1 # kconfig-hardened-check
3 [](https://github.com/a13xp0p0v/kconfig-hardened-check/tags)<br />
4 [](https://github.com/a13xp0p0v/kconfig-hardened-check/actions/workflows/functional_test.yml)
5 [](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check)<br />
6 [](https://github.com/a13xp0p0v/kconfig-hardened-check/actions/workflows/engine_unit-test.yml)
7 [](https://codecov.io/gh/a13xp0p0v/kconfig-hardened-check)
11 There are plenty of security hardening options for the Linux kernel. A lot of them are
12 not enabled by the major distros. We have to enable these options ourselves to
13 make our systems more secure.
15 But nobody likes checking configs manually. So let the computers do their job!
17 __kconfig-hardened-check__ is a tool for checking the security hardening options of the Linux kernel.
18 The recommendations are based on
20 - [KSPP recommended settings][1]
21 - [CLIP OS kernel configuration][2]
22 - Last public [grsecurity][3] patch (options which they disable)
23 - [SECURITY_LOCKDOWN_LSM][5] patchset
24 - [Direct feedback from the Linux kernel maintainers][23]
26 This tool supports checking __Kconfig__ options and __kernel cmdline__ parameters.
28 I also created the [__Linux Kernel Defence Map__][4], which is a graphical representation of the
29 relationships between security hardening features and the corresponding vulnerability classes
30 or exploitation techniques.
32 __Attention!__ Changing Linux kernel security parameters may also affect system performance
33 and functionality of userspace software. So for choosing these parameters consider
34 the threat model of your Linux-based information system and perform thorough testing
35 of its typical workload.
39 - Main at GitHub <https://github.com/a13xp0p0v/kconfig-hardened-check>
40 - Mirror at Codeberg: <https://codeberg.org/a13xp0p0v/kconfig-hardened-check>
41 - Mirror at GitFlic: <https://gitflic.ru/project/a13xp0p0v/kconfig-hardened-check>
43 ## Supported microarchitectures
50 TODO: RISC-V (issue [#56][22])
54 You can install the package:
57 pip install git+https://github.com/a13xp0p0v/kconfig-hardened-check
60 or simply run `./bin/kconfig-hardened-check` from the cloned repository.
62 Some Linux distributions also provide `kconfig-hardened-check` as a package.
66 usage: kconfig-hardened-check [-h] [--version] [-m {verbose,json,show_ok,show_fail}]
67 [-c CONFIG] [-l CMDLINE] [-p {X86_64,X86_32,ARM64,ARM}]
68 [-g {X86_64,X86_32,ARM64,ARM}]
70 A tool for checking the security hardening options of the Linux kernel
73 -h, --help show this help message and exit
74 --version show program's version number and exit
75 -m {verbose,json,show_ok,show_fail}, --mode {verbose,json,show_ok,show_fail}
76 choose the report mode
77 -c CONFIG, --config CONFIG
78 check the security hardening options in the kernel Kconfig file
79 (also supports *.gz files)
80 -l CMDLINE, --cmdline CMDLINE
81 check the security hardening options in the kernel cmdline file
82 (contents of /proc/cmdline)
83 -p {X86_64,X86_32,ARM64,ARM}, --print {X86_64,X86_32,ARM64,ARM}
84 print the security hardening recommendations for the selected
86 -g {X86_64,X86_32,ARM64,ARM}, --generate {X86_64,X86_32,ARM64,ARM}
87 generate a Kconfig fragment with the security hardening options
88 for the selected microarchitecture
93 - no `-m` argument for the default output mode (see the example below)
94 - `-m verbose` for printing additional info:
95 - config options without a corresponding check
96 - internals of complex checks with AND/OR, like this:
98 -------------------------------------------------------------------------------------------
100 CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface
101 CONFIG_DEVMEM | is not set | kspp | cut_attack_surface
102 -------------------------------------------------------------------------------------------
104 - `-m show_fail` for showing only the failed checks
105 - `-m show_ok` for showing only the successful checks
106 - `-m json` for printing the results in JSON format (for combining `kconfig-hardened-check` with other tools)
108 ## Example output for `Fedora 36` kernel configuration
110 $ ./bin/kconfig-hardened-check -c /boot/config-6.0.18-200.fc36.x86_64 -l /proc/cmdline
111 [+] Kconfig file to check: /boot/config-6.0.18-200.fc36.x86_64
112 [+] Kernel cmdline file to check: /proc/cmdline
113 [+] Detected architecture: X86_64
114 [+] Detected kernel version: 6.0
115 [+] Detected compiler: GCC 120201
116 =========================================================================================================================
117 option name | type |desired val | decision | reason | check result
118 =========================================================================================================================
119 CONFIG_BUG |kconfig| y |defconfig | self_protection | OK
120 CONFIG_SLUB_DEBUG |kconfig| y |defconfig | self_protection | OK
121 CONFIG_THREAD_INFO_IN_TASK |kconfig| y |defconfig | self_protection | OK
122 CONFIG_GCC_PLUGINS |kconfig| y |defconfig | self_protection | OK
123 CONFIG_IOMMU_SUPPORT |kconfig| y |defconfig | self_protection | OK
124 CONFIG_STACKPROTECTOR |kconfig| y |defconfig | self_protection | OK
125 CONFIG_STACKPROTECTOR_STRONG |kconfig| y |defconfig | self_protection | FAIL: "is not set"
126 CONFIG_STRICT_KERNEL_RWX |kconfig| y |defconfig | self_protection | OK
127 CONFIG_STRICT_MODULE_RWX |kconfig| y |defconfig | self_protection | OK
128 CONFIG_REFCOUNT_FULL |kconfig| y |defconfig | self_protection | OK: version >= 5.5
129 CONFIG_RANDOMIZE_BASE |kconfig| y |defconfig | self_protection | OK
130 CONFIG_VMAP_STACK |kconfig| y |defconfig | self_protection | OK
131 CONFIG_DEBUG_WX |kconfig| y |defconfig | self_protection | OK
132 CONFIG_WERROR |kconfig| y |defconfig | self_protection | FAIL: "is not set"
133 CONFIG_X86_MCE |kconfig| y |defconfig | self_protection | OK
134 CONFIG_X86_MCE_INTEL |kconfig| y |defconfig | self_protection | OK
135 CONFIG_X86_MCE_AMD |kconfig| y |defconfig | self_protection | OK
136 CONFIG_MICROCODE |kconfig| y |defconfig | self_protection | OK
137 CONFIG_RETPOLINE |kconfig| y |defconfig | self_protection | OK
138 CONFIG_SYN_COOKIES |kconfig| y |defconfig | self_protection | OK
139 CONFIG_X86_SMAP |kconfig| y |defconfig | self_protection | OK: version >= 5.19
140 CONFIG_X86_UMIP |kconfig| y |defconfig | self_protection | OK
141 CONFIG_PAGE_TABLE_ISOLATION |kconfig| y |defconfig | self_protection | OK
142 CONFIG_RANDOMIZE_MEMORY |kconfig| y |defconfig | self_protection | OK
143 CONFIG_INTEL_IOMMU |kconfig| y |defconfig | self_protection | OK
144 CONFIG_AMD_IOMMU |kconfig| y |defconfig | self_protection | OK
145 CONFIG_BUG_ON_DATA_CORRUPTION |kconfig| y | kspp | self_protection | OK
146 CONFIG_SCHED_STACK_END_CHECK |kconfig| y | kspp | self_protection | OK
147 CONFIG_SLAB_FREELIST_HARDENED |kconfig| y | kspp | self_protection | OK
148 CONFIG_SLAB_FREELIST_RANDOM |kconfig| y | kspp | self_protection | OK
149 CONFIG_SHUFFLE_PAGE_ALLOCATOR |kconfig| y | kspp | self_protection | OK
150 CONFIG_FORTIFY_SOURCE |kconfig| y | kspp | self_protection | OK
151 CONFIG_DEBUG_LIST |kconfig| y | kspp | self_protection | OK
152 CONFIG_DEBUG_VIRTUAL |kconfig| y | kspp | self_protection | FAIL: "is not set"
153 CONFIG_DEBUG_SG |kconfig| y | kspp | self_protection | FAIL: "is not set"
154 CONFIG_DEBUG_CREDENTIALS |kconfig| y | kspp | self_protection | FAIL: "is not set"
155 CONFIG_DEBUG_NOTIFIERS |kconfig| y | kspp | self_protection | FAIL: "is not set"
156 CONFIG_INIT_ON_ALLOC_DEFAULT_ON |kconfig| y | kspp | self_protection | FAIL: "is not set"
157 CONFIG_KFENCE |kconfig| y | kspp | self_protection | OK
158 CONFIG_ZERO_CALL_USED_REGS |kconfig| y | kspp | self_protection | FAIL: "is not set"
159 CONFIG_HW_RANDOM_TPM |kconfig| y | kspp | self_protection | OK
160 CONFIG_STATIC_USERMODEHELPER |kconfig| y | kspp | self_protection | FAIL: "is not set"
161 CONFIG_RANDSTRUCT_FULL |kconfig| y | kspp | self_protection | FAIL: "is not set"
162 CONFIG_RANDSTRUCT_PERFORMANCE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_RANDSTRUCT_FULL is not "y"
163 CONFIG_HARDENED_USERCOPY |kconfig| y | kspp | self_protection | OK
164 CONFIG_HARDENED_USERCOPY_FALLBACK |kconfig| is not set | kspp | self_protection | OK: is not found
165 CONFIG_HARDENED_USERCOPY_PAGESPAN |kconfig| is not set | kspp | self_protection | OK: is not found
166 CONFIG_GCC_PLUGIN_LATENT_ENTROPY |kconfig| y | kspp | self_protection | FAIL: "is not set"
167 CONFIG_MODULE_SIG |kconfig| y | kspp | self_protection | OK
168 CONFIG_MODULE_SIG_ALL |kconfig| y | kspp | self_protection | OK
169 CONFIG_MODULE_SIG_SHA512 |kconfig| y | kspp | self_protection | OK
170 CONFIG_MODULE_SIG_FORCE |kconfig| y | kspp | self_protection | FAIL: "is not set"
171 CONFIG_INIT_STACK_ALL_ZERO |kconfig| y | kspp | self_protection | OK
172 CONFIG_INIT_ON_FREE_DEFAULT_ON |kconfig| y | kspp | self_protection | FAIL: "is not set"
173 CONFIG_EFI_DISABLE_PCI_DMA |kconfig| y | kspp | self_protection | FAIL: "is not set"
174 CONFIG_RESET_ATTACK_MITIGATION |kconfig| y | kspp | self_protection | FAIL: "is not set"
175 CONFIG_UBSAN_BOUNDS |kconfig| y | kspp | self_protection | FAIL: is not found
176 CONFIG_UBSAN_LOCAL_BOUNDS |kconfig| y | kspp | self_protection | FAIL: is not found
177 CONFIG_UBSAN_TRAP |kconfig| y | kspp | self_protection | FAIL: CONFIG_UBSAN_BOUNDS is not "y"
178 CONFIG_UBSAN_SANITIZE_ALL |kconfig| y | kspp | self_protection | FAIL: CONFIG_UBSAN_BOUNDS is not "y"
179 CONFIG_GCC_PLUGIN_STACKLEAK |kconfig| y | kspp | self_protection | FAIL: "is not set"
180 CONFIG_STACKLEAK_METRICS |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is not "y"
181 CONFIG_STACKLEAK_RUNTIME_DISABLE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is not "y"
182 CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT |kconfig| y | kspp | self_protection | OK
183 CONFIG_CFI_CLANG |kconfig| y | kspp | self_protection | FAIL: is not found
184 CONFIG_CFI_PERMISSIVE |kconfig| is not set | kspp | self_protection | FAIL: CONFIG_CFI_CLANG is not "y"
185 CONFIG_SCHED_CORE |kconfig| y | kspp | self_protection | OK
186 CONFIG_DEFAULT_MMAP_MIN_ADDR |kconfig| 65536 | kspp | self_protection | OK
187 CONFIG_IOMMU_DEFAULT_DMA_STRICT |kconfig| y | kspp | self_protection | FAIL: "is not set"
188 CONFIG_IOMMU_DEFAULT_PASSTHROUGH |kconfig| is not set | kspp | self_protection | OK
189 CONFIG_INTEL_IOMMU_DEFAULT_ON |kconfig| y | kspp | self_protection | FAIL: "is not set"
190 CONFIG_SLS |kconfig| y | kspp | self_protection | OK
191 CONFIG_INTEL_IOMMU_SVM |kconfig| y | kspp | self_protection | OK
192 CONFIG_AMD_IOMMU_V2 |kconfig| y | kspp | self_protection | FAIL: "m"
193 CONFIG_SLAB_MERGE_DEFAULT |kconfig| is not set | clipos | self_protection | OK
194 CONFIG_SECURITY |kconfig| y |defconfig | security_policy | OK
195 CONFIG_SECURITY_YAMA |kconfig| y | kspp | security_policy | OK
196 CONFIG_SECURITY_LANDLOCK |kconfig| y | kspp | security_policy | OK
197 CONFIG_SECURITY_SELINUX_DISABLE |kconfig| is not set | kspp | security_policy | OK
198 CONFIG_SECURITY_SELINUX_BOOTPARAM |kconfig| is not set | kspp | security_policy | FAIL: "y"
199 CONFIG_SECURITY_SELINUX_DEVELOP |kconfig| is not set | kspp | security_policy | FAIL: "y"
200 CONFIG_SECURITY_LOCKDOWN_LSM |kconfig| y | kspp | security_policy | OK
201 CONFIG_SECURITY_LOCKDOWN_LSM_EARLY |kconfig| y | kspp | security_policy | OK
202 CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY|kconfig| y | kspp | security_policy | FAIL: "is not set"
203 CONFIG_SECURITY_WRITABLE_HOOKS |kconfig| is not set | kspp | security_policy | OK: is not found
204 CONFIG_SECCOMP |kconfig| y |defconfig |cut_attack_surface| OK
205 CONFIG_SECCOMP_FILTER |kconfig| y |defconfig |cut_attack_surface| OK
206 CONFIG_BPF_UNPRIV_DEFAULT_OFF |kconfig| y |defconfig |cut_attack_surface| OK
207 CONFIG_STRICT_DEVMEM |kconfig| y |defconfig |cut_attack_surface| OK
208 CONFIG_X86_INTEL_TSX_MODE_OFF |kconfig| y |defconfig |cut_attack_surface| OK
209 CONFIG_SECURITY_DMESG_RESTRICT |kconfig| y | kspp |cut_attack_surface| FAIL: "is not set"
210 CONFIG_ACPI_CUSTOM_METHOD |kconfig| is not set | kspp |cut_attack_surface| OK
211 CONFIG_COMPAT_BRK |kconfig| is not set | kspp |cut_attack_surface| OK
212 CONFIG_DEVKMEM |kconfig| is not set | kspp |cut_attack_surface| OK: is not found
213 CONFIG_COMPAT_VDSO |kconfig| is not set | kspp |cut_attack_surface| OK
214 CONFIG_BINFMT_MISC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "m"
215 CONFIG_INET_DIAG |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
216 CONFIG_KEXEC |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
217 CONFIG_PROC_KCORE |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
218 CONFIG_LEGACY_PTYS |kconfig| is not set | kspp |cut_attack_surface| OK
219 CONFIG_HIBERNATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
220 CONFIG_COMPAT |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
221 CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
222 CONFIG_X86_X32 |kconfig| is not set | kspp |cut_attack_surface| OK: is not found
223 CONFIG_X86_X32_ABI |kconfig| is not set | kspp |cut_attack_surface| OK
224 CONFIG_MODIFY_LDT_SYSCALL |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
225 CONFIG_OABI_COMPAT |kconfig| is not set | kspp |cut_attack_surface| OK: is not found
226 CONFIG_X86_MSR |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
227 CONFIG_MODULES |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
228 CONFIG_DEVMEM |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
229 CONFIG_IO_STRICT_DEVMEM |kconfig| y | kspp |cut_attack_surface| OK
230 CONFIG_LDISC_AUTOLOAD |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
231 CONFIG_LEGACY_VSYSCALL_NONE |kconfig| y | kspp |cut_attack_surface| FAIL: "is not set"
232 CONFIG_ZSMALLOC_STAT |kconfig| is not set | grsec |cut_attack_surface| OK
233 CONFIG_PAGE_OWNER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
234 CONFIG_DEBUG_KMEMLEAK |kconfig| is not set | grsec |cut_attack_surface| OK
235 CONFIG_BINFMT_AOUT |kconfig| is not set | grsec |cut_attack_surface| OK: is not found
236 CONFIG_KPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
237 CONFIG_UPROBE_EVENTS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
238 CONFIG_GENERIC_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
239 CONFIG_FUNCTION_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
240 CONFIG_STACK_TRACER |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
241 CONFIG_HIST_TRIGGERS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
242 CONFIG_BLK_DEV_IO_TRACE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
243 CONFIG_PROC_VMCORE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
244 CONFIG_PROC_PAGE_MONITOR |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
245 CONFIG_USELIB |kconfig| is not set | grsec |cut_attack_surface| OK
246 CONFIG_CHECKPOINT_RESTORE |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
247 CONFIG_USERFAULTFD |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
248 CONFIG_HWPOISON_INJECT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "m"
249 CONFIG_MEM_SOFT_DIRTY |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
250 CONFIG_DEVPORT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
251 CONFIG_DEBUG_FS |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
252 CONFIG_NOTIFIER_ERROR_INJECTION |kconfig| is not set | grsec |cut_attack_surface| OK
253 CONFIG_FAIL_FUTEX |kconfig| is not set | grsec |cut_attack_surface| OK: is not found
254 CONFIG_PUNIT_ATOM_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK
255 CONFIG_ACPI_CONFIGFS |kconfig| is not set | grsec |cut_attack_surface| OK
256 CONFIG_EDAC_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK
257 CONFIG_DRM_I915_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK: is not found
258 CONFIG_BCACHE_CLOSURES_DEBUG |kconfig| is not set | grsec |cut_attack_surface| OK
259 CONFIG_DVB_C8SECTPFE |kconfig| is not set | grsec |cut_attack_surface| OK: is not found
260 CONFIG_MTD_SLRAM |kconfig| is not set | grsec |cut_attack_surface| OK
261 CONFIG_MTD_PHRAM |kconfig| is not set | grsec |cut_attack_surface| OK
262 CONFIG_IO_URING |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
263 CONFIG_KCMP |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
264 CONFIG_RSEQ |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
265 CONFIG_LATENCYTOP |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
266 CONFIG_KCOV |kconfig| is not set | grsec |cut_attack_surface| OK
267 CONFIG_PROVIDE_OHCI1394_DMA_INIT |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
268 CONFIG_SUNRPC_DEBUG |kconfig| is not set | grsec |cut_attack_surface| FAIL: "y"
269 CONFIG_PTDUMP_DEBUGFS |kconfig| is not set | grsec |cut_attack_surface| OK
270 CONFIG_DRM_LEGACY |kconfig| is not set |maintainer|cut_attack_surface| OK
271 CONFIG_FB |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
272 CONFIG_VT |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "y"
273 CONFIG_BLK_DEV_FD |kconfig| is not set |maintainer|cut_attack_surface| FAIL: "m"
274 CONFIG_BLK_DEV_FD_RAWCMD |kconfig| is not set |maintainer|cut_attack_surface| OK
275 CONFIG_STAGING |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
276 CONFIG_KSM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
277 CONFIG_KALLSYMS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
278 CONFIG_X86_VSYSCALL_EMULATION |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
279 CONFIG_MAGIC_SYSRQ |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
280 CONFIG_KEXEC_FILE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
281 CONFIG_USER_NS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
282 CONFIG_X86_CPUID |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
283 CONFIG_X86_IOPL_IOPERM |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
284 CONFIG_ACPI_TABLE_UPGRADE |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
285 CONFIG_EFI_CUSTOM_SSDT_OVERLAYS |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
286 CONFIG_COREDUMP |kconfig| is not set | clipos |cut_attack_surface| FAIL: "y"
287 CONFIG_EFI_TEST |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "m"
288 CONFIG_MMIOTRACE_TEST |kconfig| is not set | lockdown |cut_attack_surface| OK
289 CONFIG_KPROBES |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
290 CONFIG_BPF_SYSCALL |kconfig| is not set | lockdown |cut_attack_surface| FAIL: "y"
291 CONFIG_MMIOTRACE |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
292 CONFIG_LIVEPATCH |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
293 CONFIG_IP_DCCP |kconfig| is not set | my |cut_attack_surface| OK
294 CONFIG_IP_SCTP |kconfig| is not set | my |cut_attack_surface| FAIL: "m"
295 CONFIG_FTRACE |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
296 CONFIG_VIDEO_VIVID |kconfig| is not set | my |cut_attack_surface| OK: is not found
297 CONFIG_INPUT_EVBUG |kconfig| is not set | my |cut_attack_surface| OK
298 CONFIG_KGDB |kconfig| is not set | my |cut_attack_surface| FAIL: "y"
299 CONFIG_TRIM_UNUSED_KSYMS |kconfig| y | my |cut_attack_surface| FAIL: is not found
300 CONFIG_INTEGRITY |kconfig| y |defconfig | harden_userspace | OK
301 CONFIG_ARCH_MMAP_RND_BITS |kconfig| 32 | clipos | harden_userspace | FAIL: "28"
302 nosmep |cmdline| is not set |defconfig | self_protection | OK: is not found
303 nosmap |cmdline| is not set |defconfig | self_protection | OK: is not found
304 nokaslr |cmdline| is not set |defconfig | self_protection | OK: is not found
305 nopti |cmdline| is not set |defconfig | self_protection | OK: is not found
306 nospectre_v1 |cmdline| is not set |defconfig | self_protection | OK: is not found
307 nospectre_v2 |cmdline| is not set |defconfig | self_protection | OK: is not found
308 nospectre_bhb |cmdline| is not set |defconfig | self_protection | OK: is not found
309 nospec_store_bypass_disable |cmdline| is not set |defconfig | self_protection | OK: is not found
310 arm64.nobti |cmdline| is not set |defconfig | self_protection | OK: is not found
311 arm64.nopauth |cmdline| is not set |defconfig | self_protection | OK: is not found
312 arm64.nomte |cmdline| is not set |defconfig | self_protection | OK: is not found
313 mitigations |cmdline| is not off |defconfig | self_protection | OK: mitigations is not found
314 spectre_v2 |cmdline| is not off |defconfig | self_protection | OK: spectre_v2 is not found
315 spectre_v2_user |cmdline| is not off |defconfig | self_protection | OK: spectre_v2_user is not found
316 spec_store_bypass_disable |cmdline| is not off |defconfig | self_protection | OK: spec_store_bypass_disable is not found
317 l1tf |cmdline| is not off |defconfig | self_protection | OK: l1tf is not found
318 mds |cmdline| is not off |defconfig | self_protection | OK: mds is not found
319 tsx_async_abort |cmdline| is not off |defconfig | self_protection | OK: tsx_async_abort is not found
320 srbds |cmdline| is not off |defconfig | self_protection | OK: srbds is not found
321 mmio_stale_data |cmdline| is not off |defconfig | self_protection | OK: mmio_stale_data is not found
322 retbleed |cmdline| is not off |defconfig | self_protection | OK: retbleed is not found
323 kpti |cmdline| is not off |defconfig | self_protection | OK: kpti is not found
324 kvm.nx_huge_pages |cmdline| is not off |defconfig | self_protection | OK: kvm.nx_huge_pages is not found
325 rodata |cmdline| 1 |defconfig | self_protection | OK: rodata is not found
326 nosmt |cmdline| is present | kspp | self_protection | FAIL: is not present
327 init_on_alloc |cmdline| 1 | kspp | self_protection | FAIL: is not found
328 init_on_free |cmdline| 1 | kspp | self_protection | FAIL: is not found
329 slab_nomerge |cmdline| is present | kspp | self_protection | OK: CONFIG_SLAB_MERGE_DEFAULT is "is not set"
330 iommu.strict |cmdline| 1 | kspp | self_protection | FAIL: is not found
331 iommu.passthrough |cmdline| 0 | kspp | self_protection | OK: CONFIG_IOMMU_DEFAULT_PASSTHROUGH is "is not set"
332 hardened_usercopy |cmdline| 1 | kspp | self_protection | OK: CONFIG_HARDENED_USERCOPY is "y"
333 slab_common.usercopy_fallback |cmdline| 0 | kspp | self_protection | OK: CONFIG_HARDENED_USERCOPY_FALLBACK is not found
334 randomize_kstack_offset |cmdline| 1 | kspp | self_protection | OK: CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is "y"
335 pti |cmdline| on | kspp | self_protection | FAIL: is not found
336 page_alloc.shuffle |cmdline| 1 | clipos | self_protection | FAIL: is not found
337 iommu |cmdline| force | clipos | self_protection | FAIL: is not found
338 tsx |cmdline| off |defconfig |cut_attack_surface| OK: CONFIG_X86_INTEL_TSX_MODE_OFF is "y"
339 vsyscall |cmdline| none | kspp |cut_attack_surface| FAIL: is not found
340 debugfs |cmdline| off | grsec |cut_attack_surface| FAIL: is not found
341 sysrq_always_enabled |cmdline| is not set | my |cut_attack_surface| OK: is not found
343 [+] Config check is finished: 'OK' - 122 / 'FAIL' - 101
346 ## Generating a Kconfig fragment with the security hardening options
348 With the `-g` argument, the tool generates a Kconfig fragment with the security hardening options for the selected microarchitecture.
350 This Kconfig fragment can be merged with the existing Linux kernel config:
352 $ ./bin/kconfig-hardened-check -g X86_64 > /tmp/fragment
354 $ ./scripts/kconfig/merge_config.sh .config /tmp/fragment
355 Using .config as base
356 Merging /tmp/fragment
357 Value of CONFIG_BUG_ON_DATA_CORRUPTION is redefined by fragment /tmp/fragment:
358 Previous value: # CONFIG_BUG_ON_DATA_CORRUPTION is not set
359 New value: CONFIG_BUG_ON_DATA_CORRUPTION=y
363 ## Questions and answers
365 __Q:__ How all these kernel parameters influence the Linux kernel security?
367 __A:__ To answer this question, you can use the `kconfig-hardened-check` [sources of recommendations][24]
368 and the [Linux Kernel Defence Map][4] with its references.
372 __Q:__ How disabling `CONFIG_USER_NS` cuts the attack surface? It's needed for containers!
374 __A:__ Yes, the `CONFIG_USER_NS` option provides some isolation between the userspace programs,
375 but the tool recommends disabling it to cut the attack surface __of the kernel__.
379 - An LWN article about the corresponding LKML discussion: https://lwn.net/Articles/673597/
381 - A twitter thread about `CONFIG_USER_NS` and security: https://twitter.com/robertswiecki/status/1095447678949953541
383 - A good overview of the trade-off between having user namespaces enabled, disabled and available only for root: https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
387 __Q:__ KSPP and CLIP OS recommend `CONFIG_PANIC_ON_OOPS=y`. Why doesn't this tool do the same?
389 __A:__ I personally don't support this recommendation because:
390 - It decreases system safety (kernel oops is still not a rare situation)
391 - It allows easier denial-of-service attacks for the whole system
393 I think having `CONFIG_BUG` is enough here.
394 If a kernel oops happens in the process context, the offending/attacking process is killed.
395 In other cases, the kernel panics, which is similar to `CONFIG_PANIC_ON_OOPS=y`.
399 __Q:__ Why enabling `CONFIG_STATIC_USERMODEHELPER` breaks various things in my GNU/Linux system?
400 Do I really need that feature?
402 __A:__ Linux kernel usermode helpers can be used for privilege escalation in kernel exploits
403 ([example 1][9], [example 2][10]). `CONFIG_STATIC_USERMODEHELPER` prevents that method. But it
404 requires the corresponding support in the userspace: see the [example implementation][11] by
405 Tycho Andersen [@tych0][12].
409 __Q:__ What about performance impact of these security hardening options?
411 __A:__ Ike Devolder [@BlackIkeEagle][7] made some performance tests and described the results in [this article][8].
412 A more detailed evaluation is in the TODO list (the issue [#66][21]).
416 __Q:__ Can I easily check which kernel versions support some Kconfig option?
418 __A:__ Yes. See the [LKDDb][18] project (Linux Kernel Driver Database) by Giacomo Catenazzi [@cateee][19].
419 You can use it for the `mainline` or `stable` tree from [kernel.org][20] or for your custom kernel sources.
423 __Q:__ Does my kernel have all those mitigations of Transient Execution Vulnerabilities in my hardware?
425 __A:__ Checking the kernel config is not enough to answer this question.
426 I highly recommend using [spectre-meltdown-checker][13] tool maintained by Stéphane Lesimple [@speed47][14].
430 __Q:__ Why the `CONFIG_GCC_PLUGINS` option is automatically disabled during the kernel compilation?
432 __A:__ It means that your gcc doesn't support plugins. For example, if you have `gcc-7` on Ubuntu,
433 try to install `gcc-7-plugin-dev` package, it should help.
436 [1]: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
437 [2]: https://docs.clip-os.org/clipos/kernel.html#configuration
438 [3]: https://grsecurity.net/
439 [4]: https://github.com/a13xp0p0v/linux-kernel-defence-map
440 [5]: https://lwn.net/Articles/791863/
441 [6]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/38
442 [7]: https://github.com/BlackIkeEagle
443 [8]: https://blog.herecura.eu/blog/2020-05-30-kconfig-hardening-tests/
444 [9]: https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html
445 [10]: https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
446 [11]: https://github.com/tych0/huldufolk
447 [12]: https://github.com/tych0
448 [13]: https://github.com/speed47/spectre-meltdown-checker
449 [14]: https://github.com/speed47
450 [15]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/53
451 [16]: https://github.com/a13xp0p0v/kconfig-hardened-check/pull/54
452 [17]: https://github.com/a13xp0p0v/kconfig-hardened-check/pull/62
453 [18]: https://cateee.net/lkddb/web-lkddb/
454 [19]: https://github.com/cateee/lkddb
455 [20]: https://kernel.org/
456 [21]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/66
457 [22]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/56
458 [23]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues?q=label%3Akernel_maintainer_feedback
459 [24]: https://github.com/a13xp0p0v/kconfig-hardened-check#motivation
projects / kconfig-hardened-check.git / blob