kconfig-hardened-check.git
Merge pull request #51 from Hacks4Snacks/master
Alexander Popov [Fri, 20 Aug 2021 18:19:03 +0000 (21:19 +0300)]
Merge pull request #51 from Hacks4Snacks/master

Added the CBL-Mariner kernel configuration file.

Added Linux/x86_64 kernel config link for CBL-Mariner (51/head)
Mark D. Gray [Fri, 20 Aug 2021 17:39:03 +0000 (12:39 -0500)]
Added Linux/x86_64 kernel config link for CBL-Mariner

Added cbl-mariner kernel configuration file.
Mark D. Gray [Thu, 19 Aug 2021 20:40:09 +0000 (15:40 -0500)]
Added cbl-mariner kernel configuration file.

Add hardware tag-based KASAN with arm64 Memory Tagging Extension
Alexander Popov [Sat, 14 Aug 2021 07:10:13 +0000 (10:10 +0300)]
Add hardware tag-based KASAN with arm64 Memory Tagging Extension

Add the command line parameters that should NOT be set
Alexander Popov [Sat, 14 Aug 2021 06:33:14 +0000 (09:33 +0300)]
Add the command line parameters that should NOT be set

Document the changes of vm.unprivileged_userfaultfd in v5.11
Alexander Popov [Sun, 8 Aug 2021 22:00:28 +0000 (01:00 +0300)]
Document the changes of vm.unprivileged_userfaultfd in v5.11

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=37cd0575b8510159992d279c530c05f872990b02
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d0d4730ac2e404a5b0da9a87ef38c73e51cb1664

Add the news about PAGE_POISONING
Alexander Popov [Sun, 8 Aug 2021 13:48:04 +0000 (16:48 +0300)]
Add the news about PAGE_POISONING

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f289041ed4cf9a3f6e8a32068fef9ffb2acc5662
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f424750baaafcef229791882e879da01c9473b5

Improve wording
Alexander Popov [Fri, 2 Jul 2021 12:56:13 +0000 (15:56 +0300)]
Improve wording

Update the README. (v0.5.10)
Alexander Popov [Sat, 19 Jun 2021 17:36:31 +0000 (20:36 +0300)]
Update the README.

Ready for the release 0.5.10.

Fix pylint warning
Alexander Popov [Sat, 19 Jun 2021 15:42:02 +0000 (18:42 +0300)]
Fix pylint warning

Remember that SHADOW_CALL_STACK depends on clang
Alexander Popov [Sat, 19 Jun 2021 15:22:23 +0000 (18:22 +0300)]
Remember that SHADOW_CALL_STACK depends on clang

STACKPROTECTOR_PER_TASK is also available for ARM64
Alexander Popov [Sat, 19 Jun 2021 15:20:02 +0000 (18:20 +0300)]
STACKPROTECTOR_PER_TASK is also available for ARM64

INTEL_IOMMU_SVM is available only for X86_64
Alexander Popov [Sat, 19 Jun 2021 15:17:33 +0000 (18:17 +0300)]
INTEL_IOMMU_SVM is available only for X86_64

Reorder arch checks
Alexander Popov [Sat, 19 Jun 2021 15:08:30 +0000 (18:08 +0300)]
Reorder arch checks

SECURITY_DMESG_RESTRICT is recommended by KSPP now
Alexander Popov [Sat, 19 Jun 2021 12:40:13 +0000 (15:40 +0300)]
SECURITY_DMESG_RESTRICT is recommended by KSPP now

Think about kptr_restrict later (KSPP recommends setting it to 1)
Alexander Popov [Sat, 19 Jun 2021 11:49:03 +0000 (14:49 +0300)]
Think about kptr_restrict later (KSPP recommends setting it to 1)

Mention that nosmt is slow
Alexander Popov [Sat, 19 Jun 2021 11:46:54 +0000 (14:46 +0300)]
Mention that nosmt is slow

More info on init_on_free and init_on_alloc
Alexander Popov [Sat, 19 Jun 2021 11:46:07 +0000 (14:46 +0300)]
More info on init_on_free and init_on_alloc

SLUB_DEBUG_ON is very slow, leave it for the kernel command line
Alexander Popov [Sat, 19 Jun 2021 11:45:02 +0000 (14:45 +0300)]
SLUB_DEBUG_ON is very slow, leave it for the kernel command line

Update KSPP recommendations
Alexander Popov [Sat, 19 Jun 2021 11:27:21 +0000 (14:27 +0300)]
Update KSPP recommendations

Add defconfigs for v5.10
Alexander Popov [Sat, 19 Jun 2021 11:15:14 +0000 (14:15 +0300)]
Add defconfigs for v5.10

Made with updated https://github.com/a13xp0p0v/kernel-build-containers

Excellent!

HARDEN_BRANCH_PREDICTOR for ARM64 is enabled by default since v5.10
Alexander Popov [Sat, 19 Jun 2021 10:04:30 +0000 (13:04 +0300)]
HARDEN_BRANCH_PREDICTOR for ARM64 is enabled by default since v5.10

Add ARM64_MTE for userspace
Alexander Popov [Fri, 18 Jun 2021 21:12:46 +0000 (00:12 +0300)]
Add ARM64_MTE for userspace

Maybe SHADOW_CALL_STACK should be an alternative to STACKPROTECTOR_STRONG
Alexander Popov [Fri, 18 Jun 2021 21:11:41 +0000 (00:11 +0300)]
Maybe SHADOW_CALL_STACK should be an alternative to STACKPROTECTOR_STRONG

Save 'debugfs=no-mount' for future
Alexander Popov [Fri, 18 Jun 2021 17:47:20 +0000 (20:47 +0300)]
Save 'debugfs=no-mount' for future

Update the README. (v0.5.9)
Alexander Popov [Fri, 30 Oct 2020 17:56:45 +0000 (20:56 +0300)]
Update the README.

Ready for the release 0.5.9.

Fix indentation (thanks to pylint)
Alexander Popov [Fri, 30 Oct 2020 17:44:07 +0000 (20:44 +0300)]
Fix indentation (thanks to pylint)

Add a Q&A about spectre-meltdown-checker maintained by @speed47
Alexander Popov [Thu, 29 Oct 2020 08:03:24 +0000 (11:03 +0300)]
Add a Q&A about spectre-meltdown-checker maintained by @speed47

INIT_STACK_ALL -> INIT_STACK_ALL_ZERO (was renamed)
Alexander Popov [Fri, 23 Oct 2020 18:03:01 +0000 (21:03 +0300)]
INIT_STACK_ALL -> INIT_STACK_ALL_ZERO (was renamed)

Add SHADOW_CALL_STACK for ARM64
Alexander Popov [Fri, 23 Oct 2020 17:53:33 +0000 (20:53 +0300)]
Add SHADOW_CALL_STACK for ARM64

Add the recommendation about TRIM_UNUSED_KSYMS
Alexander Popov [Thu, 22 Oct 2020 19:46:27 +0000 (22:46 +0300)]
Add the recommendation about TRIM_UNUSED_KSYMS

Add ARM64_BTI_KERNEL
Alexander Popov [Thu, 22 Oct 2020 19:38:35 +0000 (22:38 +0300)]
Add ARM64_BTI_KERNEL

Add the recommendation about UBSAN_BOUNDS
Alexander Popov [Thu, 22 Oct 2020 18:42:21 +0000 (21:42 +0300)]
Add the recommendation about UBSAN_BOUNDS

Enable UBSAN_BOUNDS and UBSAN_TRAP.
But keep UBSAN_MISC disabled to avoid useless reports.

PAGE_POISONING -> PAGE_POISONING_ZERO
Alexander Popov [Thu, 22 Oct 2020 17:46:04 +0000 (20:46 +0300)]
PAGE_POISONING -> PAGE_POISONING_ZERO

In fact, KSPP recommends PAGE_POISONING_ZERO.

Improve AND check reports
Alexander Popov [Thu, 22 Oct 2020 16:59:00 +0000 (19:59 +0300)]
Improve AND check reports

Improve HARDEN_EL2_VECTORS check
Alexander Popov [Thu, 22 Oct 2020 16:09:35 +0000 (19:09 +0300)]
Improve HARDEN_EL2_VECTORS check

In fact HARDEN_EL2_VECTORS was included in RANDOMIZE_BASE in v5.9.
Use new nested ComplexOptChecks for this rule.

Refers to #48.

Merge remote-tracking branch 'pgils/el2_vectors'
Alexander Popov [Thu, 22 Oct 2020 15:55:31 +0000 (18:55 +0300)]
Merge remote-tracking branch 'pgils/el2_vectors'

Thanks, @pgils.

Refers to #48.

Add nested ComplexOptChecks support
Alexander Popov [Wed, 21 Oct 2020 18:20:37 +0000 (21:20 +0300)]
Add nested ComplexOptChecks support

Now we can do things like OR(opt1, AND(opt2, opt3)).
Cool!

Refers to #48

Do not check CONFIG_HARDEN_EL2_VECTORS for v5.9+ (48/head)
Pelle van Gils [Mon, 19 Oct 2020 13:07:53 +0000 (15:07 +0200)]
Do not check CONFIG_HARDEN_EL2_VECTORS for v5.9+

Add TODO about SLUB_DEBUG_ON
Alexander Popov [Fri, 16 Oct 2020 15:51:01 +0000 (18:51 +0300)]
Add TODO about SLUB_DEBUG_ON

Add CLIP OS recommendation about EFI_CUSTOM_SSDT_OVERLAYS
Alexander Popov [Fri, 16 Oct 2020 15:39:41 +0000 (18:39 +0300)]
Add CLIP OS recommendation about EFI_CUSTOM_SSDT_OVERLAYS

Disabling ACPI_TABLE_UPGRADE is now recommended by CLIP OS
Alexander Popov [Fri, 16 Oct 2020 15:37:35 +0000 (18:37 +0300)]
Disabling ACPI_TABLE_UPGRADE is now recommended by CLIP OS

Withdraw my recommendation about BPF_JIT
Alexander Popov [Fri, 16 Oct 2020 15:05:37 +0000 (18:05 +0300)]
Withdraw my recommendation about BPF_JIT

CLIP OS wiki and Kees say that the BPF interpreter is worse for kernel
security than BPF_JIT.

So for now I withdraw my recommendation about BPF_JIT.

N.B. LOCKDOWN disables BPF_SYSCALL, but not BPF_JIT.

Use cross compiler to build defconfigs
Alexander Popov [Wed, 14 Oct 2020 11:32:20 +0000 (14:32 +0300)]
Use cross compiler to build defconfigs

Add defconfigs for Linux kernel v5.9
Alexander Popov [Wed, 14 Oct 2020 11:11:35 +0000 (14:11 +0300)]
Add defconfigs for Linux kernel v5.9

Update the README (v0.5.7)
Alexander Popov [Wed, 15 Jul 2020 21:12:52 +0000 (00:12 +0300)]
Update the README

Ready for release 0.5.7

Fix relevant pylint warnings
Alexander Popov [Wed, 15 Jul 2020 21:05:49 +0000 (00:05 +0300)]
Fix relevant pylint warnings

Fix 'decision' priority order ('lockdown' vs 'clipos' vs 'grapheneos')
Alexander Popov [Wed, 15 Jul 2020 16:17:49 +0000 (19:17 +0300)]
Fix 'decision' priority order ('lockdown' vs 'clipos' vs 'grapheneos')

Add CLIP OS recommendations about CONFIG_IO_URING and CONFIG_X86_IOPL_IOPERM
Alexander Popov [Wed, 15 Jul 2020 16:16:27 +0000 (19:16 +0300)]
Add CLIP OS recommendations about CONFIG_IO_URING and CONFIG_X86_IOPL_IOPERM

CONFIG_X86_IOPL_IOPERM is also disabled by kernel lockdown

Add CONFIG_EFI_DISABLE_PCI_DMA recommended by CLIP OS
Alexander Popov [Wed, 15 Jul 2020 16:14:10 +0000 (19:14 +0300)]
Add CONFIG_EFI_DISABLE_PCI_DMA recommended by CLIP OS

Fix 'decision' -- CONFIG_INTEGRITY is not enabled by default on ARM
Alexander Popov [Wed, 15 Jul 2020 15:26:22 +0000 (18:26 +0300)]
Fix 'decision' -- CONFIG_INTEGRITY is not enabled by default on ARM

Add defconfigs for Linux kernel v5.7
Alexander Popov [Wed, 15 Jul 2020 15:10:16 +0000 (18:10 +0300)]
Add defconfigs for Linux kernel v5.7

Take new AND use case for X86_PTDUMP / PTDUMP_DEBUGFS
Alexander Popov [Wed, 15 Jul 2020 13:15:24 +0000 (16:15 +0300)]
Take new AND use case for X86_PTDUMP / PTDUMP_DEBUGFS

Improve ComplexOptCheck use cases
Alexander Popov [Wed, 15 Jul 2020 13:12:54 +0000 (16:12 +0300)]
Improve ComplexOptCheck use cases

Add 'show_ok' and 'show_fail' print modes
Alexander Popov [Wed, 15 Jul 2020 11:44:39 +0000 (14:44 +0300)]
Add 'show_ok' and 'show_fail' print modes

Refers to the issue #45

Declare variables closer to their usage
Alexander Popov [Mon, 13 Jul 2020 19:10:18 +0000 (22:10 +0300)]
Declare variables closer to their usage

Get rid of 'kernel_version' global variable
Alexander Popov [Mon, 13 Jul 2020 18:48:05 +0000 (21:48 +0300)]
Get rid of 'kernel_version' global variable

(done while solving the issue #45)

Big rework of the report modes
Alexander Popov [Mon, 13 Jul 2020 18:13:43 +0000 (21:13 +0300)]
Big rework of the report modes

Let's fold the alternative options --debug and --json into --mode parameter:
  -m {verbose,json}, --mode {verbose,json}
   choose the report mode

That also allows getting rid of the 'debug_mode' and 'json_mode' globals.

This work is a prerequisite of solving the issue #45.

Add another link about user namespaces to Q&A
Alexander Popov [Mon, 13 Jul 2020 15:27:35 +0000 (18:27 +0300)]
Add another link about user namespaces to Q&A

Add ARM64_PAN
Alexander Popov [Fri, 10 Jul 2020 20:35:35 +0000 (23:35 +0300)]
Add ARM64_PAN

Use += instead of append() for checklist
Alexander Popov [Thu, 9 Jul 2020 12:24:11 +0000 (15:24 +0300)]
Use += instead of append() for checklist

Reorder some checking rules for better-looking code
Alexander Popov [Thu, 9 Jul 2020 11:52:56 +0000 (14:52 +0300)]
Reorder some checking rules for better-looking code

Change the order of arguments in OptCheck constructor
Alexander Popov [Thu, 9 Jul 2020 11:16:40 +0000 (14:16 +0300)]
Change the order of arguments in OptCheck constructor

That makes the code style much better.

Side note: I was thinking a lot about storing the checking rules
separately in some file format. Finally I decided not to do that because:
 - I want to avoid additional parsing (these rules are static anyway);
 - the rules include a lot of special cases and exceptions, which
   don't look pretty in any format.

Drop unused 'state' property from ComplexOptCheck
Alexander Popov [Thu, 9 Jul 2020 06:30:18 +0000 (09:30 +0300)]
Drop unused 'state' property from ComplexOptCheck

Don't return self.result in check() method -- it's not used
Alexander Popov [Thu, 9 Jul 2020 05:59:24 +0000 (08:59 +0300)]
Don't return self.result in check() method -- it's not used

ARM64_PTR_AUTH is now supported for the kernel (from v5.7)
Alexander Popov [Mon, 6 Jul 2020 22:55:21 +0000 (01:55 +0300)]
ARM64_PTR_AUTH is now supported for the kernel (from v5.7)

Add the link to huldufolk project by @tych0
Alexander Popov [Fri, 3 Jul 2020 18:10:56 +0000 (21:10 +0300)]
Add the link to huldufolk project by @tych0

Add the link to @BlackIkeEagle article
Alexander Popov [Sat, 30 May 2020 20:17:46 +0000 (23:17 +0300)]
Add the link to @BlackIkeEagle article

Merge branch 'ubuntu20'
Alexander Popov [Wed, 6 May 2020 21:36:58 +0000 (00:36 +0300)]
Merge branch 'ubuntu20'

Thanks @HacKurx.

Upgrading to Ubuntu 20.04 kernel config (43/head)
HacKurx [Tue, 5 May 2020 08:51:33 +0000 (10:51 +0200)]
Upgrading to Ubuntu 20.04 kernel config

CONFIG_RANDOM_TRUST_BOOTLOADER = FAIL: "y"
CONFIG_SECURITY_LOCKDOWN_LSM = OK
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY = OK
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY = FAIL: "is not set"

Merge branch 'evbug'
Alexander Popov [Thu, 9 Apr 2020 15:54:38 +0000 (18:54 +0300)]
Merge branch 'evbug'

Thanks @HacKurx

Merge branch 'pylint'
Alexander Popov [Thu, 9 Apr 2020 15:28:30 +0000 (18:28 +0300)]
Merge branch 'pylint'

Thanks @shamilbi

Updating the number of failures in the README (41/head)
HacKurx [Thu, 9 Apr 2020 11:48:56 +0000 (13:48 +0200)]
Updating the number of failures in the README

Add CONFIG_INPUT_EVBUG
HacKurx [Thu, 9 Apr 2020 11:25:37 +0000 (13:25 +0200)]
Add CONFIG_INPUT_EVBUG

The "evbug" module records key events and mouse movements in the system log.
Useful for debugging, but it is a security threat: it can be hijacked as a keylogger.

An attacker will be able to retrieve your passwords using this module.

pylint some code (40/head)
shamilbi [Wed, 8 Apr 2020 06:57:04 +0000 (13:57 +0700)]
pylint some code

Improve versioning
Alexander Popov [Mon, 6 Apr 2020 14:36:19 +0000 (17:36 +0300)]
Improve versioning

Add DRM_LEGACY, FB, and VT checks
Alexander Popov [Fri, 3 Apr 2020 17:00:06 +0000 (20:00 +0300)]
Add DRM_LEGACY, FB, and VT checks

Thanks to:
 - Dmitry Vyukov @dvyukov for the idea
 - Daniel Vetter @danvet for the knowledge

Implement PresenceCheck and use it for LDISC_AUTOLOAD
Alexander Popov [Tue, 31 Mar 2020 13:57:03 +0000 (16:57 +0300)]
Implement PresenceCheck and use it for LDISC_AUTOLOAD

Refers to #32

Fix ComplexOptCheck result printing
Alexander Popov [Tue, 31 Mar 2020 13:42:05 +0000 (16:42 +0300)]
Fix ComplexOptCheck result printing

Newline should be printed by print_checklist() that prints the table
Alexander Popov [Tue, 31 Mar 2020 13:41:40 +0000 (16:41 +0300)]
Newline should be printed by print_checklist() that prints the table

Add more tests to increase coverage - IV
Alexander Popov [Tue, 31 Mar 2020 13:18:44 +0000 (16:18 +0300)]
Add more tests to increase coverage - IV

Create polymorphism for printing, add table_print() method for each class
Alexander Popov [Tue, 31 Mar 2020 13:18:05 +0000 (16:18 +0300)]
Create polymorphism for printing, add table_print() method for each class

That makes print_checklist() much better.

Revisit special behavior in checking and printing that depends on the class
Alexander Popov [Tue, 31 Mar 2020 12:24:13 +0000 (15:24 +0300)]
Revisit special behavior in checking and printing that depends on the class

Rename some workflow steps
Alexander Popov [Tue, 31 Mar 2020 11:34:38 +0000 (14:34 +0300)]
Rename some workflow steps

Add more tests to increase coverage - III
Alexander Popov [Mon, 30 Mar 2020 20:29:42 +0000 (23:29 +0300)]
Add more tests to increase coverage - III

Add more tests to increase coverage - II
Alexander Popov [Mon, 30 Mar 2020 17:11:00 +0000 (20:11 +0300)]
Add more tests to increase coverage - II

Add more tests to increase coverage - I
Alexander Popov [Mon, 30 Mar 2020 17:06:09 +0000 (20:06 +0300)]
Add more tests to increase coverage - I

Collect coverage
Alexander Popov [Mon, 30 Mar 2020 16:08:29 +0000 (19:08 +0300)]
Collect coverage

Count checked configs
Alexander Popov [Mon, 30 Mar 2020 13:36:14 +0000 (16:36 +0300)]
Count checked configs

Check all configs automatically
Alexander Popov [Mon, 30 Mar 2020 12:04:26 +0000 (15:04 +0300)]
Check all configs automatically

Revisit return values
Alexander Popov [Mon, 30 Mar 2020 11:53:55 +0000 (14:53 +0300)]
Revisit return values

Create the github workflow for functional tests
Alexander Popov [Mon, 30 Mar 2020 09:51:26 +0000 (12:51 +0300)]
Create the github workflow for functional tests

Fix the shebang to allow `./get-nix-kconfig.py`
Alexander Popov [Sat, 28 Mar 2020 20:58:29 +0000 (23:58 +0300)]
Fix the shebang to allow `./get-nix-kconfig.py`

Thanks to @Mic92

Refers to #27

Add NixOS hardened kernel config
Alexander Popov [Fri, 27 Mar 2020 20:25:02 +0000 (23:25 +0300)]
Add NixOS hardened kernel config

Fix typo in README
Alexander Popov [Thu, 26 Mar 2020 14:55:56 +0000 (17:55 +0300)]
Fix typo in README

Add vim swp files to gitignore
Alexander Popov [Thu, 26 Mar 2020 13:57:54 +0000 (16:57 +0300)]
Add vim swp files to gitignore

Merge branch 'nix'
Alexander Popov [Thu, 26 Mar 2020 13:55:00 +0000 (16:55 +0300)]
Merge branch 'nix'

Refers to #27

add script to download linux kernel configs from nix
Jörg Thalheim [Thu, 2 Jan 2020 10:38:24 +0000 (10:38 +0000)]
add script to download linux kernel configs from nix

add gitignore
Jörg Thalheim [Thu, 2 Jan 2020 08:59:33 +0000 (08:59 +0000)]
add gitignore

add default.nix for installation via nix
Jörg Thalheim [Thu, 2 Jan 2020 08:53:41 +0000 (08:53 +0000)]
add default.nix for installation via nix

Allows installation via nix from the repository itself
on NixOS and other Linux distributions that have Nix (e.g. Archlinux/Debian).

```
$ nix-build
$ ./result/bin/kconfig-hardened-check
$ nix-env -f . -i
```

It also provides a development environment for `nix-shell` with setuptools and
python in the path

```
$ nix-shell
```