From 257c011fd0f24066420e755f29a60cbe61561fa6 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Mon, 4 Mar 2019 21:24:45 +0300 Subject: [PATCH] Add the RESET_ATTACK_MITIGATION check according to the feature request #11 Let's check the RESET_ATTACK_MITIGATION option. The description of this security feature: https://lwn.net/Articles/730006/ It needs support from the userspace side: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a5c03c31af2291f13689d11760c0b59fb70c9a5a Improve the comments about the userspace support by the way.
---
 README.md | 1 +
 kconfig-hardened-check.py | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 4a8f2ed..3f07f0d 100644
--- a/README.md
+++ b/README.md
@@ -93,6 +93,7 @@ optional arguments:
 CONFIG_SECURITY_DMESG_RESTRICT | y | my | self_protection || FAIL: "is not set"
 CONFIG_STATIC_USERMODEHELPER | y | my | self_protection || FAIL: "is not set"
 CONFIG_SECURITY_LOADPIN | y | my | self_protection || FAIL: "is not set"
+ CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection || OK
 CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection || OK: not found
 CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection || OK: not found
 CONFIG_SLAB_MERGE_DEFAULT | is not set | my | self_protection || FAIL: "y"
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index a139697..c92d352 100755
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -207,8 +207,9 @@ def construct_checklist(arch):
 checklist.append(OptCheck('LOCK_DOWN_KERNEL', 'y', 'my', 'self_protection')) # remember about LOCK_DOWN_MANDATORY
 checklist.append(OptCheck('SLUB_DEBUG_ON', 'y', 'my', 'self_protection'))
 checklist.append(OptCheck('SECURITY_DMESG_RESTRICT', 'y', 'my', 'self_protection'))
- checklist.append(OptCheck('STATIC_USERMODEHELPER', 'y', 'my', 'self_protection')) # breaks systemd?
- checklist.append(OptCheck('SECURITY_LOADPIN', 'y', 'my', 'self_protection'))
+ checklist.append(OptCheck('STATIC_USERMODEHELPER', 'y', 'my', 'self_protection')) # needs userspace support (systemd)
+ checklist.append(OptCheck('SECURITY_LOADPIN', 'y', 'my', 'self_protection')) # needs userspace support
+ checklist.append(OptCheck('RESET_ATTACK_MITIGATION', 'y', 'my', 'self_protection')) # needs userspace support (systemd)
 checklist.append(OptCheck('PAGE_POISONING_NO_SANITY', 'is not set', 'my', 'self_protection'))
 checklist.append(OptCheck('PAGE_POISONING_ZERO', 'is not set', 'my', 'self_protection'))
 checklist.append(OptCheck('SLAB_MERGE_DEFAULT', 'is not set', 'my', 'self_protection')) # slab_nomerge
-- 2.31.1
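Review bot: The new RESET_ATTACK_MITIGATION check is appended unconditionally even though the Kconfig option depends on EFI_STUB, so a kernel built without the EFI stub (or for an architecture where the stub is not offered) will be reported as FAIL for an option it cannot select; if construct_checklist already branches on `arch` outside this hunk, the append belongs in the EFI-capable branch, otherwise the comment should say that FAIL is expected on non-EFI builds. The trailing comment also leaves the nature of the userspace support unstated: as far as I understand the feature, the kernel sets the firmware's MemoryOverwriteRequest variable at boot and userspace (systemd's shutdown path) must clear it on a clean shutdown, otherwise every boot pays for a full memory wipe — an operational cost rather than a security gap, which matters because a FAIL in this tool otherwise reads as an exploitable weakness. I would extend the comment to `# needs userspace support (systemd clears the MOR variable on clean shutdown); depends on EFI_STUB`. The body of construct_checklist starts and ends outside the hunk.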