projects / kconfig-hardened-check.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 26ae3b0)
Add the RESET_ATTACK_MITIGATION check according to the feature request #11
authorAlexander Popov <alex.popov@linux.com>
Mon, 4 Mar 2019 18:24:45 +0000 (21:24 +0300)
committerAlexander Popov <alex.popov@linux.com>
Mon, 4 Mar 2019 18:24:45 +0000 (21:24 +0300)
Let's check the RESET_ATTACK_MITIGATION option.

The description of this security feature:
https://lwn.net/Articles/730006/

It needs support from the userspace side:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a5c03c31af2291f13689d11760c0b59fb70c9a5a

Improve the comments about the userspace support by the way.

README.md patch | blob | history
kconfig-hardened-check.py patch | blob | history

diff --git a/README.md b/README.md
index 4a8f2ed4ca3783361927e8a13db6ebd35ae5984e..3f07f0d1798dd669fa87bd240526ed4eb84a014f 100644 (file)
--- a/README.md
+++ b/README.md
@@ -93,6 +93,7 @@ optional arguments:
   CONFIG_SECURITY_DMESG_RESTRICT         |      y      |    my    |  self_protection   ||     FAIL: "is not set"     
   CONFIG_STATIC_USERMODEHELPER           |      y      |    my    |  self_protection   ||     FAIL: "is not set"     
   CONFIG_SECURITY_LOADPIN                |      y      |    my    |  self_protection   ||     FAIL: "is not set"     
+  CONFIG_RESET_ATTACK_MITIGATION         |      y      |    my    |  self_protection   ||             OK             
   CONFIG_PAGE_POISONING_NO_SANITY        | is not set  |    my    |  self_protection   ||       OK: not found        
   CONFIG_PAGE_POISONING_ZERO             | is not set  |    my    |  self_protection   ||       OK: not found        
   CONFIG_SLAB_MERGE_DEFAULT              | is not set  |    my    |  self_protection   ||         FAIL: "y"          
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index a13969714daf4c445642711da306ad8bf29fd6f9..c92d3529f8db88ef9c93c9af420ffdcc4e2e81c2 100755 (executable)
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -207,8 +207,9 @@ def construct_checklist(arch):
     checklist.append(OptCheck('LOCK_DOWN_KERNEL',                 'y', 'my', 'self_protection')) # remember about LOCK_DOWN_MANDATORY
     checklist.append(OptCheck('SLUB_DEBUG_ON',                    'y', 'my', 'self_protection'))
     checklist.append(OptCheck('SECURITY_DMESG_RESTRICT',          'y', 'my', 'self_protection'))
-    checklist.append(OptCheck('STATIC_USERMODEHELPER',            'y', 'my', 'self_protection')) # breaks systemd?
-    checklist.append(OptCheck('SECURITY_LOADPIN',                 'y', 'my', 'self_protection'))
+    checklist.append(OptCheck('STATIC_USERMODEHELPER',            'y', 'my', 'self_protection')) # needs userspace support (systemd)
+    checklist.append(OptCheck('SECURITY_LOADPIN',                 'y', 'my', 'self_protection')) # needs userspace support
+    checklist.append(OptCheck('RESET_ATTACK_MITIGATION',          'y', 'my', 'self_protection')) # needs userspace support (systemd)
     checklist.append(OptCheck('PAGE_POISONING_NO_SANITY',         'is not set', 'my', 'self_protection'))
     checklist.append(OptCheck('PAGE_POISONING_ZERO',              'is not set', 'my', 'self_protection'))
     checklist.append(OptCheck('SLAB_MERGE_DEFAULT',               'is not set', 'my', 'self_protection')) # slab_nomerge
kconfig-hardened-check