Martin Rowe [Tue, 15 Mar 2022 12:38:05 +0000 (12:38 +0000)]
EFI mitigations can't be enabled if EFI is not set
Both EFI_DISABLE_PCI_DMA and RESET_ATTACK_MITIGATION depend on EFI, but if EFI is not set, neither config is required.
Useful on embedded devices that use u-boot or similar instead of EFI.
Alexander Popov [Sun, 13 Mar 2022 22:28:18 +0000 (01:28 +0300)]
Fix the BPF_UNPRIV_DEFAULT_OFF check (it is enabled by default)
Alexander Popov [Sun, 13 Mar 2022 18:12:23 +0000 (21:12 +0300)]
Add CONFIG_SLS vs CVE-2021-26341 in Straight-Line-Speculation
Alexander Popov [Sun, 13 Mar 2022 17:39:06 +0000 (20:39 +0300)]
Add the comment that l1d_flush is a part of the l1tf option
Alexander Popov [Sun, 13 Mar 2022 17:18:48 +0000 (20:18 +0300)]
Add BPF_UNPRIV_DEFAULT_OFF to cut_attack_surface
Alexander Popov [Sat, 5 Mar 2022 15:44:16 +0000 (18:44 +0300)]
Use the option type instead of calling hasattr()
Alexander Popov [Sat, 5 Mar 2022 14:42:24 +0000 (17:42 +0300)]
Merge branch 'refactoring'
It has more preparations for solving #46.
Alexander Popov [Mon, 14 Feb 2022 21:57:42 +0000 (00:57 +0300)]
Introduce the json_dump() class method
Alexander Popov [Mon, 14 Feb 2022 21:19:42 +0000 (00:19 +0300)]
Improve 'type' for ComplexOptCheck and PresenceCheck classes
Alexander Popov [Mon, 14 Feb 2022 21:18:50 +0000 (00:18 +0300)]
Make populate_with_data() aware of data type
Alexander Popov [Mon, 14 Feb 2022 18:23:58 +0000 (21:23 +0300)]
Add 'type' for PresenceCheck and VersionCheck
Alexander Popov [Mon, 14 Feb 2022 18:22:17 +0000 (21:22 +0300)]
Rename VerCheck to VersionCheck
Alexander Popov [Mon, 14 Feb 2022 16:50:21 +0000 (19:50 +0300)]
Add more ComplexOptCheck validation
Alexander Popov [Mon, 14 Feb 2022 14:47:21 +0000 (17:47 +0300)]
Improve print_unknown_options()
Don't miss options behind the second level of ComplexOptCheck
Alexander Popov [Mon, 14 Feb 2022 07:59:36 +0000 (10:59 +0300)]
Remove 'CONFIG_' hardcoding
Alexander Popov [Fri, 11 Feb 2022 22:16:44 +0000 (01:16 +0300)]
Merge branch 'refactoring'
It has preparations for solving #46.
Alexander Popov [Fri, 11 Feb 2022 22:03:06 +0000 (01:03 +0300)]
Refactor the OR logic code
Alexander Popov [Fri, 11 Feb 2022 17:08:41 +0000 (20:08 +0300)]
Rename config to kconfig where needed (part II)
Alexander Popov [Sat, 22 Jan 2022 23:15:13 +0000 (02:15 +0300)]
Extract populate_with_data() from perform_checks()
Alexander Popov [Sat, 22 Jan 2022 22:10:09 +0000 (01:10 +0300)]
Rename config to kconfig where needed
Alexander Popov [Sat, 22 Jan 2022 21:34:01 +0000 (00:34 +0300)]
Print the type of a check in the json mode
Alexander Popov [Sat, 22 Jan 2022 21:33:04 +0000 (00:33 +0300)]
ComplexOptCheck type has the type of the first opt in it
Alexander Popov [Fri, 21 Jan 2022 23:22:37 +0000 (02:22 +0300)]
Update the example output in the README (yes, now I like it!)
Alexander Popov [Fri, 21 Jan 2022 23:19:05 +0000 (02:19 +0300)]
Do more output tuning
Alexander Popov [Fri, 21 Jan 2022 22:35:42 +0000 (01:35 +0300)]
Update the example output in the README
Alexander Popov [Fri, 21 Jan 2022 22:33:43 +0000 (01:33 +0300)]
Add check type
Alexander Popov [Fri, 21 Jan 2022 22:16:31 +0000 (01:16 +0300)]
Update the example output in the README
Alexander Popov [Fri, 21 Jan 2022 22:06:56 +0000 (01:06 +0300)]
Print compactly
Alexander Popov [Fri, 21 Jan 2022 21:15:16 +0000 (00:15 +0300)]
Introduce KconfigCheck class
Alexander Popov [Fri, 21 Jan 2022 15:45:54 +0000 (18:45 +0300)]
Fix TRIM_UNUSED_KSYMS check
TRIM_UNUSED_KSYMS can't be enabled if MODULES are disabled.
Thanks to @Churam for reporting.
Refers to #58.
Alexander Popov [Fri, 24 Dec 2021 17:51:11 +0000 (20:51 +0300)]
Add l1d_flush (for future reference)
Alexander Popov [Sun, 5 Dec 2021 11:57:08 +0000 (14:57 +0300)]
Add ARM64_PTR_AUTH_KERNEL extracted from ARM64_PTR_AUTH
Alexander Popov [Sun, 21 Nov 2021 13:09:53 +0000 (16:09 +0300)]
Document the output modes specified by the `-m` parameter
Alexander Popov [Sun, 21 Nov 2021 12:08:39 +0000 (15:08 +0300)]
TODO: RISC-V
See #56
Alexander Popov [Tue, 9 Nov 2021 18:59:43 +0000 (21:59 +0300)]
Update the README (a lot of new checks appeared)
Alexander Popov [Tue, 9 Nov 2021 18:29:10 +0000 (21:29 +0300)]
Keep the old X86_PTDUMP check as a backup
Alexander Popov [Tue, 9 Nov 2021 18:05:09 +0000 (21:05 +0300)]
Simplify the check about PTDUMP_DEBUGFS (I was correct)
Alexander Popov [Tue, 9 Nov 2021 18:02:57 +0000 (21:02 +0300)]
Add more checks from grsecurity for cutting attack surface (part II)
This includes:
- KCMP
- RSEQ
- LATENCYTOP
- KCOV
- PROVIDE_OHCI1394_DMA_INIT
- SUNRPC_DEBUG
- FAIL_FUTEX
- KPROBE_EVENTS
- UPROBE_EVENTS
- FUNCTION_TRACER
- STACK_TRACER
- HIST_TRIGGERS
- BLK_DEV_IO_TRACE
Alexander Popov [Tue, 9 Nov 2021 17:20:59 +0000 (20:20 +0300)]
Fix the 'decision' field of the IO_URING check
grsecurity disables IO_URING as well to cut attack surface
Alexander Popov [Tue, 9 Nov 2021 17:11:22 +0000 (20:11 +0300)]
Add more checks from grsecurity for cutting attack surface (part I)
This includes:
- PUNIT_ATOM_DEBUG
- ACPI_CONFIGFS
- EDAC_DEBUG
- DRM_I915_DEBUG
- BCACHE_CLOSURES_DEBUG
- DVB_C8SECTPFE
- MTD_SLRAM
- MTD_PHRAM
Alexander Popov [Tue, 9 Nov 2021 16:48:32 +0000 (19:48 +0300)]
Fix the 'decision' field of the KPROBES check
Alexander Popov [Tue, 9 Nov 2021 16:46:18 +0000 (19:46 +0300)]
Add the comment
Alexander Popov [Thu, 23 Sep 2021 12:56:34 +0000 (15:56 +0300)]
Improve the README
Alexander Popov [Thu, 23 Sep 2021 12:35:20 +0000 (15:35 +0300)]
Get a bit more coverage
Alexander Popov [Thu, 23 Sep 2021 12:01:36 +0000 (15:01 +0300)]
Update the README
Ready for the release 0.5.14.
Alexander Popov [Wed, 22 Sep 2021 10:50:11 +0000 (13:50 +0300)]
Move 'self_protection' & 'maintainer' higher
Alexander Popov [Tue, 21 Sep 2021 19:29:22 +0000 (22:29 +0300)]
Add HARDENED_USERCOPY_PAGESPAN check from KSPP
Alexander Popov [Tue, 21 Sep 2021 18:35:12 +0000 (21:35 +0300)]
Add comments about the maintainer recommendations
Refers to #53
Alexander Popov [Tue, 21 Sep 2021 18:19:51 +0000 (21:19 +0300)]
Fix UBSAN_BOUNDS recommendations
Thanks to @kees and @equaeghe
Refers to #53
Alexander Popov [Tue, 21 Sep 2021 17:44:17 +0000 (20:44 +0300)]
RANDOMIZE_KSTACK_OFFSET_DEFAULT is recommended by KSPP
Thanks to @anthraxx
Alexander Popov [Thu, 16 Sep 2021 18:01:57 +0000 (21:01 +0300)]
Update the KSPP recommendations
Alexander Popov [Thu, 16 Sep 2021 16:54:35 +0000 (19:54 +0300)]
Add defconfigs for Linux v5.14
Alexander Popov [Fri, 10 Sep 2021 21:26:54 +0000 (00:26 +0300)]
Merge pull request #54 from evdenis/master
Recommend disabling CONFIG_BLK_DEV_FD (thanks to @evdenis)
Denis Efremov [Fri, 10 Sep 2021 12:30:04 +0000 (15:30 +0300)]
Add BLK_DEV_FD
The floppy driver was written many years ago. It was designed to work in a single-threaded environment (many global variables) and to work on real hardware which has significant delays (floppy drives are slow). Nowadays, when we use virtual devices (which are fast) and multi-core CPUs, the floppy driver shows its problems, including deadlocking/livelocking and other security-related issues. However, we can't just rewrite it because of the lack of real hardware and compatibility with existing userspace tools, many of which rely on undocumented driver behavior.
Here are some CVEs related to floppy driver:
- CVE-2014-1737 privileges escalation in FDRAWCMD ioctl
- CVE-2014-1738 info leak from kernel heap in FDRAWCMD ioctl
- CVE-2018-7755 kernel pointer leak in FDGETPRM ioctl
- CVE-2019-14283 integer overflow and out-of-bounds read in set_geometry
- CVE-2019-14284 denial of service in setup_format_params
- CVE-2020-9383 out-of-bounds read in set_fdc
- CVE-2021-20261 race condition in floppy_revalidate, floppy_check_events
As pointed out by Linus [1]:
> The only users are virtualization, and even they are going away
> because floppies are so small, and other things have become more
> standard anyway (ie USB disk) or easier to emulate (NVMe or whatever).
> So I suspect the only reason floppy is used even in that area is just
> legacy "we haven't bothered updating to anything better and we have
> old scripts and images that work".
CONFIG_BLK_DEV_FD is not enabled in defconfig on x86_64.
Many distros already require root access for /dev/fd0.
However, qemu (5.2.0) still enables floppy device by default.
[1] https://lore.kernel.org/all/CAHk-=whFAAV_TOLFNnj=wu4mD2L9OvgB6n2sKDdmd8buMKFv8A@mail.gmail.com/
Alexander Popov [Fri, 20 Aug 2021 16:34:35 +0000 (19:34 +0300)]
Add RANDOMIZE_KSTACK_OFFSET_DEFAULT
This refers to the pull request #52.
Thanks to Levente Polyak aka @anthraxx.
Alexander Popov [Sun, 29 Aug 2021 21:16:27 +0000 (00:16 +0300)]
Add CFI_CLANG
Alexander Popov [Fri, 20 Aug 2021 17:10:54 +0000 (20:10 +0300)]
Add ARM64_EPAN
Alexander Popov [Fri, 20 Aug 2021 18:19:03 +0000 (21:19 +0300)]
Merge pull request #51 from Hacks4Snacks/master
Added the CBL-Mariner kernel configuration file.
Mark D. Gray [Fri, 20 Aug 2021 17:39:03 +0000 (12:39 -0500)]
Added Linux/x86_64 kernel config link for CBL-Mariner
Mark D. Gray [Thu, 19 Aug 2021 20:40:09 +0000 (15:40 -0500)]
Added cbl-mariner kernel configuration file.
Alexander Popov [Sat, 14 Aug 2021 07:10:13 +0000 (10:10 +0300)]
Add hardware tag-based KASAN with arm64 Memory Tagging Extension
Alexander Popov [Sat, 14 Aug 2021 06:33:14 +0000 (09:33 +0300)]
Add the command line parameters that should NOT be set
Alexander Popov [Sun, 8 Aug 2021 22:00:28 +0000 (01:00 +0300)]
Document the changes of vm.unprivileged_userfaultfd in v5.11
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=37cd0575b8510159992d279c530c05f872990b02
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d0d4730ac2e404a5b0da9a87ef38c73e51cb1664
Alexander Popov [Sun, 8 Aug 2021 13:48:04 +0000 (16:48 +0300)]
Add the news about PAGE_POISONING
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f289041ed4cf9a3f6e8a32068fef9ffb2acc5662
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f424750baaafcef229791882e879da01c9473b5
Alexander Popov [Fri, 2 Jul 2021 12:56:13 +0000 (15:56 +0300)]
Improve wording
Alexander Popov [Sat, 19 Jun 2021 17:36:31 +0000 (20:36 +0300)]
Update the README.
Ready for the release 0.5.10.
Alexander Popov [Sat, 19 Jun 2021 15:42:02 +0000 (18:42 +0300)]
Fix pylint warning
Alexander Popov [Sat, 19 Jun 2021 15:22:23 +0000 (18:22 +0300)]
Remember that SHADOW_CALL_STACK depends on clang
Alexander Popov [Sat, 19 Jun 2021 15:20:02 +0000 (18:20 +0300)]
STACKPROTECTOR_PER_TASK is also available for ARM64
Alexander Popov [Sat, 19 Jun 2021 15:17:33 +0000 (18:17 +0300)]
INTEL_IOMMU_SVM is available only for X86_64
Alexander Popov [Sat, 19 Jun 2021 15:08:30 +0000 (18:08 +0300)]
Reorder arch checks
Alexander Popov [Sat, 19 Jun 2021 12:40:13 +0000 (15:40 +0300)]
SECURITY_DMESG_RESTRICT is recommended by KSPP now
Alexander Popov [Sat, 19 Jun 2021 11:49:03 +0000 (14:49 +0300)]
Think about kptr_restrict later (KSPP recommends setting it to 1)
Alexander Popov [Sat, 19 Jun 2021 11:46:54 +0000 (14:46 +0300)]
Mention that nosmt is slow
Alexander Popov [Sat, 19 Jun 2021 11:46:07 +0000 (14:46 +0300)]
More info on init_on_free and init_on_alloc
Alexander Popov [Sat, 19 Jun 2021 11:45:02 +0000 (14:45 +0300)]
SLUB_DEBUG_ON is very slow, leave it for the kernel command line
Alexander Popov [Sat, 19 Jun 2021 11:27:21 +0000 (14:27 +0300)]
Update KSPP recommendations
Alexander Popov [Sat, 19 Jun 2021 11:15:14 +0000 (14:15 +0300)]
Add defconfigs for v5.10
Made with updated https://github.com/a13xp0p0v/kernel-build-containers
Excellent!
Alexander Popov [Sat, 19 Jun 2021 10:04:30 +0000 (13:04 +0300)]
HARDEN_BRANCH_PREDICTOR for ARM64 is enabled by default since v5.10
Alexander Popov [Fri, 18 Jun 2021 21:12:46 +0000 (00:12 +0300)]
Add ARM64_MTE for userspace
Alexander Popov [Fri, 18 Jun 2021 21:11:41 +0000 (00:11 +0300)]
Maybe SHADOW_CALL_STACK should be an alternative to STACKPROTECTOR_STRONG
Alexander Popov [Fri, 18 Jun 2021 17:47:20 +0000 (20:47 +0300)]
Save 'debugfs=no-mount' for future
Alexander Popov [Fri, 30 Oct 2020 17:56:45 +0000 (20:56 +0300)]
Update the README.
Ready for the release 0.5.9.
Alexander Popov [Fri, 30 Oct 2020 17:44:07 +0000 (20:44 +0300)]
Fix indentation (thanks to pylint)
Alexander Popov [Thu, 29 Oct 2020 08:03:24 +0000 (11:03 +0300)]
Add a Q&A about spectre-meltdown-checker maintained by @speed47
Alexander Popov [Fri, 23 Oct 2020 18:03:01 +0000 (21:03 +0300)]
INIT_STACK_ALL -> INIT_STACK_ALL_ZERO (was renamed)
Alexander Popov [Fri, 23 Oct 2020 17:53:33 +0000 (20:53 +0300)]
Add SHADOW_CALL_STACK for ARM64
Alexander Popov [Thu, 22 Oct 2020 19:46:27 +0000 (22:46 +0300)]
Add the recommendation about TRIM_UNUSED_KSYMS
Alexander Popov [Thu, 22 Oct 2020 19:38:35 +0000 (22:38 +0300)]
Add ARM64_BTI_KERNEL
Alexander Popov [Thu, 22 Oct 2020 18:42:21 +0000 (21:42 +0300)]
Add the recommendation about UBSAN_BOUNDS
Enable UBSAN_BOUNDS and UBSAN_TRAP.
But keep UBSAN_MISC disabled to avoid useless reports.
Alexander Popov [Thu, 22 Oct 2020 17:46:04 +0000 (20:46 +0300)]
PAGE_POISONING -> PAGE_POISONING_ZERO
In fact, KSPP recommends PAGE_POISONING_ZERO.
Alexander Popov [Thu, 22 Oct 2020 16:59:00 +0000 (19:59 +0300)]
Improve AND check reports
Alexander Popov [Thu, 22 Oct 2020 16:09:35 +0000 (19:09 +0300)]
Improve HARDEN_EL2_VECTORS check
In fact HARDEN_EL2_VECTORS was included in RANDOMIZE_BASE in v5.9.
Use new nested ComplexOptChecks for this rule.
Refers to #48.
Alexander Popov [Thu, 22 Oct 2020 15:55:31 +0000 (18:55 +0300)]
Merge remote-tracking branch 'pgils/el2_vectors'
Thanks, @pgils.
Refers to #48.
Alexander Popov [Wed, 21 Oct 2020 18:20:37 +0000 (21:20 +0300)]
Add nested ComplexOptChecks support
Now we can do things like OR(opt1, AND(opt2, opt3)).
Cool!
Refers to #48
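The nested OR/AND rules described above, applied to the dependency rules from the TRIM_UNUSED_KSYMS, EFI and HARDEN_EL2_VECTORS commits in this log, as an added example: it is my own minimal reimplementation of the idea, not the project's code. The class names, the (major, minor) version tuple, the sample .config and the treatment of an absent option as 'is not set' are assumptions.

```python
import re
# Constructed sample .config fragment (not a real distribution config).
SAMPLE_CONFIG = """\
# CONFIG_MODULES is not set
# CONFIG_TRIM_UNUSED_KSYMS is not set
# CONFIG_EFI is not set
CONFIG_RANDOMIZE_BASE=y
CONFIG_BLK_DEV_FD=y
"""
def parse_kconfig(text):
    """Map option name -> value; '# CONFIG_X is not set' lines map to 'is not set'."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r'^CONFIG_(\w+)=(.+)$', line) or re.match(r'^# CONFIG_(\w+)( is not set)$', line)
        if m:
            opts[m.group(1)] = m.group(2).strip()
    return opts

class KconfigCheck:
    """Pass when the option has the expected value; an absent option counts as 'is not set' (assumption)."""
    def __init__(self, name, expected): self.name, self.expected = name, expected
    def check(self, opts, version): return opts.get(self.name, 'is not set') == self.expected
class VersionCheck:
    """Pass when the kernel version (major, minor) is at least the minimum."""
    def __init__(self, minimum): self.minimum = minimum
    def check(self, opts, version): return version >= self.minimum

class OR:
    """Pass when any nested check passes; nesting allows OR(opt1, AND(opt2, opt3))."""
    def __init__(self, *checks): self.checks = checks
    def check(self, opts, version): return any(c.check(opts, version) for c in self.checks)

class AND(OR):
    def check(self, opts, version): return all(c.check(opts, version) for c in self.checks)
RULES = {
    # TRIM_UNUSED_KSYMS only matters when MODULES is enabled
    'TRIM_UNUSED_KSYMS': OR(KconfigCheck('TRIM_UNUSED_KSYMS', 'y'), KconfigCheck('MODULES', 'is not set')),
    # EFI_DISABLE_PCI_DMA only matters when EFI is enabled
    'EFI_DISABLE_PCI_DMA': OR(KconfigCheck('EFI_DISABLE_PCI_DMA', 'y'), KconfigCheck('EFI', 'is not set')),
    # HARDEN_EL2_VECTORS was folded into RANDOMIZE_BASE in v5.9: OR(opt, AND(version, opt))
    'HARDEN_EL2_VECTORS': OR(KconfigCheck('HARDEN_EL2_VECTORS', 'y'),
                             AND(VersionCheck((5, 9)), KconfigCheck('RANDOMIZE_BASE', 'y'))),
    # disable the floppy driver to cut attack surface
    'BLK_DEV_FD': KconfigCheck('BLK_DEV_FD', 'is not set'),
}
def run_checks(config_text, version):
    """Return {rule: True (OK) / False (FAIL)} for a .config and a (major, minor) kernel version."""
    opts = parse_kconfig(config_text)
    return {name: rule.check(opts, version) for name, rule in RULES.items()}
```

With the sample config, the three dependency rules pass on a v5.10 kernel, HARDEN_EL2_VECTORS fails on v5.8 (before the fold into RANDOMIZE_BASE), and BLK_DEV_FD fails because the floppy driver is built in.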
Pelle van Gils [Mon, 19 Oct 2020 13:07:53 +0000 (15:07 +0200)]
Do not check CONFIG_HARDEN_EL2_VECTORS for v5.9+
Alexander Popov [Fri, 16 Oct 2020 15:51:01 +0000 (18:51 +0300)]
Add TODO about SLUB_DEBUG_ON
Alexander Popov [Fri, 16 Oct 2020 15:39:41 +0000 (18:39 +0300)]
Add CLIP OS recommendation about EFI_CUSTOM_SSDT_OVERLAYS
Alexander Popov [Fri, 16 Oct 2020 15:37:35 +0000 (18:37 +0300)]
Disabling ACPI_TABLE_UPGRADE is now recommended by CLIP OS
Alexander Popov [Fri, 16 Oct 2020 15:05:37 +0000 (18:05 +0300)]
Withdraw my recommendation about BPF_JIT
The CLIP OS wiki and Kees say that the BPF interpreter is worse for kernel security than BPF_JIT.
So for now I withdraw my recommendation about BPF_JIT.
N.B. LOCKDOWN disables BPF_SYSCALL, but not BPF_JIT.