Alexander Popov [Fri, 20 Aug 2021 18:19:03 +0000 (21:19 +0300)]
Merge pull request #51 from Hacks4Snacks/master
Added the CBL-Mariner kernel configuration file.
Mark D. Gray [Fri, 20 Aug 2021 17:39:03 +0000 (12:39 -0500)]
Added Linux/x86_64 kernel config link for CBL-Mariner
Mark D. Gray [Thu, 19 Aug 2021 20:40:09 +0000 (15:40 -0500)]
Added cbl-mariner kernel configuration file.
Alexander Popov [Sat, 14 Aug 2021 07:10:13 +0000 (10:10 +0300)]
Add hardware tag-based KASAN with arm64 Memory Tagging Extension
Alexander Popov [Sat, 14 Aug 2021 06:33:14 +0000 (09:33 +0300)]
Add the command line parameters that should NOT be set
Alexander Popov [Sun, 8 Aug 2021 22:00:28 +0000 (01:00 +0300)]
Document the changes of vm.unprivileged_userfaultfd in v5.11
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=
37cd0575b8510159992d279c530c05f872990b02
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=
d0d4730ac2e404a5b0da9a87ef38c73e51cb1664
Alexander Popov [Sun, 8 Aug 2021 13:48:04 +0000 (16:48 +0300)]
Add the news about PAGE_POISONING
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=
f289041ed4cf9a3f6e8a32068fef9ffb2acc5662
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=
8f424750baaafcef229791882e879da01c9473b5
Alexander Popov [Fri, 2 Jul 2021 12:56:13 +0000 (15:56 +0300)]
Improve wording
Alexander Popov [Sat, 19 Jun 2021 17:36:31 +0000 (20:36 +0300)]
Update the README.
Ready for the release 0.5.10.
Alexander Popov [Sat, 19 Jun 2021 15:42:02 +0000 (18:42 +0300)]
Fix pylint warning
Alexander Popov [Sat, 19 Jun 2021 15:22:23 +0000 (18:22 +0300)]
Remember that SHADOW_CALL_STACK depends on clang
Alexander Popov [Sat, 19 Jun 2021 15:20:02 +0000 (18:20 +0300)]
STACKPROTECTOR_PER_TASK is also available for ARM64
Alexander Popov [Sat, 19 Jun 2021 15:17:33 +0000 (18:17 +0300)]
INTEL_IOMMU_SVM is available only for X86_64
Alexander Popov [Sat, 19 Jun 2021 15:08:30 +0000 (18:08 +0300)]
Reorder arch checks
Alexander Popov [Sat, 19 Jun 2021 12:40:13 +0000 (15:40 +0300)]
SECURITY_DMESG_RESTRICT is recommended by KSPP now
Alexander Popov [Sat, 19 Jun 2021 11:49:03 +0000 (14:49 +0300)]
Think about kptr_restrict later (KSPP recommends to set it to 1)
Alexander Popov [Sat, 19 Jun 2021 11:46:54 +0000 (14:46 +0300)]
Mention that nosmt is slow
Alexander Popov [Sat, 19 Jun 2021 11:46:07 +0000 (14:46 +0300)]
More info on init_on_free and init_on_alloc
Alexander Popov [Sat, 19 Jun 2021 11:45:02 +0000 (14:45 +0300)]
SLUB_DEBUG_ON is very slow, leave it for the kernel command line
Alexander Popov [Sat, 19 Jun 2021 11:27:21 +0000 (14:27 +0300)]
Update KSPP recommendations
Alexander Popov [Sat, 19 Jun 2021 11:15:14 +0000 (14:15 +0300)]
Add defconfigs for v5.10
Made with updated https://github.com/a13xp0p0v/kernel-build-containers
Excellent!
Alexander Popov [Sat, 19 Jun 2021 10:04:30 +0000 (13:04 +0300)]
HARDEN_BRANCH_PREDICTOR for ARM64 is enabled by default since v5.10
Alexander Popov [Fri, 18 Jun 2021 21:12:46 +0000 (00:12 +0300)]
Add ARM64_MTE for userspace
Alexander Popov [Fri, 18 Jun 2021 21:11:41 +0000 (00:11 +0300)]
Maybe SHADOW_CALL_STACK should be alternative to STACKPROTECTOR_STRONG
Alexander Popov [Fri, 18 Jun 2021 17:47:20 +0000 (20:47 +0300)]
Save 'debugfs=no-mount' for future
Alexander Popov [Fri, 30 Oct 2020 17:56:45 +0000 (20:56 +0300)]
Update the README.
Ready for the release 0.5.9.
Alexander Popov [Fri, 30 Oct 2020 17:44:07 +0000 (20:44 +0300)]
Fix indentation (thanks to pylint)
Alexander Popov [Thu, 29 Oct 2020 08:03:24 +0000 (11:03 +0300)]
Add a Q&A about spectre-meltdown-checker maintained by @speed47
Alexander Popov [Fri, 23 Oct 2020 18:03:01 +0000 (21:03 +0300)]
INIT_STACK_ALL -> INIT_STACK_ALL_ZERO (was renamed)
Alexander Popov [Fri, 23 Oct 2020 17:53:33 +0000 (20:53 +0300)]
Add SHADOW_CALL_STACK for ARM64
Alexander Popov [Thu, 22 Oct 2020 19:46:27 +0000 (22:46 +0300)]
Add the recommendation about TRIM_UNUSED_KSYMS
Alexander Popov [Thu, 22 Oct 2020 19:38:35 +0000 (22:38 +0300)]
Add ARM64_BTI_KERNEL
Alexander Popov [Thu, 22 Oct 2020 18:42:21 +0000 (21:42 +0300)]
Add the recommendation about UBSAN_BOUNDS
Enable UBSAN_BOUNDS and UBSAN_TRAP.
But keep UBSAN_MISC disabled to avoid useless reports.
Alexander Popov [Thu, 22 Oct 2020 17:46:04 +0000 (20:46 +0300)]
PAGE_POISONING -> PAGE_POISONING_ZERO
In fact, KSPP recommends PAGE_POISONING_ZERO.
Alexander Popov [Thu, 22 Oct 2020 16:59:00 +0000 (19:59 +0300)]
Improve AND check reports
Alexander Popov [Thu, 22 Oct 2020 16:09:35 +0000 (19:09 +0300)]
Improve HARDEN_EL2_VECTORS check
In fact HARDEN_EL2_VECTORS was included in RANDOMIZE_BASE in v5.9.
Use new nested ComplexOptChecks for this rule.
Refers to #48.
Alexander Popov [Thu, 22 Oct 2020 15:55:31 +0000 (18:55 +0300)]
Merge remote-tracking branch 'pgils/el2_vectors'
Thanks, @pgils.
Refers to #48.
Alexander Popov [Wed, 21 Oct 2020 18:20:37 +0000 (21:20 +0300)]
Add nested ComplexOptChecks support
Now we can do things like OR(opt1, AND(opt2, opt3)).
Cool!
Refers to #48
Pelle van Gils [Mon, 19 Oct 2020 13:07:53 +0000 (15:07 +0200)]
Do not check CONFIG_HARDEN_EL2_VECTORS for v5.9+
Alexander Popov [Fri, 16 Oct 2020 15:51:01 +0000 (18:51 +0300)]
Add TODO about SLUB_DEBUG_ON
Alexander Popov [Fri, 16 Oct 2020 15:39:41 +0000 (18:39 +0300)]
Add CLIP OS recommendation about EFI_CUSTOM_SSDT_OVERLAYS
Alexander Popov [Fri, 16 Oct 2020 15:37:35 +0000 (18:37 +0300)]
Disabling ACPI_TABLE_UPGRADE is now recommended by CLIP OS
Alexander Popov [Fri, 16 Oct 2020 15:05:37 +0000 (18:05 +0300)]
Withdraw my recommendation about BPF_JIT
CLIP OS wiki and Kees say that BPF interpreter is worse for the kernel
security than BPF_JIT.
So for now I withdraw my recommendation about BPF_JIT.
N.B. LOCKDOWN disables BPF_SYSCALL, but not BPF_JIT.
Alexander Popov [Wed, 14 Oct 2020 11:32:20 +0000 (14:32 +0300)]
Use cross compiler to build defconfigs
Alexander Popov [Wed, 14 Oct 2020 11:11:35 +0000 (14:11 +0300)]
Add defconfigs for Linux kernel v5.9
Alexander Popov [Wed, 15 Jul 2020 21:12:52 +0000 (00:12 +0300)]
Update the README
Ready for release 0.5.7
Alexander Popov [Wed, 15 Jul 2020 21:05:49 +0000 (00:05 +0300)]
Fix relevant pylint warnings
Alexander Popov [Wed, 15 Jul 2020 16:17:49 +0000 (19:17 +0300)]
Fix 'decision' priority order ('lockdown' vs 'clipos' vs 'grapheneos')
Alexander Popov [Wed, 15 Jul 2020 16:16:27 +0000 (19:16 +0300)]
Add CLIP OS recommendations about CONFIG_IO_URING and CONFIG_X86_IOPL_IOPERM
CONFIG_X86_IOPL_IOPERM is also disabled by kernel lockdown
Alexander Popov [Wed, 15 Jul 2020 16:14:10 +0000 (19:14 +0300)]
Add CONFIG_EFI_DISABLE_PCI_DMA recommended by CLIP OS
Alexander Popov [Wed, 15 Jul 2020 15:26:22 +0000 (18:26 +0300)]
Fix 'decision' -- CONFIG_INTEGRITY is not enabled by default on ARM
Alexander Popov [Wed, 15 Jul 2020 15:10:16 +0000 (18:10 +0300)]
Add defconfigs for Linux kernel v5.7
Alexander Popov [Wed, 15 Jul 2020 13:15:24 +0000 (16:15 +0300)]
Take new AND use case for X86_PTDUMP / PTDUMP_DEBUGFS
Alexander Popov [Wed, 15 Jul 2020 13:12:54 +0000 (16:12 +0300)]
Improve ComplexOptCheck use cases
Alexander Popov [Wed, 15 Jul 2020 11:44:39 +0000 (14:44 +0300)]
Add 'show_ok' and 'show_fail' print modes
Refers the issue #45
Alexander Popov [Mon, 13 Jul 2020 19:10:18 +0000 (22:10 +0300)]
Declare variables closer to their usage
Alexander Popov [Mon, 13 Jul 2020 18:48:05 +0000 (21:48 +0300)]
Get rid of 'kernel_version' global variable
(done while solving the issue #45)
Alexander Popov [Mon, 13 Jul 2020 18:13:43 +0000 (21:13 +0300)]
Big rework of the report modes
Let's fold the alternative options --debug and --json into --mode parameter:
-m {verbose,json}, --mode {verbose,json}
choose the report mode
That also allows to get rid of 'debug_mode' and 'json_mode' globals.
This work is a prerequisite of solving the issue #45.
Alexander Popov [Mon, 13 Jul 2020 15:27:35 +0000 (18:27 +0300)]
Add another link about user namespaces to Q&A
Alexander Popov [Fri, 10 Jul 2020 20:35:35 +0000 (23:35 +0300)]
Add ARM64_PAN
Alexander Popov [Thu, 9 Jul 2020 12:24:11 +0000 (15:24 +0300)]
Use += instead of append() for checklist
Alexander Popov [Thu, 9 Jul 2020 11:52:56 +0000 (14:52 +0300)]
Reorder some checking rules for better looking code
Alexander Popov [Thu, 9 Jul 2020 11:16:40 +0000 (14:16 +0300)]
Change the order of arguments in OptCheck constructor
That makes the code style much better.
Side note: I was thinking a lot about storing the checking rules
separately in some file format. Finally I decided not to do that because:
- I want avoid additional parsing (these rules are static anyway);
- the rules include a lot of special cases and exceptions, which
don't look pretty in any format.
Alexander Popov [Thu, 9 Jul 2020 06:30:18 +0000 (09:30 +0300)]
Drop unused 'state' property from ComplexOptCheck
Alexander Popov [Thu, 9 Jul 2020 05:59:24 +0000 (08:59 +0300)]
Don't return self.result in check() method -- it's not used
Alexander Popov [Mon, 6 Jul 2020 22:55:21 +0000 (01:55 +0300)]
ARM64_PTR_AUTH is now supported for the kernel (from v5.7)
Alexander Popov [Fri, 3 Jul 2020 18:10:56 +0000 (21:10 +0300)]
Add the link to huldufolk project by @tych0
Alexander Popov [Sat, 30 May 2020 20:17:46 +0000 (23:17 +0300)]
Add the link to @BlackIkeEagle article
Alexander Popov [Wed, 6 May 2020 21:36:58 +0000 (00:36 +0300)]
Merge branch 'ubuntu20'
Thanks @HacKurx.
HacKurx [Tue, 5 May 2020 08:51:33 +0000 (10:51 +0200)]
Upgrading to Ubuntu 20.04 kernel config
CONFIG_RANDOM_TRUST_BOOTLOADER = FAIL: "y"
CONFIG_SECURITY_LOCKDOWN_LSM = OK
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY = OK
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY = FAIL: "is not set"
Alexander Popov [Thu, 9 Apr 2020 15:54:38 +0000 (18:54 +0300)]
Merge branch 'evbug'
Thanks @HacKurx
Alexander Popov [Thu, 9 Apr 2020 15:28:30 +0000 (18:28 +0300)]
Merge branch 'pylint'
Thanks @shamilbi
HacKurx [Thu, 9 Apr 2020 11:48:56 +0000 (13:48 +0200)]
Updating the number of failures in the README
HacKurx [Thu, 9 Apr 2020 11:25:37 +0000 (13:25 +0200)]
Add CONFIG_INPUT_EVBUG
The "evbug" module records key events and mouse movements in the system log.
Useful for debugging, this is a security threat, its use can be hijacked as a keylogger.
An attacker will be able to retrieve your passwords using this module.
shamilbi [Wed, 8 Apr 2020 06:57:04 +0000 (13:57 +0700)]
pylint some code
Alexander Popov [Mon, 6 Apr 2020 14:36:19 +0000 (17:36 +0300)]
Improve versioning
Alexander Popov [Fri, 3 Apr 2020 17:00:06 +0000 (20:00 +0300)]
Add DRM_LEGACY, FB, and VT checks
Thanks to:
- Dmitry Vyukov @dvyukov for the idea
- Daniel Vetter @danvet for the knowledge
Alexander Popov [Tue, 31 Mar 2020 13:57:03 +0000 (16:57 +0300)]
Implement PresenceCheck and use it for LDISC_AUTOLOAD
Refers to #32
Alexander Popov [Tue, 31 Mar 2020 13:42:05 +0000 (16:42 +0300)]
Fix ComplexOptCheck result printing
Alexander Popov [Tue, 31 Mar 2020 13:41:40 +0000 (16:41 +0300)]
Newline should be printed by print_checklist() that prints the table
Alexander Popov [Tue, 31 Mar 2020 13:18:44 +0000 (16:18 +0300)]
Add more tests to increase coverage - IV
Alexander Popov [Tue, 31 Mar 2020 13:18:05 +0000 (16:18 +0300)]
Create polymorphism for printing, add table_print() method for each class
That makes print_checklist() much better.
Alexander Popov [Tue, 31 Mar 2020 12:24:13 +0000 (15:24 +0300)]
Revisit special behavior in checking and printing that depends on the class
Alexander Popov [Tue, 31 Mar 2020 11:34:38 +0000 (14:34 +0300)]
Rename some workflow steps
Alexander Popov [Mon, 30 Mar 2020 20:29:42 +0000 (23:29 +0300)]
Add more tests to increase coverage - III
Alexander Popov [Mon, 30 Mar 2020 17:11:00 +0000 (20:11 +0300)]
Add more tests to increase coverage - II
Alexander Popov [Mon, 30 Mar 2020 17:06:09 +0000 (20:06 +0300)]
Add more tests to increase coverage - I
Alexander Popov [Mon, 30 Mar 2020 16:08:29 +0000 (19:08 +0300)]
Collect coverage
Alexander Popov [Mon, 30 Mar 2020 13:36:14 +0000 (16:36 +0300)]
Count checked configs
Alexander Popov [Mon, 30 Mar 2020 12:04:26 +0000 (15:04 +0300)]
Check all configs automatically
Alexander Popov [Mon, 30 Mar 2020 11:53:55 +0000 (14:53 +0300)]
Revisit return values
Alexander Popov [Mon, 30 Mar 2020 09:51:26 +0000 (12:51 +0300)]
Create the github workflow for functional tests
Alexander Popov [Sat, 28 Mar 2020 20:58:29 +0000 (23:58 +0300)]
Fix the shebang to allow `./get-nix-kconfig.py`
Thanks to @Mic92
Refers to #27
Alexander Popov [Fri, 27 Mar 2020 20:25:02 +0000 (23:25 +0300)]
Add NixOS hardened kernel config
Alexander Popov [Thu, 26 Mar 2020 14:55:56 +0000 (17:55 +0300)]
Fix typo in README
Alexander Popov [Thu, 26 Mar 2020 13:57:54 +0000 (16:57 +0300)]
Add vim swp files to gitignore
Alexander Popov [Thu, 26 Mar 2020 13:55:00 +0000 (16:55 +0300)]
Merge branch 'nix'
Refers to #27
Jörg Thalheim [Thu, 2 Jan 2020 10:38:24 +0000 (10:38 +0000)]
add script to download linux kernel configs from nix
Jörg Thalheim [Thu, 2 Jan 2020 08:59:33 +0000 (08:59 +0000)]
add gitignore
Jörg Thalheim [Thu, 2 Jan 2020 08:53:41 +0000 (08:53 +0000)]
add default.nix for installation via nix
Allows installation via nix from the repository itself
on NixOS and other Linux distribution that have Nix (i.e. Archlinux/Debian).
```
$ nix-build
$ ./result/bin/kconfig-hardened-check
$ nix-env -f . -i
```
It also provides an development environment for `nix-shell` with setuptools and
python in path
```
$ nix-shell
```