kconfig-hardened-check.git
20 months agoInform about supporting *.gz kconfig files
Alexander Popov [Sun, 26 Mar 2023 15:19:55 +0000 (18:19 +0300)]
Inform about supporting *.gz kconfig files

Refers to #80

20 months agoAdd an example of a gzipped config
Alexander Popov [Sun, 26 Mar 2023 15:10:40 +0000 (18:10 +0300)]
Add an example of a gzipped config

Refers to #80

20 months agoMerge pull request #80 from nE0sIghT/feature/gzipped-config
Alexander Popov [Sun, 26 Mar 2023 15:06:37 +0000 (18:06 +0300)]
Merge pull request #80 from nE0sIghT/feature/gzipped-config

Added support for gzipped config (eg. /proc/config.gz)

20 months agoAdded support for gzipped config (eg. /proc/config.gz) 80/head
Yuri Konotopov [Sat, 25 Mar 2023 09:36:30 +0000 (13:36 +0400)]
Added support for gzipped config (eg. /proc/config.gz)

20 months agotest_engine: add test_OR() and test_AND()
Alexander Popov [Fri, 24 Mar 2023 20:19:02 +0000 (23:19 +0300)]
test_engine: add test_OR() and test_AND()

20 months agotest_engine: reorganize single unit-tests
Alexander Popov [Fri, 24 Mar 2023 20:18:32 +0000 (23:18 +0300)]
test_engine: reorganize single unit-tests

20 months agotest_engine: add test_kconfig_not_found()
Alexander Popov [Fri, 24 Mar 2023 20:18:06 +0000 (23:18 +0300)]
test_engine: add test_kconfig_not_found()

20 months agoPrevent populating the checklist with empty data
Alexander Popov [Fri, 24 Mar 2023 20:17:39 +0000 (23:17 +0300)]
Prevent populating the checklist with empty data

20 months agotest_engine: add test_cmdline_ok() and test_cmdline_fail()
Alexander Popov [Fri, 24 Mar 2023 20:17:20 +0000 (23:17 +0300)]
test_engine: add test_cmdline_ok() and test_cmdline_fail()

20 months agotest_engine: add test_kconfig_fail()
Alexander Popov [Fri, 24 Mar 2023 20:16:41 +0000 (23:16 +0300)]
test_engine: add test_kconfig_fail()

20 months agoMute some pylint warnings for test_engine.py
Alexander Popov [Fri, 24 Mar 2023 20:16:15 +0000 (23:16 +0300)]
Mute some pylint warnings for test_engine.py

20 months agotest_engine: add test_kconfig_ok()
Alexander Popov [Fri, 24 Mar 2023 20:15:57 +0000 (23:15 +0300)]
test_engine: add test_kconfig_ok()

20 months agorun_engine(): add the 'result' argument and put the JSON output into it
Alexander Popov [Fri, 24 Mar 2023 20:15:38 +0000 (23:15 +0300)]
run_engine(): add the 'result' argument and put the JSON output into it

20 months agoFix pylint warnings: add class docstring
Alexander Popov [Fri, 24 Mar 2023 20:11:49 +0000 (23:11 +0300)]
Fix pylint warnings: add class docstring

20 months agoFix pylint warnings: mark run_engine() with @staticmethod
Alexander Popov [Fri, 24 Mar 2023 20:11:22 +0000 (23:11 +0300)]
Fix pylint warnings: mark run_engine() with @staticmethod

20 months agoCreate the run_engine() helper
Alexander Popov [Fri, 24 Mar 2023 20:10:57 +0000 (23:10 +0300)]
Create the run_engine() helper

20 months agoAdd the first unit-test draft
Alexander Popov [Fri, 24 Mar 2023 20:10:35 +0000 (23:10 +0300)]
Add the first unit-test draft

20 months agoFix style
Alexander Popov [Fri, 24 Mar 2023 20:10:13 +0000 (23:10 +0300)]
Fix style

20 months agoGroup the badges
Alexander Popov [Sat, 11 Mar 2023 08:31:27 +0000 (11:31 +0300)]
Group the badges

20 months agoSet the names for the codecov uploads
Alexander Popov [Fri, 10 Mar 2023 22:07:41 +0000 (01:07 +0300)]
Set the names for the codecov uploads

20 months agoCreate two separate badges: functional test coverage and unit-test coverage
Alexander Popov [Fri, 10 Mar 2023 21:31:33 +0000 (00:31 +0300)]
Create two separate badges: functional test coverage and unit-test coverage

20 months agoInstall 'coverage' in the unit-test CI workflow
Alexander Popov [Fri, 10 Mar 2023 21:17:02 +0000 (00:17 +0300)]
Install 'coverage' in the unit-test CI workflow

20 months agoDon't fail the unit-test template
Alexander Popov [Fri, 10 Mar 2023 21:09:38 +0000 (00:09 +0300)]
Don't fail the unit-test template

That will allow the CI workflow to continue

20 months agoUpload the unit-test coverage to codecov (use a separate flag)
Alexander Popov [Fri, 10 Mar 2023 21:03:49 +0000 (00:03 +0300)]
Upload the unit-test coverage to codecov (use a separate flag)

20 months agoAdd the links to the project badges
Alexander Popov [Fri, 10 Mar 2023 20:39:02 +0000 (23:39 +0300)]
Add the links to the project badges

20 months agoAdd the unit-test badge
Alexander Popov [Fri, 10 Mar 2023 20:36:34 +0000 (23:36 +0300)]
Add the unit-test badge

20 months agoRename the workflow file with the functional test
Alexander Popov [Fri, 10 Mar 2023 20:33:24 +0000 (23:33 +0300)]
Rename the workflow file with the functional test

20 months agoCreate a separate CI workflow for unit-tests
Alexander Popov [Fri, 10 Mar 2023 20:22:47 +0000 (23:22 +0300)]
Create a separate CI workflow for unit-tests

20 months agoAdd a template for unit-tests
Alexander Popov [Fri, 10 Mar 2023 20:12:58 +0000 (23:12 +0300)]
Add a template for unit-tests

20 months agoErase coverage to prepare for unit-testing
Alexander Popov [Fri, 10 Mar 2023 20:03:04 +0000 (23:03 +0300)]
Erase coverage to prepare for unit-testing

20 months agoLimit the number of parallel GitHub Action jobs to 3
Alexander Popov [Mon, 6 Mar 2023 17:06:38 +0000 (20:06 +0300)]
Limit the number of parallel GitHub Action jobs to 3

That hopefully prevents the error "codecov failed with exit code 255".

20 months agoAdd more automatic tests (and increase the coverage)
Alexander Popov [Mon, 6 Mar 2023 15:49:42 +0000 (18:49 +0300)]
Add more automatic tests (and increase the coverage)

20 months agoUpdate the GitHub Actions to newer versions
Alexander Popov [Mon, 6 Mar 2023 15:21:08 +0000 (18:21 +0300)]
Update the GitHub Actions to newer versions

20 months agoDrop a useless 'if'
Alexander Popov [Mon, 6 Mar 2023 14:59:53 +0000 (17:59 +0300)]
Drop a useless 'if'

This condition has been checked at the beginning of the function.

Noticed this in the code coverage report.

20 months agoRefactor normalize_cmdline_options() for better style and test coverage
Alexander Popov [Mon, 6 Mar 2023 14:51:47 +0000 (17:51 +0300)]
Refactor normalize_cmdline_options() for better style and test coverage

20 months agoDrop the 'kvm.nx_huge_pages' check
Alexander Popov [Mon, 6 Mar 2023 14:35:29 +0000 (17:35 +0300)]
Drop the 'kvm.nx_huge_pages' check

It's not really about security

20 months agoFix the bug in OptCheck.check() introduced in cb779a71bf57d95b
Alexander Popov [Sun, 5 Mar 2023 20:56:45 +0000 (23:56 +0300)]
Fix the bug in OptCheck.check() introduced in cb779a71bf57d95b

Use 'elif' instead of 'if' to avoid wrong self.result when
self.state is 'off'.

We need unit-tests for the engine checking the correctness: #79

20 months agoImprove the test coverage
Alexander Popov [Sun, 5 Mar 2023 14:42:58 +0000 (17:42 +0300)]
Improve the test coverage

20 months agoFix style in the CI script
Alexander Popov [Sun, 5 Mar 2023 14:40:16 +0000 (17:40 +0300)]
Fix style in the CI script

20 months agoImprove the slab_nomerge check
Alexander Popov [Sun, 5 Mar 2023 13:55:44 +0000 (16:55 +0300)]
Improve the slab_nomerge check

20 months agoAdd my files to gitignore
Alexander Popov [Sun, 5 Mar 2023 13:23:14 +0000 (16:23 +0300)]
Add my files to gitignore

20 months agoUse similar f-strings for more cases
Alexander Popov [Sun, 5 Mar 2023 13:19:41 +0000 (16:19 +0300)]
Use similar f-strings for more cases

20 months agoCompare with None explicitly
Alexander Popov [Sun, 5 Mar 2023 12:57:43 +0000 (15:57 +0300)]
Compare with None explicitly

These objects should be compared for identity with None using 'is' operator.

20 months agoAdd the GitHub link
Alexander Popov [Sun, 5 Mar 2023 10:02:21 +0000 (13:02 +0300)]
Add the GitHub link

20 months agoAllow not setting specific CPU bug mitigations only if 'mitigations=auto,nosmt'
Alexander Popov [Wed, 1 Mar 2023 15:26:02 +0000 (18:26 +0300)]
Allow not setting specific CPU bug mitigations only if 'mitigations=auto,nosmt'

20 months agoImprove the 'pylint disable' statements
Alexander Popov [Sun, 26 Feb 2023 20:08:07 +0000 (23:08 +0300)]
Improve the 'pylint disable' statements

20 months agoAdd docstrings for the modules
Alexander Popov [Sun, 26 Feb 2023 20:05:44 +0000 (23:05 +0300)]
Add docstrings for the modules

20 months agoSplit into Python modules
Alexander Popov [Sun, 26 Feb 2023 19:06:08 +0000 (22:06 +0300)]
Split into Python modules

20 months agoFix pylint: Using open without explicitly specifying an encoding
Alexander Popov [Sun, 26 Feb 2023 07:02:04 +0000 (10:02 +0300)]
Fix pylint: Using open without explicitly specifying an encoding

20 months agoFix pylint warning: formatting a regular string which could be a f-string (IV)
Alexander Popov [Sun, 26 Feb 2023 06:44:26 +0000 (09:44 +0300)]
Fix pylint warning: formatting a regular string which could be a f-string (IV)

Part IV, sys.exit()

20 months agoFix pylint warning: formatting a regular string which could be a f-string (III)
Alexander Popov [Sun, 26 Feb 2023 06:37:21 +0000 (09:37 +0300)]
Fix pylint warning: formatting a regular string which could be a f-string (III)

Part III, strings

20 months agoFix pylint warning: formatting a regular string which could be a f-string (II)
Alexander Popov [Sun, 26 Feb 2023 06:31:05 +0000 (09:31 +0300)]
Fix pylint warning: formatting a regular string which could be a f-string (II)

Part II, assert()

20 months agoFix pylint warning: formatting a regular string which could be a f-string (I)
Alexander Popov [Sun, 26 Feb 2023 05:58:45 +0000 (08:58 +0300)]
Fix pylint warning: formatting a regular string which could be a f-string (I)

Part I, print()

21 months agoImprove the 'mitigations' check
Alexander Popov [Fri, 17 Feb 2023 17:12:52 +0000 (20:12 +0300)]
Improve the 'mitigations' check

Thanks to @izh1979

21 months agoAdd more info about perf_event_paranoid
Alexander Popov [Thu, 16 Feb 2023 16:11:38 +0000 (19:11 +0300)]
Add more info about perf_event_paranoid

Thanks to @izh1979

21 months agoReturn the AIO check
Alexander Popov [Sat, 4 Feb 2023 14:04:40 +0000 (17:04 +0300)]
Return the AIO check

Linus about AIO: https://lwn.net/Articles/671657/
LWN: Fixing asynchronous I/O, again: https://lwn.net/Articles/671649/

21 months agoAdd the NOUVEAU_LEGACY_CTX_SUPPORT check
Alexander Popov [Sat, 4 Feb 2023 13:22:42 +0000 (16:22 +0300)]
Add the NOUVEAU_LEGACY_CTX_SUPPORT check

See https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b30a43ac7132cdda833ac4b13dd1ebd35ace14b7

Dave Airlie:
There was a nouveau DDX that relied on legacy context ioctls to work,
but we fixed it years ago, give distros that have a modern DDX the
option to break the uAPI and close the mess of holes that legacy
context support is.

21 months agoDon't use the uninitialized 'parsed_cmdline_options' variable
Alexander Popov [Sat, 4 Feb 2023 11:57:54 +0000 (14:57 +0300)]
Don't use the uninitialized 'parsed_cmdline_options' variable

22 months agoUpdate the README
Alexander Popov [Sun, 22 Jan 2023 00:37:51 +0000 (03:37 +0300)]
Update the README

Ready for release 0.6.1.

22 months agoFix the 'decision' for the slub_merge check
Alexander Popov [Sun, 22 Jan 2023 22:16:52 +0000 (01:16 +0300)]
Fix the 'decision' for the slub_merge check

22 months agoFix the pylint R1714 issues
Alexander Popov [Sun, 22 Jan 2023 00:16:01 +0000 (03:16 +0300)]
Fix the pylint R1714 issues

No functional changes

22 months agoAdd the check for the 'kvm.nx_huge_pages' cmdline parameter
Alexander Popov [Sat, 21 Jan 2023 22:52:33 +0000 (01:52 +0300)]
Add the check for the 'kvm.nx_huge_pages' cmdline parameter

22 months agoAdd the check for the slub_merge cmdline parameter
Alexander Popov [Sat, 21 Jan 2023 22:41:43 +0000 (01:41 +0300)]
Add the check for the slub_merge cmdline parameter

22 months agoRename the file with the KSPP cmdline recommendations to avoid breaking the CI
Alexander Popov [Sat, 21 Jan 2023 22:07:42 +0000 (01:07 +0300)]
Rename the file with the KSPP cmdline recommendations to avoid breaking the CI

22 months agoClean up the comments
Alexander Popov [Sat, 21 Jan 2023 22:00:31 +0000 (01:00 +0300)]
Clean up the comments

22 months agoAdd the check for the iommu cmdline option
Alexander Popov [Sat, 21 Jan 2023 21:58:41 +0000 (00:58 +0300)]
Add the check for the iommu cmdline option

Refers to #76

22 months agoAdd the KSPP cmdline recommendations for x86_64
Alexander Popov [Sat, 21 Jan 2023 12:30:56 +0000 (15:30 +0300)]
Add the KSPP cmdline recommendations for x86_64

22 months agoInclude parsed_cmdline_options in the print_unknown_options() call
Alexander Popov [Sat, 21 Jan 2023 12:23:13 +0000 (15:23 +0300)]
Include parsed_cmdline_options in the print_unknown_options() call

22 months agoRename the files with the KSPP recommendations
Alexander Popov [Sat, 21 Jan 2023 10:53:39 +0000 (13:53 +0300)]
Rename the files with the KSPP recommendations

22 months agoDrop get-nix-kconfig.py (`nix-build get-nixos-kconfig.nix` does the job)
Alexander Popov [Thu, 19 Jan 2023 15:54:49 +0000 (18:54 +0300)]
Drop get-nix-kconfig.py (`nix-build get-nixos-kconfig.nix` does the job)

Refers to #77 and #63.

22 months agoAdd the NixOS kernel configs
Alexander Popov [Thu, 19 Jan 2023 15:34:12 +0000 (18:34 +0300)]
Add the NixOS kernel configs

Refers to #77

22 months agoMerge branch 'from-o8opi-2'
Alexander Popov [Thu, 19 Jan 2023 15:10:54 +0000 (18:10 +0300)]
Merge branch 'from-o8opi-2'

Thanks, @o8opi

22 months agoUpdate the VMAP_STACK check: it is available for ARM
Alexander Popov [Sun, 15 Jan 2023 21:10:12 +0000 (00:10 +0300)]
Update the VMAP_STACK check: it is available for ARM

22 months agoFix the arch condition for the SCHED_CORE check (II)
Alexander Popov [Sun, 15 Jan 2023 20:06:20 +0000 (23:06 +0300)]
Fix the arch condition for the SCHED_CORE check (II)

22 months agoUpdate the KSPP recommendations
Alexander Popov [Sat, 14 Jan 2023 15:46:45 +0000 (18:46 +0300)]
Update the KSPP recommendations

22 months agoFix the IOMMU_DEFAULT_DMA_STRICT check: it is in defconfig for arm64 and arm
Alexander Popov [Sat, 14 Jan 2023 15:07:29 +0000 (18:07 +0300)]
Fix the IOMMU_DEFAULT_DMA_STRICT check: it is in defconfig for arm64 and arm

22 months agoAdd the COMPAT and X86_X32_ABI checks
Alexander Popov [Sat, 14 Jan 2023 10:47:21 +0000 (13:47 +0300)]
Add the COMPAT and X86_X32_ABI checks

KSPP has added them to the recommendations.

Refers to #74.

22 months agoFix the WERROR check: it is in defconfig for X86_64 and X86_32 now
Alexander Popov [Sat, 14 Jan 2023 10:39:49 +0000 (13:39 +0300)]
Fix the WERROR check: it is in defconfig for X86_64 and X86_32 now

22 months agoFix the DEBUG_WX check: it is in defconfig for X86_64 and X86_32 now
Alexander Popov [Sat, 14 Jan 2023 10:33:33 +0000 (13:33 +0300)]
Fix the DEBUG_WX check: it is in defconfig for X86_64 and X86_32 now

22 months agoAdd defconfigs for Linux v6.1
Alexander Popov [Fri, 13 Jan 2023 19:12:22 +0000 (22:12 +0300)]
Add defconfigs for Linux v6.1

22 months agoadd get-nixos-kconfig nix script 77/head
o8opi [Thu, 29 Dec 2022 09:02:02 +0000 (10:02 +0100)]
add get-nixos-kconfig nix script

23 months agoAdd the repository mirrors 64/head
Alexander Popov [Mon, 26 Dec 2022 09:58:06 +0000 (12:58 +0300)]
Add the repository mirrors

23 months agoBackup the pull requests and issues into a Markdown file using gh2md
Alexander Popov [Sun, 25 Dec 2022 18:03:04 +0000 (21:03 +0300)]
Backup the pull requests and issues into a Markdown file using gh2md

That would allow to have more information in the mirror repositories.

I used the mattduck/gh2md tool for that purpose.
It employs https://api.github.com/graphql, so I had to generate
a GitHub personal access token (classic) with public access.

23 months agoRemove the AIO check
Alexander Popov [Fri, 16 Dec 2022 23:35:43 +0000 (02:35 +0300)]
Remove the AIO check

Currently GrapheneOS doesn't have it.

23 months agoRemember about the nosmt sysfs control file
Alexander Popov [Sat, 10 Dec 2022 18:25:13 +0000 (21:25 +0300)]
Remember about the nosmt sysfs control file

23 months agoDrop the comment about mitigations of CPU vulnerabilities
Alexander Popov [Sat, 10 Dec 2022 18:24:42 +0000 (21:24 +0300)]
Drop the comment about mitigations of CPU vulnerabilities

The corresponding checks have been developed.

23 months agoSave the list of disabled mitigations of CPU vulnerabilities (for history)
Alexander Popov [Sat, 10 Dec 2022 18:18:34 +0000 (21:18 +0300)]
Save the list of disabled mitigations of CPU vulnerabilities (for history)

23 months agoAdd the nospectre_bhb check
Alexander Popov [Sat, 10 Dec 2022 17:44:23 +0000 (20:44 +0300)]
Add the nospectre_bhb check

23 months agoAdd the kpti check
Alexander Popov [Sat, 10 Dec 2022 08:01:16 +0000 (11:01 +0300)]
Add the kpti check

1. Don't add an exception to normalize_cmdline_options() since strtobool()
is used for kpti

2. Use new '0' check of 'is not off'

23 months agoCompare against '0' in the 'is not off' check
Alexander Popov [Sat, 10 Dec 2022 07:47:05 +0000 (10:47 +0300)]
Compare against '0' in the 'is not off' check

23 months agoAdd the tsx check
Alexander Popov [Sat, 10 Dec 2022 07:08:23 +0000 (10:08 +0300)]
Add the tsx check

23 months agoChange the 'decision' of X86_INTEL_TSX_MODE_OFF check to defconfig
Alexander Popov [Sat, 10 Dec 2022 07:07:10 +0000 (10:07 +0300)]
Change the 'decision' of X86_INTEL_TSX_MODE_OFF check to defconfig

23 months agoAdd the nomte check
Alexander Popov [Sat, 10 Dec 2022 06:33:43 +0000 (09:33 +0300)]
Add the nomte check

23 months agoAdd the nopauth check
Alexander Popov [Sat, 10 Dec 2022 06:32:51 +0000 (09:32 +0300)]
Add the nopauth check

23 months agoAdd the nobti check
Alexander Popov [Sat, 10 Dec 2022 06:32:21 +0000 (09:32 +0300)]
Add the nobti check

23 months agoAdd the sysrq_always_enabled check
Alexander Popov [Fri, 9 Dec 2022 18:00:08 +0000 (21:00 +0300)]
Add the sysrq_always_enabled check

23 months agoAdd the ssbd check
Alexander Popov [Fri, 9 Dec 2022 17:37:49 +0000 (20:37 +0300)]
Add the ssbd check

23 months agoAvoid the YAML parsing mistake
Alexander Popov [Thu, 8 Dec 2022 22:38:05 +0000 (01:38 +0300)]
Avoid the YAML parsing mistake

3.10 is parsed as a number and it is trimmed to 3.1.
That is expected behavior for numbers, but it's crazy for versions.

23 months agoFix `python-version` in the GitHub Actions
Alexander Popov [Thu, 8 Dec 2022 22:29:03 +0000 (01:29 +0300)]
Fix `python-version` in the GitHub Actions

Current `ubuntu-latest` (Ubuntu 22.04 for x86_64) provides the following
versions of Python:
 - 3.10.8
 - 3.11.0
 - 3.7.15
 - 3.8.15
 - 3.9.15

23 months agoReorder some checks, no functional changes
Alexander Popov [Thu, 8 Dec 2022 21:59:38 +0000 (00:59 +0300)]
Reorder some checks, no functional changes