Popov [Wed, 15 Jul 2020 21:05:49 +0000 (00:05 +0300)]
Fix relevant pylint warnings
Alexander Popov [Wed, 15 Jul 2020 16:17:49 +0000 (19:17 +0300)]
Fix 'decision' priority order ('lockdown' vs 'clipos' vs 'grapheneos')
Alexander Popov [Wed, 15 Jul 2020 16:16:27 +0000 (19:16 +0300)]
Add CLIP OS recommendations about CONFIG_IO_URING and CONFIG_X86_IOPL_IOPERM
CONFIG_X86_IOPL_IOPERM is also disabled by kernel lockdown
Alexander Popov [Wed, 15 Jul 2020 16:14:10 +0000 (19:14 +0300)]
Add CONFIG_EFI_DISABLE_PCI_DMA recommended by CLIP OS
Alexander Popov [Wed, 15 Jul 2020 15:26:22 +0000 (18:26 +0300)]
Fix 'decision' -- CONFIG_INTEGRITY is not enabled by default on ARM
Alexander Popov [Wed, 15 Jul 2020 15:10:16 +0000 (18:10 +0300)]
Add defconfigs for Linux kernel v5.7
Alexander Popov [Wed, 15 Jul 2020 13:15:24 +0000 (16:15 +0300)]
Take new AND use case for X86_PTDUMP / PTDUMP_DEBUGFS
Alexander Popov [Wed, 15 Jul 2020 13:12:54 +0000 (16:12 +0300)]
Improve ComplexOptCheck use cases
Alexander Popov [Wed, 15 Jul 2020 11:44:39 +0000 (14:44 +0300)]
Add 'show_ok' and 'show_fail' print modes
Refers the issue #45
Alexander Popov [Mon, 13 Jul 2020 19:10:18 +0000 (22:10 +0300)]
Declare variables closer to their usage
Alexander Popov [Mon, 13 Jul 2020 18:48:05 +0000 (21:48 +0300)]
Get rid of 'kernel_version' global variable
(done while solving the issue #45)
Alexander Popov [Mon, 13 Jul 2020 18:13:43 +0000 (21:13 +0300)]
Big rework of the report modes
Let's fold the alternative options --debug and --json into --mode parameter:
-m {verbose,json}, --mode {verbose,json}
choose the report mode
That also allows to get rid of 'debug_mode' and 'json_mode' globals.
This work is a prerequisite of solving the issue #45.
Alexander Popov [Mon, 13 Jul 2020 15:27:35 +0000 (18:27 +0300)]
Add another link about user namespaces to Q&A
Alexander Popov [Fri, 10 Jul 2020 20:35:35 +0000 (23:35 +0300)]
Add ARM64_PAN
Alexander Popov [Thu, 9 Jul 2020 12:24:11 +0000 (15:24 +0300)]
Use += instead of append() for checklist
Alexander Popov [Thu, 9 Jul 2020 11:52:56 +0000 (14:52 +0300)]
Reorder some checking rules for better looking code
Alexander Popov [Thu, 9 Jul 2020 11:16:40 +0000 (14:16 +0300)]
Change the order of arguments in OptCheck constructor
That makes the code style much better.
Side note: I was thinking a lot about storing the checking rules
separately in some file format. Finally I decided not to do that because:
- I want avoid additional parsing (these rules are static anyway);
- the rules include a lot of special cases and exceptions, which
don't look pretty in any format.
Alexander Popov [Thu, 9 Jul 2020 06:30:18 +0000 (09:30 +0300)]
Drop unused 'state' property from ComplexOptCheck
Alexander Popov [Thu, 9 Jul 2020 05:59:24 +0000 (08:59 +0300)]
Don't return self.result in check() method -- it's not used
Alexander Popov [Mon, 6 Jul 2020 22:55:21 +0000 (01:55 +0300)]
ARM64_PTR_AUTH is now supported for the kernel (from v5.7)
Alexander Popov [Fri, 3 Jul 2020 18:10:56 +0000 (21:10 +0300)]
Add the link to huldufolk project by @tych0
Alexander Popov [Sat, 30 May 2020 20:17:46 +0000 (23:17 +0300)]
Add the link to @BlackIkeEagle article
Alexander Popov [Wed, 6 May 2020 21:36:58 +0000 (00:36 +0300)]
Merge branch 'ubuntu20'
Thanks @HacKurx.
HacKurx [Tue, 5 May 2020 08:51:33 +0000 (10:51 +0200)]
Upgrading to Ubuntu 20.04 kernel config
CONFIG_RANDOM_TRUST_BOOTLOADER = FAIL: "y"
CONFIG_SECURITY_LOCKDOWN_LSM = OK
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY = OK
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY = FAIL: "is not set"
Alexander Popov [Thu, 9 Apr 2020 15:54:38 +0000 (18:54 +0300)]
Merge branch 'evbug'
Thanks @HacKurx
Alexander Popov [Thu, 9 Apr 2020 15:28:30 +0000 (18:28 +0300)]
Merge branch 'pylint'
Thanks @shamilbi
HacKurx [Thu, 9 Apr 2020 11:48:56 +0000 (13:48 +0200)]
Updating the number of failures in the README
HacKurx [Thu, 9 Apr 2020 11:25:37 +0000 (13:25 +0200)]
Add CONFIG_INPUT_EVBUG
The "evbug" module records key events and mouse movements in the system log.
Useful for debugging, this is a security threat, its use can be hijacked as a keylogger.
An attacker will be able to retrieve your passwords using this module.
shamilbi [Wed, 8 Apr 2020 06:57:04 +0000 (13:57 +0700)]
pylint some code
Alexander Popov [Mon, 6 Apr 2020 14:36:19 +0000 (17:36 +0300)]
Improve versioning
Alexander Popov [Fri, 3 Apr 2020 17:00:06 +0000 (20:00 +0300)]
Add DRM_LEGACY, FB, and VT checks
Thanks to:
- Dmitry Vyukov @dvyukov for the idea
- Daniel Vetter @danvet for the knowledge
Alexander Popov [Tue, 31 Mar 2020 13:57:03 +0000 (16:57 +0300)]
Implement PresenceCheck and use it for LDISC_AUTOLOAD
Refers to #32
Alexander Popov [Tue, 31 Mar 2020 13:42:05 +0000 (16:42 +0300)]
Fix ComplexOptCheck result printing
Alexander Popov [Tue, 31 Mar 2020 13:41:40 +0000 (16:41 +0300)]
Newline should be printed by print_checklist() that prints the table
Alexander Popov [Tue, 31 Mar 2020 13:18:44 +0000 (16:18 +0300)]
Add more tests to increase coverage - IV
Alexander Popov [Tue, 31 Mar 2020 13:18:05 +0000 (16:18 +0300)]
Create polymorphism for printing, add table_print() method for each class
That makes print_checklist() much better.
Alexander Popov [Tue, 31 Mar 2020 12:24:13 +0000 (15:24 +0300)]
Revisit special behavior in checking and printing that depends on the class
Alexander Popov [Tue, 31 Mar 2020 11:34:38 +0000 (14:34 +0300)]
Rename some workflow steps
Alexander Popov [Mon, 30 Mar 2020 20:29:42 +0000 (23:29 +0300)]
Add more tests to increase coverage - III
Alexander Popov [Mon, 30 Mar 2020 17:11:00 +0000 (20:11 +0300)]
Add more tests to increase coverage - II
Alexander Popov [Mon, 30 Mar 2020 17:06:09 +0000 (20:06 +0300)]
Add more tests to increase coverage - I
Alexander Popov [Mon, 30 Mar 2020 16:08:29 +0000 (19:08 +0300)]
Collect coverage
Alexander Popov [Mon, 30 Mar 2020 13:36:14 +0000 (16:36 +0300)]
Count checked configs
Alexander Popov [Mon, 30 Mar 2020 12:04:26 +0000 (15:04 +0300)]
Check all configs automatically
Alexander Popov [Mon, 30 Mar 2020 11:53:55 +0000 (14:53 +0300)]
Revisit return values
Alexander Popov [Mon, 30 Mar 2020 09:51:26 +0000 (12:51 +0300)]
Create the github workflow for functional tests
Alexander Popov [Sat, 28 Mar 2020 20:58:29 +0000 (23:58 +0300)]
Fix the shebang to allow `./get-nix-kconfig.py`
Thanks to @Mic92
Refers to #27
Alexander Popov [Fri, 27 Mar 2020 20:25:02 +0000 (23:25 +0300)]
Add NixOS hardened kernel config
Alexander Popov [Thu, 26 Mar 2020 14:55:56 +0000 (17:55 +0300)]
Fix typo in README
Alexander Popov [Thu, 26 Mar 2020 13:57:54 +0000 (16:57 +0300)]
Add vim swp files to gitignore
Alexander Popov [Thu, 26 Mar 2020 13:55:00 +0000 (16:55 +0300)]
Merge branch 'nix'
Refers to #27
Jörg Thalheim [Thu, 2 Jan 2020 10:38:24 +0000 (10:38 +0000)]
add script to download linux kernel configs from nix
Jörg Thalheim [Thu, 2 Jan 2020 08:59:33 +0000 (08:59 +0000)]
add gitignore
Jörg Thalheim [Thu, 2 Jan 2020 08:53:41 +0000 (08:53 +0000)]
add default.nix for installation via nix
Allows installation via nix from the repository itself
on NixOS and other Linux distribution that have Nix (i.e. Archlinux/Debian).
```
$ nix-build
$ ./result/bin/kconfig-hardened-check
$ nix-env -f . -i
```
It also provides an development environment for `nix-shell` with setuptools and
python in path
```
$ nix-shell
```
Alexander Popov [Thu, 26 Mar 2020 12:58:17 +0000 (15:58 +0300)]
Update the README (describing installation)
Alexander Popov [Thu, 26 Mar 2020 12:45:24 +0000 (15:45 +0300)]
Add a wrapper for using the tool without installation via setuptools
Alexander Popov [Thu, 26 Mar 2020 12:15:24 +0000 (15:15 +0300)]
Enable distribution via pip/setuptools
Thanks to @Mic92 for the proof-of-concept
Refers to #26
Alexander Popov [Thu, 26 Mar 2020 12:10:50 +0000 (15:10 +0300)]
Call it a tool
Alexander Popov [Thu, 26 Mar 2020 10:59:26 +0000 (13:59 +0300)]
Uh, setuptools doesn't like package names that contain dash
Alexander Popov [Wed, 25 Mar 2020 23:13:36 +0000 (02:13 +0300)]
Add main() and clean up working with globals
Alexander Popov [Wed, 25 Mar 2020 23:10:05 +0000 (02:10 +0300)]
Rename to kconfig-hardened-check/__init__.py
Alexander Popov [Wed, 25 Mar 2020 22:00:27 +0000 (01:00 +0300)]
Move files to kconfig-hardened-check folder
Alexander Popov [Wed, 25 Mar 2020 21:56:54 +0000 (00:56 +0300)]
Rename LICENSE file
Alexander Popov [Tue, 24 Mar 2020 12:54:18 +0000 (15:54 +0300)]
Version 0.5.5 (supports Linux kernel v5.5)
Alexander Popov [Tue, 24 Mar 2020 12:44:49 +0000 (15:44 +0300)]
Update the README
Alexander Popov [Tue, 24 Mar 2020 12:10:37 +0000 (15:10 +0300)]
CLIP OS recommends disabling Intel TSX
Alexander Popov [Tue, 24 Mar 2020 11:14:20 +0000 (14:14 +0300)]
Small syctl cleanup
Alexander Popov [Mon, 23 Mar 2020 15:25:28 +0000 (18:25 +0300)]
Merge pull request #34 from madaidan/grapheneos
GrapheneOS is the continuation of CopperheadOS
madaidan [Sun, 22 Mar 2020 19:34:23 +0000 (19:34 +0000)]
GrapheneOS is the continuation of CopperheadOS
Alexander Popov [Fri, 20 Mar 2020 20:24:03 +0000 (23:24 +0300)]
CopperheadOS disables the kernel's CONFIG_AIO feature
It isn't used or exposed by the base system and is a dubious feature.
It performs no better than thread pools and it can still block, along
with having coverage of only a tiny portion of blocking system calls
even when considering only commonly used system calls for IO.
There are no known compatibility issues caused by having this disabled.
Since this is such a dubious niche feature, it's also very poorly tested
and it doesn't get much attention. Proposed improvements have been blocked
based on the concern that POSIX AIO is such a bad interface that trying
to improve/extend it would be harmful. Following the lead of CopperheadOS
on this front has been proposed and accepted upstream for the recommended
Android kernel configuration used to derive device specific configurations.
https://github.com/AndroidHardeningArchive/documentation/blob/master/technical_overview.md#attack-surface-reduction