From eec17478288683baa6f3b54ccf5862414f767e18 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Mon, 12 Jun 2023 17:46:25 +0300 Subject: [PATCH] Update the README Refers to #67. --- README.md | 42 +++++++++++++++++++++++++++--------------- 1 file changed, 27 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index dbdc1f3..735a891 100644 --- a/README.md +++ b/README.md 
@@ -63,24 +63,28 @@ Some Linux distributions also provide `kconfig-hardened-check` as a package. ## Usage ``` -usage: kconfig-hardened-check [-h] [--version] [-p {X86_64,X86_32,ARM64,ARM}] [-c CONFIG] - [-l CMDLINE] [-m {verbose,json,show_ok,show_fail}] +usage: kconfig-hardened-check [-h] [--version] [-m {verbose,json,show_ok,show_fail}] + [-c CONFIG] [-l CMDLINE] [-p {X86_64,X86_32,ARM64,ARM}] + [-g {X86_64,X86_32,ARM64,ARM}] A tool for checking the security hardening options of the Linux kernel options: -h, --help show this help message and exit --version show program's version number and exit - -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM} - print the security hardening recommendations for the selected - microarchitecture + -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail} + choose the report mode -c CONFIG, --config CONFIG - check the security hardening options in the kernel kconfig file (also - supports *.gz files) + check the security hardening options in the kernel Kconfig file + (also supports *.gz files) -l CMDLINE, --cmdline CMDLINE check the security hardening options in the kernel cmdline file - -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail} - choose the report mode + -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM} + print the security hardening recommendations for the selected + microarchitecture + -g {X86_64,X86_32,ARM64,ARM}, --generate {X86_64,X86_32,ARM64,ARM} + generate a Kconfig fragment with the security hardening options for + the selected microarchitecture ``` ## Output modes 
@@ -338,14 +342,22 @@ sysrq_always_enabled |cmdline| is not set | my |cut_att [+] Config check is finished: 'OK' - 122 / 'FAIL' - 101 ``` -## kconfig-hardened-check versioning - -I usually update the kernel security hardening recommendations every few kernel releases. +## Generating a Kconfig fragment with the security hardening options -So the version of `kconfig-hardened-check` is associated with the corresponding version of the kernel. - -The version format is: __[major_number].[kernel_version].[kernel_patchlevel]__ +With the `-g` argument the tool generates a Kconfig fragment with the security hardening options for the selected microarchitecture. +This Kconfig fragment can be merged with the existing Linux kernel config: +``` +$ ./bin/kconfig-hardened-check -g X86_64 > /tmp/fragment +$ cd ~/linux-src/ +$ ./scripts/kconfig/merge_config.sh .config /tmp/fragment +Using .config as base +Merging /tmp/fragment +Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment /tmp/fragment: +Previous value: # CONFIG_BUG_ON_DATA_CORRUPTION is not set +New value: CONFIG_BUG_ON_DATA_CORRUPTION=y + ... +``` ## Questions and answers -- 2.31.1
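Review bot: in the first hunk, the new `-g`/`--generate` help line does not say where the generated Kconfig fragment is written, while the example added later in this patch relies on it going to stdout (`-g X86_64 > /tmp/fragment`); stating that in the help text (e.g. "... for the selected microarchitecture (printed to stdout)") would keep the usage block and the example consistent.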
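Review bot: in the second hunk, the "kconfig-hardened-check versioning" section, including the `__[major_number].[kernel_version].[kernel_patchlevel]__` format, is deleted rather than moved, and the commit message ("Update the README, Refers to #67") does not say why; if the versioning scheme still applies, keep that paragraph next to the new section, otherwise note the removal in the commit message. The `merge_config.sh` example also stops at `...` after the first redefinition lines, so one sentence on where the merged result ends up (whether `.config` under `~/linux-src/` is rewritten in place) would tell readers what to expect after running it.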