From 87db8c4fc519a655380aefe635de41e6df1568e3 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Thu, 28 Apr 2022 14:49:52 +0300 Subject: [PATCH] Update the README Ready for the release 0.5.17. --- README.md | 22 ++++++++++++++++------ kconfig_hardened_check/__about__.py | 2 +- 2 files changed, 17 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index ceaf76b..68829b1 100644 --- a/README.md +++ b/README.md @@ -84,7 +84,7 @@ CONFIG_DEVMEM | is not set | kspp | cut_atta ## Example output for `Ubuntu 20.04 LTS (Focal Fossa)` kernel config ``` $ ./bin/kconfig-hardened-check -c kconfig_hardened_check/config_files/distros/ubuntu-focal.config -[+] Config file to check: kconfig_hardened_check/config_files/distros/ubuntu-focal.config +[+] Kconfig file to check: kconfig_hardened_check/config_files/distros/ubuntu-focal.config [+] Detected architecture: X86_64 [+] Detected kernel version: 5.4 ========================================================================================================================= @@ -93,13 +93,14 @@ $ ./bin/kconfig-hardened-check -c kconfig_hardened_check/config_files/distros/ub CONFIG_BUG |kconfig| y |defconfig | self_protection | OK CONFIG_SLUB_DEBUG |kconfig| y |defconfig | self_protection | OK CONFIG_GCC_PLUGINS |kconfig| y |defconfig | self_protection | FAIL: not found +CONFIG_STACKPROTECTOR |kconfig| y |defconfig | self_protection | OK CONFIG_STACKPROTECTOR_STRONG |kconfig| y |defconfig | self_protection | OK CONFIG_STRICT_KERNEL_RWX |kconfig| y |defconfig | self_protection | OK CONFIG_STRICT_MODULE_RWX |kconfig| y |defconfig | self_protection | OK CONFIG_REFCOUNT_FULL |kconfig| y |defconfig | self_protection | FAIL: "is not set" +CONFIG_THREAD_INFO_IN_TASK |kconfig| y |defconfig | self_protection | OK CONFIG_IOMMU_SUPPORT |kconfig| y |defconfig | self_protection | OK CONFIG_RANDOMIZE_BASE |kconfig| y |defconfig | self_protection | OK -CONFIG_THREAD_INFO_IN_TASK |kconfig| y |defconfig | self_protection | OK CONFIG_VMAP_STACK |kconfig| y |defconfig | self_protection | OK CONFIG_MICROCODE |kconfig| y |defconfig | self_protection | OK CONFIG_RETPOLINE |kconfig| y |defconfig | self_protection | OK @@ -124,6 +125,10 @@ CONFIG_DEBUG_CREDENTIALS |kconfig| y | kspp | self_p CONFIG_DEBUG_NOTIFIERS |kconfig| y | kspp | self_protection | FAIL: "is not set" CONFIG_INIT_ON_ALLOC_DEFAULT_ON |kconfig| y | kspp | self_protection | OK CONFIG_GCC_PLUGIN_LATENT_ENTROPY |kconfig| y | kspp | self_protection | FAIL: not found +CONFIG_KFENCE |kconfig| y | kspp | self_protection | FAIL: not found +CONFIG_WERROR |kconfig| y | kspp | self_protection | FAIL: not found +CONFIG_IOMMU_DEFAULT_DMA_STRICT |kconfig| y | kspp | self_protection | FAIL: not found +CONFIG_ZERO_CALL_USED_REGS |kconfig| y | kspp | self_protection | FAIL: not found CONFIG_GCC_PLUGIN_RANDSTRUCT |kconfig| y | kspp | self_protection | FAIL: not found CONFIG_HARDENED_USERCOPY |kconfig| y | kspp | self_protection | OK CONFIG_HARDENED_USERCOPY_FALLBACK |kconfig| is not set | kspp | self_protection | FAIL: "y" @@ -136,6 +141,7 @@ CONFIG_INIT_STACK_ALL_ZERO |kconfig| y | kspp | self_p CONFIG_INIT_ON_FREE_DEFAULT_ON |kconfig| y | kspp | self_protection | OK: CONFIG_PAGE_POISONING_ZERO "y" CONFIG_GCC_PLUGIN_STACKLEAK |kconfig| y | kspp | self_protection | FAIL: not found CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT |kconfig| y | kspp | self_protection | FAIL: not found +CONFIG_SCHED_CORE |kconfig| y | kspp | self_protection | FAIL: not found CONFIG_DEFAULT_MMAP_MIN_ADDR |kconfig| 65536 | kspp | self_protection | OK CONFIG_UBSAN_BOUNDS |kconfig| y |maintainer| self_protection | FAIL: not found CONFIG_UBSAN_SANITIZE_ALL |kconfig| y |maintainer| self_protection | FAIL: CONFIG_UBSAN_BOUNDS not "y" @@ -152,16 +158,19 @@ CONFIG_STACKLEAK_RUNTIME_DISABLE |kconfig| is not set | clipos | self_p CONFIG_INTEL_IOMMU_DEFAULT_ON |kconfig| y | clipos | self_protection | FAIL: "is not set" CONFIG_INTEL_IOMMU_SVM |kconfig| y | clipos | self_protection | OK CONFIG_RESET_ATTACK_MITIGATION |kconfig| y | my | self_protection | OK +CONFIG_SLS |kconfig| y | my | self_protection | FAIL: not found CONFIG_AMD_IOMMU_V2 |kconfig| y | my | self_protection | FAIL: "m" CONFIG_SECURITY |kconfig| y |defconfig | security_policy | OK CONFIG_SECURITY_YAMA |kconfig| y | kspp | security_policy | OK -CONFIG_SECURITY_WRITABLE_HOOKS |kconfig| is not set | my | security_policy | OK: not found +CONFIG_SECURITY_SELINUX_DISABLE |kconfig| is not set | kspp | security_policy | OK CONFIG_SECURITY_LOCKDOWN_LSM |kconfig| y | clipos | security_policy | OK CONFIG_SECURITY_LOCKDOWN_LSM_EARLY |kconfig| y | clipos | security_policy | OK CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|kconfig| y | clipos | security_policy | FAIL: "is not set" +CONFIG_SECURITY_WRITABLE_HOOKS |kconfig| is not set | my | security_policy | OK: not found CONFIG_SECURITY_SAFESETID |kconfig| y | my | security_policy | OK CONFIG_SECURITY_LOADPIN |kconfig| y | my | security_policy | FAIL: "is not set" CONFIG_SECURITY_LOADPIN_ENFORCE |kconfig| y | my | security_policy | FAIL: CONFIG_SECURITY_LOADPIN not "y" +CONFIG_BPF_UNPRIV_DEFAULT_OFF |kconfig| y |defconfig |cut_attack_surface| FAIL: not found CONFIG_SECCOMP |kconfig| y |defconfig |cut_attack_surface| OK CONFIG_SECCOMP_FILTER |kconfig| y |defconfig |cut_attack_surface| OK CONFIG_STRICT_DEVMEM |kconfig| y |defconfig |cut_attack_surface| OK @@ -179,6 +188,7 @@ CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_att CONFIG_X86_X32 |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" CONFIG_MODIFY_LDT_SYSCALL |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" CONFIG_OABI_COMPAT |kconfig| is not set | kspp |cut_attack_surface| OK: not found +CONFIG_X86_MSR |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m" CONFIG_MODULES |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" CONFIG_DEVMEM |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y" CONFIG_IO_STRICT_DEVMEM |kconfig| y | kspp |cut_attack_surface| FAIL: "is not set" @@ -225,6 +235,7 @@ CONFIG_DRM_LEGACY |kconfig| is not set |maintainer|cut_att CONFIG_FB |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y" CONFIG_VT |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y" CONFIG_BLK_DEV_FD |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "m" +CONFIG_BLK_DEV_FD_RAWCMD |kconfig| is not set |maintainer|cut_attack_surface| OK: not found CONFIG_AIO |kconfig| is not set |grapheneos|cut_attack_surface| FAIL: "y" CONFIG_STAGING |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" CONFIG_KSM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" @@ -233,15 +244,14 @@ CONFIG_X86_VSYSCALL_EMULATION |kconfig| is not set | clipos |cut_att CONFIG_MAGIC_SYSRQ |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" CONFIG_KEXEC_FILE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" CONFIG_USER_NS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" -CONFIG_X86_MSR |kconfig| is not set | clipos |cut_attack_surface| FAIL: "m" CONFIG_X86_CPUID |kconfig| is not set | clipos |cut_attack_surface| FAIL: "m" CONFIG_X86_IOPL_IOPERM |kconfig| is not set | clipos |cut_attack_surface| OK: not found CONFIG_ACPI_TABLE_UPGRADE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" CONFIG_EFI_CUSTOM_SSDT_OVERLAYS |kconfig| is not set | clipos |cut_attack_surface| OK: not found CONFIG_LDISC_AUTOLOAD |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y" CONFIG_X86_INTEL_TSX_MODE_OFF |kconfig| y | clipos |cut_attack_surface| OK -CONFIG_EFI_TEST |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "m" CONFIG_BPF_SYSCALL |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y" +CONFIG_EFI_TEST |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "m" CONFIG_MMIOTRACE_TEST |kconfig| is not set | lockdown |cut_attack_surface| OK CONFIG_KPROBES |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y" CONFIG_TRIM_UNUSED_KSYMS |kconfig| y | my |cut_attack_surface| FAIL: not found @@ -255,7 +265,7 @@ CONFIG_INPUT_EVBUG |kconfig| is not set | my |cut_att CONFIG_INTEGRITY |kconfig| y |defconfig | harden_userspace | OK CONFIG_ARCH_MMAP_RND_BITS |kconfig| 32 | clipos | harden_userspace | FAIL: "28" -[+] Config check is finished: 'OK' - 68 / 'FAIL' - 96 +[+] Config check is finished: 'OK' - 71 / 'FAIL' - 103 ``` ## kconfig-hardened-check versioning diff --git a/kconfig_hardened_check/__about__.py b/kconfig_hardened_check/__about__.py index 3c6f84b..ce0149a 100644 --- a/kconfig_hardened_check/__about__.py +++ b/kconfig_hardened_check/__about__.py @@ -1 +1 @@ -__version__ = '0.5.14' +__version__ = '0.5.17' -- 2.31.1