Alexander Popov [Sat, 14 Jan 2023 15:46:45 +0000 (18:46 +0300)]
Update the KSPP recommendations
Alexander Popov [Sat, 14 Jan 2023 15:07:29 +0000 (18:07 +0300)]
Fix the IOMMU_DEFAULT_DMA_STRICT check: it is in defconfig for arm64 and arm
Alexander Popov [Sat, 14 Jan 2023 10:47:21 +0000 (13:47 +0300)]
Add the COMPAT and X86_X32_ABI checks
KSPP has added them to the recommendations.
Refers to #74.
Alexander Popov [Sat, 14 Jan 2023 10:39:49 +0000 (13:39 +0300)]
Fix the WERROR check: it is in defconfig for X86_64 and X86_32 now
Alexander Popov [Sat, 14 Jan 2023 10:33:33 +0000 (13:33 +0300)]
Fix the DEBUG_WX check: it is in defconfig for X86_64 and X86_32 now
Alexander Popov [Fri, 13 Jan 2023 19:12:22 +0000 (22:12 +0300)]
Add defconfigs for Linux v6.1
Alexander Popov [Mon, 26 Dec 2022 09:58:06 +0000 (12:58 +0300)]
Add the repository mirrors
Alexander Popov [Sun, 25 Dec 2022 18:03:04 +0000 (21:03 +0300)]
Backup the pull requests and issues into a Markdown file using gh2md
That would allow to have more information in the mirror repositories.
I used the mattduck/gh2md tool for that purpose.
It employs https://api.github.com/graphql, so I had to generate
a GitHub personal access token (classic) with public access.
Alexander Popov [Fri, 16 Dec 2022 23:35:43 +0000 (02:35 +0300)]
Remove the AIO check
Currently GrapheneOS doesn't have it.
Alexander Popov [Sat, 10 Dec 2022 18:25:13 +0000 (21:25 +0300)]
Remember about the nosmt sysfs control file
Alexander Popov [Sat, 10 Dec 2022 18:24:42 +0000 (21:24 +0300)]
Drop the comment about mitigations of CPU vulnerabilities
The corresponding checks have been developed.
Alexander Popov [Sat, 10 Dec 2022 18:18:34 +0000 (21:18 +0300)]
Save the list of disabled mitigations of CPU vulnerabilities (for history)
Alexander Popov [Sat, 10 Dec 2022 17:44:23 +0000 (20:44 +0300)]
Add the nospectre_bhb check
Alexander Popov [Sat, 10 Dec 2022 08:01:16 +0000 (11:01 +0300)]
Add the kpti check
1. Don't add an exception to normalize_cmdline_options() since strtobool()
is used for kpti
2. Use new '0' check of 'is not off'
Alexander Popov [Sat, 10 Dec 2022 07:47:05 +0000 (10:47 +0300)]
Compare against '0' in the 'is not off' check
Alexander Popov [Sat, 10 Dec 2022 07:08:23 +0000 (10:08 +0300)]
Add the tsx check
Alexander Popov [Sat, 10 Dec 2022 07:07:10 +0000 (10:07 +0300)]
Change the 'decision' of X86_INTEL_TSX_MODE_OFF check to defconfig
Alexander Popov [Sat, 10 Dec 2022 06:33:43 +0000 (09:33 +0300)]
Add the nomte check
Alexander Popov [Sat, 10 Dec 2022 06:32:51 +0000 (09:32 +0300)]
Add the nopauth check
Alexander Popov [Sat, 10 Dec 2022 06:32:21 +0000 (09:32 +0300)]
Add the nobti check
Alexander Popov [Fri, 9 Dec 2022 18:00:08 +0000 (21:00 +0300)]
Add the sysrq_always_enabled check
Alexander Popov [Fri, 9 Dec 2022 17:37:49 +0000 (20:37 +0300)]
Add the ssbd check
Alexander Popov [Thu, 8 Dec 2022 22:38:05 +0000 (01:38 +0300)]
Avoid the YAML parsing mistake
3.10 is parsed as a number and it is trimmed to 3.1.
That is expected behavior for numbers, but it's crazy for versions.
Alexander Popov [Thu, 8 Dec 2022 22:29:03 +0000 (01:29 +0300)]
Fix `python-version` in the GitHub Actions
Current `ubuntu-latest` (Ubuntu 22.04 for x86_64) provides the following
versions of Python:
- 3.10.8
- 3.11.0
- 3.7.15
- 3.8.15
- 3.9.15
Alexander Popov [Thu, 8 Dec 2022 21:59:38 +0000 (00:59 +0300)]
Reorder some checks, no functional changes
Alexander Popov [Thu, 17 Nov 2022 16:39:32 +0000 (19:39 +0300)]
Add the srbds check
Alexander Popov [Thu, 17 Nov 2022 16:29:26 +0000 (19:29 +0300)]
Add the retbleed check
Alexander Popov [Thu, 17 Nov 2022 16:23:55 +0000 (19:23 +0300)]
Add the mmio_stale_data check
Alexander Popov [Thu, 17 Nov 2022 16:19:55 +0000 (19:19 +0300)]
Add the tsx_async_abort check
Alexander Popov [Thu, 17 Nov 2022 14:34:24 +0000 (17:34 +0300)]
Add the mds check
Alexander Popov [Thu, 17 Nov 2022 14:28:28 +0000 (17:28 +0300)]
Add the l1tf check
Alexander Popov [Thu, 17 Nov 2022 14:19:21 +0000 (17:19 +0300)]
Add the spectre_v2_user check
Alexander Popov [Thu, 17 Nov 2022 13:57:25 +0000 (16:57 +0300)]
Do refactoring in normalize_cmdline_options()
Alexander Popov [Thu, 17 Nov 2022 13:56:18 +0000 (16:56 +0300)]
Add the spec_store_bypass_disable check
Alexander Popov [Thu, 17 Nov 2022 13:42:30 +0000 (16:42 +0300)]
Add the spectre_v2 check
Alexander Popov [Thu, 17 Nov 2022 12:23:55 +0000 (15:23 +0300)]
Introduce the 'is present' check instead of expected=None constructor parameter
Alexander Popov [Fri, 11 Nov 2022 14:39:19 +0000 (17:39 +0300)]
Add the 'mitigations' check
The default value for the 'mitigations' option is 'auto'.
So this option should be enabled ('is not off') or not set at all.
Alexander Popov [Wed, 9 Nov 2022 15:32:52 +0000 (18:32 +0300)]
Add the nosmt check
Alexander Popov [Wed, 9 Nov 2022 15:24:52 +0000 (18:24 +0300)]
Add a special 'desired val' -- 'is not off'
This check gives FAIL if the option value is 'off' or
the option is not found. In other cases this check gives OK.
This feature is needed for checking that the CPU vulnerability mitigations
are not disabled. Let's see how it works and maybe improve it in future.
Alexander Popov [Wed, 9 Nov 2022 14:46:38 +0000 (17:46 +0300)]
Improve the result descriptions
Alexander Popov [Tue, 8 Nov 2022 21:31:16 +0000 (00:31 +0300)]
Add assertions to check arguments of the Class constructors
Alexander Popov [Sun, 23 Oct 2022 17:08:29 +0000 (20:08 +0300)]
Update the README
Alexander Popov [Sun, 23 Oct 2022 16:31:16 +0000 (19:31 +0300)]
Add the ARM64_E0PD check
Alexander Popov [Sun, 23 Oct 2022 16:14:46 +0000 (19:14 +0300)]
Fix the SCHED_CORE check: it's now available for ARM64 and ARM
Alexander Popov [Sun, 23 Oct 2022 15:23:55 +0000 (18:23 +0300)]
Update the self-protection checks adopted by KSPP (part V)
Thanks to @kees
Alexander Popov [Sat, 22 Oct 2022 21:05:45 +0000 (00:05 +0300)]
Update the self-protection checks adopted by KSPP (part IV): IOMMU
Thanks to @kees
Alexander Popov [Sat, 22 Oct 2022 21:02:55 +0000 (00:02 +0300)]
Update the self-protection checks adopted by KSPP (part III)
Thanks to @kees
Alexander Popov [Sat, 22 Oct 2022 18:34:56 +0000 (21:34 +0300)]
Update the KSPP recommendations again
Alexander Popov [Thu, 13 Oct 2022 16:33:11 +0000 (19:33 +0300)]
Update the self-protection checks adopted by KSPP (part II)
Thanks to @kees
Alexander Popov [Thu, 13 Oct 2022 15:24:41 +0000 (18:24 +0300)]
Update the self-protection checks adopted by KSPP (part I)
Thanks to @kees
Alexander Popov [Thu, 13 Oct 2022 15:07:14 +0000 (18:07 +0300)]
Update the HW_RANDOM_TPM check
Clip OS says that RANDOM_TRUST_BOOTLOADER and RANDOM_TRUST_CPU should be
disabled if HW_RANDOM_TPM is enabled. The Clip OS description:
Do not credit entropy included in Linux’s entropy pool when generated
by the CPU manufacturer’s HWRNG, the bootloader or the UEFI firmware.
Fast and robust initialization of Linux’s CSPRNG is instead achieved
thanks to the TPM’s HWRNG.
At the same time KSPP recommends to enable RANDOM_TRUST_BOOTLOADER and
RANDOM_TRUST_CPU anyway:
Get as much entropy as possible from external sources. The Chacha mixer
isn't vulnerable to injected entropy, so even malicious sources
should not cause problems.
In this situation, I think kconfig-hardened-check should check
only HW_RANDOM_TPM (there is no contradiction about it)
and leave the decision about RANDOM_TRUST_BOOTLOADER and
RANDOM_TRUST_CPU to the owner of the system.
Alexander Popov [Thu, 13 Oct 2022 14:19:23 +0000 (17:19 +0300)]
Update the UBSAN checks according to the KSPP recommendations
Thanks to @kees
Alexander Popov [Thu, 13 Oct 2022 13:54:02 +0000 (16:54 +0300)]
Update the security policy checks adopted by KSPP
Thanks to @kees
Alexander Popov [Thu, 13 Oct 2022 13:17:58 +0000 (16:17 +0300)]
Update the KSPP recommendations
Alexander Popov [Wed, 12 Oct 2022 18:49:23 +0000 (21:49 +0300)]
Improve the README
Alexander Popov [Sun, 9 Oct 2022 22:10:48 +0000 (01:10 +0300)]
Update the README
Alexander Popov [Sun, 9 Oct 2022 21:55:21 +0000 (00:55 +0300)]
Drop some of my security policy recommendations
Alexander Popov [Sun, 9 Oct 2022 18:31:25 +0000 (21:31 +0300)]
Check SECURITY_SELINUX_DEVELOP (recommended by Clip OS)
Clip OS description: it "will eventually be n".
Alexander Popov [Sun, 9 Oct 2022 18:25:33 +0000 (21:25 +0300)]
Check SECURITY_SELINUX_BOOTPARAM (recommended by Clip OS)
Alexander Popov [Sun, 9 Oct 2022 18:04:19 +0000 (21:04 +0300)]
Improve the HW_RANDOM_TPM check
RANDOM_TRUST_BOOTLOADER and RANDOM_TRUST_CPU should be disabled if
HW_RANDOM_TPM is enabled.
The Clip OS description:
Do not credit entropy included in Linux’s entropy pool when generated
by the CPU manufacturer’s HWRNG, the bootloader or the UEFI firmware.
Fast and robust initialization of Linux’s CSPRNG is instead achieved
thanks to the TPM’s HWRNG.
Alexander Popov [Sun, 9 Oct 2022 17:49:58 +0000 (20:49 +0300)]
Check COREDUMP (recommended by Clip OS)
Disabling COREDUMP is needed for cutting userspace attack surface.
Alexander Popov [Sun, 9 Oct 2022 12:49:13 +0000 (15:49 +0300)]
Check CONFIG_HW_RANDOM_TPM (recommended by Clip OS)
Alexander Popov [Sun, 9 Oct 2022 12:32:55 +0000 (15:32 +0300)]
Check X86_MCE, X86_MCE_INTEL, X86_MCE_AMD (recommended by Clip OS)
These options are enabled by default.
Alexander Popov [Sun, 9 Oct 2022 11:23:20 +0000 (14:23 +0300)]
Improve the README
Alexander Popov [Wed, 5 Oct 2022 13:56:28 +0000 (16:56 +0300)]
Update the README
Alexander Popov [Sun, 2 Oct 2022 18:45:13 +0000 (21:45 +0300)]
Also check 'nospectre_v2' with 'spectre_v2'
Alexander Popov [Sun, 2 Oct 2022 18:44:47 +0000 (21:44 +0300)]
Change the reason for the 'nopti' check
Alexander Popov [Sun, 2 Oct 2022 17:52:47 +0000 (20:52 +0300)]
Change the reason for the 'nokaslr' check
KASLR is enabled by default.
Alexander Popov [Sun, 2 Oct 2022 11:27:03 +0000 (14:27 +0300)]
Add the 'spectre_v2' check
Don't normalize this cmdline option.
Alexander Popov [Sun, 2 Oct 2022 11:23:19 +0000 (14:23 +0300)]
Add the 'nospectre_v2' check
Alexander Popov [Sun, 2 Oct 2022 11:04:10 +0000 (14:04 +0300)]
Change the reason for the 'nosmep' and 'nosmap' checks
SMEP and SMAP are enabled by default.
Alexander Popov [Sun, 2 Oct 2022 10:39:38 +0000 (13:39 +0300)]
Add the 'nospectre_v1' check
Alexander Popov [Sun, 2 Oct 2022 10:20:11 +0000 (13:20 +0300)]
Add the 'nopti' check
Alexander Popov [Sat, 24 Sep 2022 22:12:55 +0000 (01:12 +0300)]
Add the comments: CC_IS_GCC and CC_IS_CLANG exist since v4.18
Alexander Popov [Sat, 24 Sep 2022 21:51:25 +0000 (00:51 +0300)]
Add the UBSAN_LOCAL_BOUNDS check for Clang build
Explanations from the Linux kernel commit
6a6155f664e31c9be43cd:
When the kernel is compiled with Clang, -fsanitize=bounds expands to
-fsanitize=array-bounds and -fsanitize=local-bounds.
Enabling -fsanitize=local-bounds with Clang has the side-effect of
inserting traps.
That's why UBSAN_LOCAL_BOUNDS can enable the 'local-bounds' option
only when UBSAN_TRAP is enabled.
Alexander Popov [Sun, 18 Sep 2022 13:02:23 +0000 (16:02 +0300)]
Update the links to AOSP and GKI
Android Open Source Project (AOSP):
https://source.android.com/docs/setup/build/building-kernels
Android Generic Kernel Image (GKI):
https://source.android.com/docs/core/architecture/kernel/gki-release-builds
Also add the GKI config `android13-5.10`.
Thanks to @h0t for the idea.
Alexander Popov [Fri, 2 Sep 2022 15:14:28 +0000 (18:14 +0300)]
Update the README
Alexander Popov [Fri, 2 Sep 2022 15:04:04 +0000 (18:04 +0300)]
Detect the compiler used for the kernel compilation
Alexander Popov [Fri, 2 Sep 2022 14:22:15 +0000 (17:22 +0300)]
Don't use CONFIG_CC_IS_GCC in the checks (it was introduced only in v4.18)
Alexander Popov [Fri, 2 Sep 2022 11:50:39 +0000 (14:50 +0300)]
Move get-nix-kconfig.py to kconfig_hardened_check/config_files/distros
This script is still waiting for fixes from NixOS folks:
Issue #63
PR #64
Alexander Popov [Fri, 2 Sep 2022 11:38:18 +0000 (14:38 +0300)]
Fix the X86_SMAP check: it is enabled by default since v5.19
Refers to the issue #71
Alexander Popov [Fri, 2 Sep 2022 11:30:38 +0000 (14:30 +0300)]
Check the nosmap and nosmep cmdline parameters
Alexander Popov [Fri, 2 Sep 2022 11:15:06 +0000 (14:15 +0300)]
Adapt the RANDSTRUCT checks to the changes in Linux 5.19
Refers to the issue #71
Alexander Popov [Fri, 2 Sep 2022 10:32:25 +0000 (13:32 +0300)]
Fix the comment: SHADOW_CALL_STACK is now available for gcc (Linux 5.18)
Alexander Popov [Fri, 2 Sep 2022 10:23:35 +0000 (13:23 +0300)]
Add the SECURITY_LANDLOCK recommendation by KSPP
Alexander Popov [Tue, 23 Aug 2022 18:05:45 +0000 (21:05 +0300)]
Check the nokaslr cmdline parameter
Alexander Popov [Sat, 20 Aug 2022 10:07:31 +0000 (13:07 +0300)]
Require GCC for the GCC plugins (part II)
The current result on arm64_full_hardened_5.17_clang.config (clang 12):
[+] Special report mode: show_fail
[+] Kconfig file to check: my/arm64_full_hardened_5.17_clang.config
[+] Detected architecture: ARM64
[+] Detected kernel version: 5.17
=========================================================================================================================
option name | type |desired val | decision | reason | check result
=========================================================================================================================
CONFIG_GCC_PLUGINS |kconfig| y |defconfig | self_protection | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_STACKPROTECTOR_PER_TASK |kconfig| y |defconfig | self_protection | FAIL: not found
CONFIG_FORTIFY_SOURCE |kconfig| y | kspp | self_protection | FAIL: not found
CONFIG_GCC_PLUGIN_LATENT_ENTROPY |kconfig| y | kspp | self_protection | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_ZERO_CALL_USED_REGS |kconfig| y | kspp | self_protection | FAIL: not found
CONFIG_GCC_PLUGIN_RANDSTRUCT |kconfig| y | kspp | self_protection | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_GCC_PLUGIN_STACKLEAK |kconfig| y | kspp | self_protection | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE|kconfig| is not set | clipos | self_protection | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_STACKLEAK_METRICS |kconfig| is not set | clipos | self_protection | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_STACKLEAK_RUNTIME_DISABLE |kconfig| is not set | clipos | self_protection | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_STACKPROTECTOR_PER_TASK, CONFIG_FORTIFY_SOURCE and CONFIG_ZERO_CALL_USED_REGS
will be supported for clang in future (WIP).
Alexander Popov [Sat, 20 Aug 2022 09:43:05 +0000 (12:43 +0300)]
Require GCC for the GCC plugins
Alexander Popov [Sat, 20 Aug 2022 09:28:33 +0000 (12:28 +0300)]
Introduce cc_is_gcc and cc_is_clang
Use empty decision and reason for such kind of checks
Alexander Popov [Sat, 20 Aug 2022 08:52:46 +0000 (11:52 +0300)]
No, the 'page_alloc.shuffle' should be set anyway
Alexander Popov [Sat, 20 Aug 2022 08:42:50 +0000 (11:42 +0300)]
Drop the comment about slub_debug=FZ
These are very slow debugging features
Alexander Popov [Wed, 17 Aug 2022 06:33:00 +0000 (09:33 +0300)]
Add the debugfs check
Don't normalize this option value since the Linux kernel
doesn't use kstrtobool() for it.
Alexander Popov [Wed, 17 Aug 2022 06:11:42 +0000 (09:11 +0300)]
Improve the comments
Alexander Popov [Wed, 17 Aug 2022 05:40:44 +0000 (08:40 +0300)]
Add the 'page_alloc.shuffle' check
Alexander Popov [Sun, 14 Aug 2022 23:53:26 +0000 (02:53 +0300)]
Add more values for the normalization
Alexander Popov [Sun, 14 Aug 2022 22:26:32 +0000 (01:26 +0300)]
Implement the normalization of cmdline options
Alexander Popov [Sun, 14 Aug 2022 11:02:22 +0000 (14:02 +0300)]
Describe the meaning of the checks
Don't add CmdlineChecks in add_kconfig_checks() to avoid wrong results
when the tool doesn't check the cmdline.
A common pattern for checking the 'param_x' cmdline parameter
that __overrides__ the 'PARAM_X_DEFAULT' kconfig option:
l += [OR(CmdlineCheck(reason, decision, 'param_x', '1'),
AND(KconfigCheck(reason, decision, 'PARAM_X_DEFAULT_ON', 'y'),
CmdlineCheck(reason, decision, 'param_x, 'is not set')))]
Here we don't check the kconfig options or minimal kernel version
required for the cmdline parameters. That would make the checks
very complex and not give a 100% guarantee anyway.
Alexander Popov [Sat, 13 Aug 2022 23:16:18 +0000 (02:16 +0300)]
Check the 'rodata' cmdline parameter on the arches except ARM64
Alexander Popov [Sat, 13 Aug 2022 19:58:05 +0000 (22:58 +0300)]
Check hardened_usercopy in the cmdline
Alexander Popov [Sat, 13 Aug 2022 19:50:00 +0000 (22:50 +0300)]
Add the comment about vm.mmap_min_addr sysctl (for future reference)