kconfig-hardened-check.git
5 years ago  Merge remote-tracking branch 'hackurx/master'
Alexander Popov [Fri, 17 May 2019 15:13:40 +0000 (18:13 +0300)]
Merge remote-tracking branch 'hackurx/master'

Thanks to @HacKurx for updating the distro configs.

5 years ago  Create rhel-8.0.config (17/head)
Loïc [Sun, 12 May 2019 15:04:25 +0000 (17:04 +0200)]
Create rhel-8.0.config

config check is finished: 'OK' - 41 / 'FAIL' - 62

5 years ago  Update and rename pentoo-4.17.11.config to pentoo-livecd.config
Loïc [Sun, 12 May 2019 09:59:15 +0000 (11:59 +0200)]
Update and rename pentoo-4.17.11.config to pentoo-livecd.config

config check is finished: 'OK' - 71 / 'FAIL' - 32

5 years ago  Update Archlinux-hardened.config
Loïc [Sun, 12 May 2019 09:54:43 +0000 (11:54 +0200)]
Update Archlinux-hardened.config

config check is finished: 'OK' - 75 / 'FAIL' - 28

5 years ago  Update Alpinelinux-edge.config
Loïc [Sun, 12 May 2019 09:51:39 +0000 (11:51 +0200)]
Update Alpinelinux-edge.config

config check is finished: 'OK' - 49 / 'FAIL' - 54

5 years ago  Update debian-stretch.config
Loïc [Sun, 12 May 2019 09:46:53 +0000 (11:46 +0200)]
Update debian-stretch.config

config check is finished: 'OK' - 42 / 'FAIL' - 61

5 years ago  Create AmazonLinux2.config
Loïc [Sun, 12 May 2019 09:38:12 +0000 (11:38 +0200)]
Create AmazonLinux2.config

config check is finished: 'OK' - 42 / 'FAIL' - 61

5 years ago  Add Q&A to the README
Alexander Popov [Wed, 20 Mar 2019 07:25:22 +0000 (10:25 +0300)]
Add Q&A to the README

Refers to the issue #14 by @jcberthon.

5 years ago  Add the comment about kptr_restrict
Alexander Popov [Wed, 13 Mar 2019 17:40:23 +0000 (20:40 +0300)]
Add the comment about kptr_restrict

5 years ago  Add ARM64_PTR_AUTH check
Alexander Popov [Wed, 13 Mar 2019 13:45:34 +0000 (16:45 +0300)]
Add ARM64_PTR_AUTH check

5 years ago  Add STACKPROTECTOR_PER_TASK check for ARM
Alexander Popov [Wed, 13 Mar 2019 09:02:19 +0000 (12:02 +0300)]
Add STACKPROTECTOR_PER_TASK check for ARM

5 years ago  Add defconfigs for 5.0
Alexander Popov [Wed, 13 Mar 2019 08:37:13 +0000 (11:37 +0300)]
Add defconfigs for 5.0

5 years ago  Don't hide AND check results if the requirements are not met
Alexander Popov [Tue, 12 Mar 2019 21:46:32 +0000 (00:46 +0300)]
Don't hide AND check results if the requirements are not met

Report them as FAIL.

Thanks to @Bernhard40 for this nice idea.

5 years ago  Update the README
Alexander Popov [Tue, 12 Mar 2019 15:11:56 +0000 (18:11 +0300)]
Update the README

5 years ago  Improve the final result output
Alexander Popov [Tue, 12 Mar 2019 14:29:20 +0000 (17:29 +0300)]
Improve the final result output

Refers to issue #13.

5 years ago  Use the AND check for HARDENED_USERCOPY_FALLBACK
Alexander Popov [Tue, 12 Mar 2019 14:12:14 +0000 (17:12 +0300)]
Use the AND check for HARDENED_USERCOPY_FALLBACK

If HARDENED_USERCOPY is not set, HARDENED_USERCOPY_FALLBACK is not checked.

Refers to issue #13.

5 years ago  Use the AND check for PAGE_POISONING_NO_SANITY and PAGE_POISONING_ZERO
Alexander Popov [Tue, 12 Mar 2019 14:10:57 +0000 (17:10 +0300)]
Use the AND check for PAGE_POISONING_NO_SANITY and PAGE_POISONING_ZERO

If PAGE_POISONING is not set, PAGE_POISONING_NO_SANITY and
PAGE_POISONING_ZERO are not checked.

Refers to issue #13.

5 years ago  Implement AND ComplexOptCheck
Alexander Popov [Tue, 12 Mar 2019 13:45:35 +0000 (16:45 +0300)]
Implement AND ComplexOptCheck

Use case: AND(<suboption>, <main_option>).
The suboption is not checked if the check of the main_option fails.

It's needed to solve issue #13.

5 years ago  Add a sanity check and do minor refactoring
Alexander Popov [Tue, 12 Mar 2019 13:42:23 +0000 (16:42 +0300)]
Add a sanity check and do minor refactoring

5 years ago  Introduce the ComplexOptCheck superclass
Alexander Popov [Tue, 12 Mar 2019 12:02:49 +0000 (15:02 +0300)]
Introduce the ComplexOptCheck superclass

5 years ago  Update the README
Alexander Popov [Mon, 11 Mar 2019 15:59:10 +0000 (18:59 +0300)]
Update the README

5 years ago  Add explicit checks for CONFIG_MODULES and CONFIG_DEVMEM
Alexander Popov [Mon, 11 Mar 2019 15:21:18 +0000 (18:21 +0300)]
Add explicit checks for CONFIG_MODULES and CONFIG_DEVMEM

I like this hack. Now the script recommends disabling modules and
devmem, OR hardening them at least.

5 years ago  Add missing OR use case
Alexander Popov [Mon, 11 Mar 2019 15:08:59 +0000 (18:08 +0300)]
Add missing OR use case

5 years ago  Improve the output of OR checks
Alexander Popov [Mon, 11 Mar 2019 15:33:11 +0000 (18:33 +0300)]
Improve the output of OR checks

5 years ago  Add the RESET_ATTACK_MITIGATION check according to the feature request #11
Alexander Popov [Mon, 4 Mar 2019 18:24:45 +0000 (21:24 +0300)]
Add the RESET_ATTACK_MITIGATION check according to the feature request #11

Let's check the RESET_ATTACK_MITIGATION option.

The description of this security feature:
https://lwn.net/Articles/730006/

It needs support from the userspace side:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a5c03c31af2291f13689d11760c0b59fb70c9a5a

Improve the comments about the userspace support by the way.

5 years ago  Fix false positive about CONFIG_MODULE_SIG_FORCE.
Alexander Popov [Mon, 4 Mar 2019 13:38:14 +0000 (16:38 +0300)]
Fix false positive about CONFIG_MODULE_SIG_FORCE.

CONFIG_MODULE_SIG_FORCE shouldn't be checked if CONFIG_MODULES is not set.

Fixes issue #12.
Thanks to @hannob.

5 years ago  Update the README and comments after adding ARM support
Alexander Popov [Thu, 24 Jan 2019 07:43:58 +0000 (10:43 +0300)]
Update the README and comments after adding ARM support

5 years ago  Fix typo in KSPP recommendations for ARM
Alexander Popov [Thu, 24 Jan 2019 07:34:00 +0000 (10:34 +0300)]
Fix typo in KSPP recommendations for ARM

5 years ago  Add ARM support
Alexander Popov [Thu, 24 Jan 2019 07:33:25 +0000 (10:33 +0300)]
Add ARM support

5 years ago  Update the README after adding ARM64 support
Alexander Popov [Wed, 23 Jan 2019 17:02:53 +0000 (20:02 +0300)]
Update the README after adding ARM64 support

5 years ago  Go through all the checks in debug mode
Alexander Popov [Wed, 23 Jan 2019 16:31:26 +0000 (19:31 +0300)]
Go through all the checks in debug mode

5 years ago  Add ARM64 support
Alexander Popov [Wed, 23 Jan 2019 16:11:55 +0000 (19:11 +0300)]
Add ARM64 support

5 years ago  Update the README after adding X86_32 support
Alexander Popov [Tue, 22 Jan 2019 12:22:04 +0000 (15:22 +0300)]
Update the README after adding X86_32 support

And improve the style by the way.

5 years ago  Add X86_32 support
Alexander Popov [Tue, 22 Jan 2019 11:55:47 +0000 (14:55 +0300)]
Add X86_32 support

5 years ago  Merge branch 'arch-configs'
Alexander Popov [Tue, 22 Jan 2019 11:55:07 +0000 (14:55 +0300)]
Merge branch 'arch-configs'

5 years ago  Create a separate directory for distro configs
Alexander Popov [Tue, 22 Jan 2019 11:22:35 +0000 (14:22 +0300)]
Create a separate directory for distro configs

5 years ago  Create a separate directory for defconfigs
Alexander Popov [Tue, 22 Jan 2019 11:10:23 +0000 (14:10 +0300)]
Create a separate directory for defconfigs

5 years ago  Add arm64 defconfig for v4.20
Alexander Popov [Tue, 22 Jan 2019 11:09:26 +0000 (14:09 +0300)]
Add arm64 defconfig for v4.20

5 years ago  Add arm defconfig for v4.20
Alexander Popov [Tue, 22 Jan 2019 11:09:09 +0000 (14:09 +0300)]
Add arm defconfig for v4.20

5 years ago  Add x86_32 defconfig for v4.20
Alexander Popov [Tue, 22 Jan 2019 10:47:31 +0000 (13:47 +0300)]
Add x86_32 defconfig for v4.20

5 years ago  Create a separate directory for KSPP recommendations
Alexander Popov [Tue, 22 Jan 2019 11:04:51 +0000 (14:04 +0300)]
Create a separate directory for KSPP recommendations

5 years ago  Specify the architecture in KSPP recommendations
Alexander Popov [Tue, 22 Jan 2019 11:03:11 +0000 (14:03 +0300)]
Specify the architecture in KSPP recommendations

5 years ago  Update the README (arch support)
Alexander Popov [Mon, 21 Jan 2019 22:18:36 +0000 (01:18 +0300)]
Update the README (arch support)

5 years ago  Make the script aware of target architecture
Alexander Popov [Mon, 21 Jan 2019 22:06:45 +0000 (01:06 +0300)]
Make the script aware of target architecture

Add the ability to parse the processor architecture from the config file.

Change '-p' command-line argument behaviour. Now it comes with the
name of architecture you want to print recommendations for.

Currently only X86_64 is supported. More architectures to come soon.

This is based heavily on work by @tyhicks.

5 years ago  Merge branch 'from-tyhicks-1'
Alexander Popov [Mon, 21 Jan 2019 16:16:00 +0000 (19:16 +0300)]
Merge branch 'from-tyhicks-1'

Create arch-dependent KSPP recommendations.
Thanks to @tyhicks.

5 years ago  Add a KSPP recommendations config for arm64
Tyler Hicks [Thu, 17 Jan 2019 17:57:23 +0000 (17:57 +0000)]
Add a KSPP recommendations config for arm64

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

5 years ago  Add a KSPP recommendations config for arm
Tyler Hicks [Thu, 17 Jan 2019 17:56:09 +0000 (17:56 +0000)]
Add a KSPP recommendations config for arm

The arm section of the KSPP Recommended_Settings wiki page contains the
following lines:

 # If building an old out-of-tree Qualcomm kernel, this is similar to
 # CONFIG_STRICT_KERNEL_RWX.
 CONFIG_STRICT_MEMORY_RWX=y

Since this option only applies to an old out-of-tree Qualcomm kernel,
it is not included in the config file.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

5 years ago  Add a KSPP recommendations config for x86_32
Tyler Hicks [Thu, 17 Jan 2019 17:53:43 +0000 (17:53 +0000)]
Add a KSPP recommendations config for x86_32

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

5 years ago  Make KSPP recommendations config x86_64 specific
Tyler Hicks [Thu, 17 Jan 2019 17:47:44 +0000 (17:47 +0000)]
Make KSPP recommendations config x86_64 specific

Rename the file so that it is clear that the recommendations are x86-64
specific.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

5 years ago  Update kspp-recommendations.config to look like an x86_64 config
Tyler Hicks [Sat, 12 Jan 2019 00:04:46 +0000 (00:04 +0000)]
Update kspp-recommendations.config to look like an x86_64 config

Add a header that will make the checker script think that it is dealing
with an x86_64 config file. Additionally, update the stackprotector-related
options to reflect the >= 4.18 names.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

5 years ago  Add x86_64_defconfig for v4.20
Alexander Popov [Mon, 14 Jan 2019 22:45:35 +0000 (01:45 +0300)]
Add x86_64_defconfig for v4.20

5 years ago  Merge branch 'decision-cleanup'
Alexander Popov [Mon, 14 Jan 2019 22:28:03 +0000 (01:28 +0300)]
Merge branch 'decision-cleanup'

Thanks to @Bernhard40 for a nice idea.

5 years ago  Update README
Alexander Popov [Mon, 14 Jan 2019 22:26:10 +0000 (01:26 +0300)]
Update README

5 years ago  Change the last 'ubuntu18' checks (about lockdown)
Alexander Popov [Mon, 14 Jan 2019 22:22:22 +0000 (01:22 +0300)]
Change the last 'ubuntu18' checks (about lockdown)

5 years ago  Change 'decision' to 'grsecurity' for their additional 'cut_attack_surface' recommend...
Alexander Popov [Mon, 14 Jan 2019 22:19:44 +0000 (01:19 +0300)]
Change 'decision' to 'grsecurity' for their additional 'cut_attack_surface' recommendations

5 years ago  Change 'decision' to 'kspp' for non-default options recommended by KSPP
Alexander Popov [Mon, 14 Jan 2019 22:22:37 +0000 (01:22 +0300)]
Change 'decision' to 'kspp' for non-default options recommended by KSPP

5 years ago  Change 'decision' to 'defconfig' for hardening features enabled by default
Alexander Popov [Mon, 14 Jan 2019 22:08:00 +0000 (01:08 +0300)]
Change 'decision' to 'defconfig' for hardening features enabled by default

5 years ago  Add kernel command line options enabling mitigations of side-channel attacks
Alexander Popov [Fri, 21 Dec 2018 15:45:44 +0000 (18:45 +0300)]
Add kernel command line options enabling mitigations of side-channel attacks

5 years ago  Add TODO (hardening preferences for ARM) and update README
Alexander Popov [Wed, 12 Dec 2018 22:01:22 +0000 (01:01 +0300)]
Add TODO (hardening preferences for ARM) and update README

5 years ago  Check x86 hardening features: X86_SMAP and X86_INTEL_UMIP
Alexander Popov [Wed, 12 Dec 2018 21:55:34 +0000 (00:55 +0300)]
Check x86 hardening features: X86_SMAP and X86_INTEL_UMIP

5 years ago  Add SECURITY_LOADPIN check
Alexander Popov [Wed, 12 Dec 2018 21:54:51 +0000 (00:54 +0300)]
Add SECURITY_LOADPIN check

5 years ago  Add SLAB_MERGE_DEFAULT check
Alexander Popov [Wed, 12 Dec 2018 21:54:23 +0000 (00:54 +0300)]
Add SLAB_MERGE_DEFAULT check

5 years ago  Mention net.core.bpf_jit_harden
Alexander Popov [Wed, 12 Dec 2018 21:53:22 +0000 (00:53 +0300)]
Mention net.core.bpf_jit_harden

5 years ago  Recommend slub_debug=FZP
Alexander Popov [Wed, 12 Dec 2018 21:52:40 +0000 (00:52 +0300)]
Recommend slub_debug=FZP

5 years ago  Mark options connected with CONFIG_LOCK_DOWN_KERNEL (and add some new)
Alexander Popov [Fri, 7 Dec 2018 12:54:32 +0000 (15:54 +0300)]
Mark options connected with CONFIG_LOCK_DOWN_KERNEL (and add some new)

5 years ago  Add CONFIG_LOCK_DOWN_KERNEL
Alexander Popov [Fri, 7 Dec 2018 09:35:21 +0000 (12:35 +0300)]
Add CONFIG_LOCK_DOWN_KERNEL

5 years ago  Add a hint about gcc plugins support
Alexander Popov [Wed, 5 Dec 2018 21:29:34 +0000 (00:29 +0300)]
Add a hint about gcc plugins support

6 years ago  Merge branch 'from-hackurx-3'
Alexander Popov [Wed, 8 Aug 2018 12:29:23 +0000 (15:29 +0300)]
Merge branch 'from-hackurx-3'

6 years ago  Move kspp-recommendations.config to config_files
Alexander Popov [Wed, 8 Aug 2018 12:21:20 +0000 (15:21 +0300)]
Move kspp-recommendations.config to config_files

6 years ago  Add missing configs
Alexander Popov [Wed, 8 Aug 2018 12:20:22 +0000 (15:20 +0300)]
Add missing configs

6 years ago  Fix links to configs
Alexander Popov [Wed, 8 Aug 2018 12:18:21 +0000 (15:18 +0300)]
Fix links to configs

6 years ago  Update UEK config
Alexander Popov [Wed, 8 Aug 2018 12:00:13 +0000 (15:00 +0300)]
Update UEK config

6 years ago  Add links.txt
Loïc [Thu, 26 Jul 2018 09:41:13 +0000 (11:41 +0200)]
Add links.txt

The file indicates where you can find kernel configurations.

6 years ago  Minor fixes for the script output
Alexander Popov [Mon, 30 Jul 2018 20:06:05 +0000 (23:06 +0300)]
Minor fixes for the script output

6 years ago  Merge branch 'from-iad42-1'
Alexander Popov [Mon, 30 Jul 2018 20:02:24 +0000 (23:02 +0300)]
Merge branch 'from-iad42-1'

6 years ago  get_option_state function now looks a lot prettier using dict.get() method
Anatoly Ivanov [Mon, 30 Jul 2018 14:17:05 +0000 (17:17 +0300)]
get_option_state function now looks a lot prettier using dict.get() method

6 years ago  Made long lines in major output shorter
Anatoly Ivanov [Mon, 30 Jul 2018 11:36:47 +0000 (14:36 +0300)]
Made long lines in major output shorter

6 years ago  And update README
Alexander Popov [Mon, 30 Jul 2018 14:07:44 +0000 (17:07 +0300)]
And update README

6 years ago  Add DEBUG_RODATA as old alternative to STRICT_KERNEL_RWX
Alexander Popov [Mon, 30 Jul 2018 14:06:04 +0000 (17:06 +0300)]
Add DEBUG_RODATA as old alternative to STRICT_KERNEL_RWX

6 years ago  Align lines better
Alexander Popov [Mon, 30 Jul 2018 13:47:33 +0000 (16:47 +0300)]
Align lines better

6 years ago  Add DEBUG_SET_MODULE_RONX as old alternative to STRICT_MODULE_RWX
Alexander Popov [Mon, 30 Jul 2018 13:53:42 +0000 (16:53 +0300)]
Add DEBUG_SET_MODULE_RONX as old alternative to STRICT_MODULE_RWX

6 years ago  Update the README (LKDTM is commented out)
Alexander Popov [Mon, 30 Jul 2018 10:49:30 +0000 (13:49 +0300)]
Update the README (LKDTM is commented out)

6 years ago  Update the function names according to the new meaning
Alexander Popov [Mon, 30 Jul 2018 10:47:05 +0000 (13:47 +0300)]
Update the function names according to the new meaning

6 years ago  Merge branch 'from-hackurx-2'
Alexander Popov [Fri, 27 Jul 2018 21:16:26 +0000 (00:16 +0300)]
Merge branch 'from-hackurx-2'

6 years ago  Add debian-stretch.config
Loïc [Thu, 26 Jul 2018 11:13:50 +0000 (13:13 +0200)]
Add debian-stretch.config

config check is NOT PASSED: 56 errors

6 years ago  Delete debian-sid-amd64.config
Loïc [Thu, 26 Jul 2018 09:36:44 +0000 (11:36 +0200)]
Delete debian-sid-amd64.config

6 years ago  Delete Archlinux-Testing.config
Loïc [Thu, 26 Jul 2018 09:34:43 +0000 (11:34 +0200)]
Delete Archlinux-Testing.config

6 years ago  Add SLE15.config
Loïc [Mon, 23 Jul 2018 07:32:10 +0000 (09:32 +0200)]
Add SLE15.config

Source: https://kernel.opensuse.org/cgit/kernel-source/plain/config/x86_64/default?h=SLE15

config check is NOT PASSED: 58 errors

6 years ago  Comment out LKDTM
Alexander Popov [Fri, 27 Jul 2018 21:13:56 +0000 (00:13 +0300)]
Comment out LKDTM

6 years ago  Avoid false positive errors if CONFIG_MODULES is not set
Alexander Popov [Wed, 25 Jul 2018 11:26:26 +0000 (14:26 +0300)]
Avoid false positive errors if CONFIG_MODULES is not set

6 years ago  Support both versions of the STACKPROTECTOR_STRONG option
Alexander Popov [Wed, 25 Jul 2018 11:33:35 +0000 (14:33 +0300)]
Support both versions of the STACKPROTECTOR_STRONG option

6 years ago  Merge branch 'OR-from-anthraxx'
Alexander Popov [Tue, 24 Jul 2018 22:41:29 +0000 (01:41 +0300)]
Merge branch 'OR-from-anthraxx'

6 years ago  Update the README
Alexander Popov [Tue, 24 Jul 2018 22:39:31 +0000 (01:39 +0300)]
Update the README

6 years ago  Improve the OR result calculation
Alexander Popov [Tue, 24 Jul 2018 22:36:25 +0000 (01:36 +0300)]
Improve the OR result calculation

1. don't duplicate opts[0].name in the successful output;
2. fix the bug with printing None state, just reuse the OptCheck.result.

6 years ago  Adjust the output format
Alexander Popov [Tue, 24 Jul 2018 21:30:21 +0000 (00:30 +0300)]
Adjust the output format

6 years ago  support DEVMEM not set when considering STRICT_DEVMEM/IO_STRICT_DEVMEM
anthraxx [Mon, 25 Jun 2018 22:26:50 +0000 (00:26 +0200)]
support DEVMEM not set when considering STRICT_DEVMEM/IO_STRICT_DEVMEM

Detect STRICT_DEVMEM and IO_STRICT_DEVMEM as not being needed whenever
DEVMEM is not set.

Conflicts resolved by @a13xp0p0v

6 years ago  Add the comment describing OR use case
Alexander Popov [Tue, 24 Jul 2018 20:33:57 +0000 (23:33 +0300)]
Add the comment describing OR use case

6 years ago  OR needs OptCheck.check() return values
Alexander Popov [Tue, 24 Jul 2018 20:33:26 +0000 (23:33 +0300)]
OR needs OptCheck.check() return values

6 years ago  support logical OR operations on options
anthraxx [Mon, 25 Jun 2018 22:21:10 +0000 (00:21 +0200)]
support logical OR operations on options

The OR class implementation supports combining Opts logically
with an or-operator. If any of the Opts provided to the OR class
returns True, the check is considered OK.

Fixes #1

Conflicts resolved by @a13xp0p0v

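The OR composition described in the commit above, the AND composition from 'Implement AND ComplexOptCheck', the "do not flag CONFIG_MODULE_SIG_FORCE when CONFIG_MODULES is not set" fix, the "report unmet AND requirements as FAIL instead of hiding them" change and the architecture detection from 'Make the script aware of target architecture', reduced to one runnable sketch. This is an added example written for this page, not the project's own code: the class layout follows the commit messages, but the names, the result strings, the four-entry checklist and the sample .config fragment are my own assumptions.

```python
import re

# Constructed sample .config fragment (x86_64, not a real distro config), chosen so that every branch below runs.
SAMPLE_CONFIG = """\
# Linux/x86_64 4.20.0 Kernel Configuration
# CONFIG_MODULES is not set
CONFIG_DEVMEM=y
# CONFIG_IO_STRICT_DEVMEM is not set
CONFIG_HARDENED_USERCOPY=y
CONFIG_HARDENED_USERCOPY_FALLBACK=y
# CONFIG_PAGE_POISONING is not set
CONFIG_X86_SMAP=y
"""

ARCH_RE = re.compile(r'^# Linux/(\S+) .* Kernel Configuration$')
SET_RE = re.compile(r'^(CONFIG_\w+)=(.+)$')
NOT_SET_RE = re.compile(r'^# (CONFIG_\w+) is not set$')

def parse_config(text):
    """Return (arch, {option: value}); arch comes from the '# Linux/<arch> ...' header,
    '# CONFIG_X is not set' lines map to 'is not set', absent options are not recorded."""
    arch, opts = None, {}
    for line in text.splitlines():
        if ARCH_RE.match(line):
            arch = ARCH_RE.match(line).group(1)
        elif SET_RE.match(line):
            opts[SET_RE.match(line).group(1)] = SET_RE.match(line).group(2)
        elif NOT_SET_RE.match(line):
            opts[NOT_SET_RE.match(line).group(1)] = 'is not set'
    return arch, opts

class OptCheck:
    """A single option must have exactly the expected value ('y' or 'is not set')."""
    def __init__(self, name, expected):
        self.name, self.expected, self.state, self.result = name, expected, None, None
    def check(self, opts):
        self.state = opts.get(self.name, 'is not set')   # an absent option counts as unset
        self.result = 'OK' if self.state == self.expected else 'FAIL: "{}"'.format(self.state)
        return self.result == 'OK'

class OR:
    """OR(<main>, <alternative>...): OK if any sub-check passes, i.e. 'harden the feature
    OR leave it out entirely' (for example MODULE_SIG_FORCE=y or MODULES not set)."""
    def __init__(self, *opts):
        self.opts, self.name, self.result = opts, opts[0].name, None
    def check(self, opts):
        for i, opt in enumerate(self.opts):
            if opt.check(opts):
                # say which alternative satisfied the check, without repeating opts[0]
                self.result = opt.result if i == 0 else 'OK: {} "{}"'.format(opt.name, opt.state)
                return True
        self.result = self.opts[0].result
        return False

class AND:
    """AND(<suboption>, <main_option>): the suboption is checked only if the main option
    passes; otherwise the check is reported as FAIL (not hidden), naming the requirement."""
    def __init__(self, *opts):
        self.opts, self.name, self.result = opts, opts[0].name, None
    def check(self, opts):
        for i, opt in reversed(list(enumerate(self.opts))):   # main option first
            ret = opt.check(opts)
            if i == 0:
                self.result = opt.result
                return ret
            if not ret:
                self.result = 'FAIL: {} not "{}"'.format(opt.name, opt.expected)
                return False

def build_checklist(arch):
    """A small assumed checklist; the real tool carries far more entries."""
    checklist = [
        OR(OptCheck('CONFIG_IO_STRICT_DEVMEM', 'y'), OptCheck('CONFIG_DEVMEM', 'is not set')),
        OR(OptCheck('CONFIG_MODULE_SIG_FORCE', 'y'), OptCheck('CONFIG_MODULES', 'is not set')),
        AND(OptCheck('CONFIG_HARDENED_USERCOPY_FALLBACK', 'is not set'),
            OptCheck('CONFIG_HARDENED_USERCOPY', 'y')),
        AND(OptCheck('CONFIG_PAGE_POISONING_NO_SANITY', 'is not set'),
            OptCheck('CONFIG_PAGE_POISONING', 'y')),
    ]
    if arch == 'x86_64':   # architecture-specific checks are only added for that architecture
        checklist.append(OptCheck('CONFIG_X86_SMAP', 'y'))
    return checklist

def run(config_text):
    """Check one config; returns (arch, {check name: result}, ok_count, fail_count)."""
    arch, opts = parse_config(config_text)
    results = {}
    for check in build_checklist(arch):
        check.check(opts)
        results[check.name] = check.result
    ok = sum(1 for r in results.values() if r.startswith('OK'))
    return arch, results, ok, len(results) - ok

if __name__ == '__main__':
    arch, results, ok, fail = run(SAMPLE_CONFIG)
    print('[+] Detected architecture:', arch)
    print(*['{:<40}| {}'.format(n, r) for n, r in results.items()], sep='\n')
    print("config check is finished: 'OK' - {} / 'FAIL' - {}".format(ok, fail))
```

The sample config deliberately leaves CONFIG_MODULES unset, so CONFIG_MODULE_SIG_FORCE passes through the OR alternative instead of being flagged, and leaves CONFIG_PAGE_POISONING unset, so the AND check for PAGE_POISONING_NO_SANITY reports the unmet requirement instead of hiding it. Feeding a config whose header names another architecture (for instance arm64) drops the X86_SMAP entry from the checklist.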
6 years ago  Update usage in README.md
Alexander Popov [Fri, 20 Jul 2018 17:53:52 +0000 (20:53 +0300)]
Update usage in README.md