a13xp0p0v / kernel-hardening-checker
A tool for checking the security hardening options of the Linux kernel
License: GNU General Public License v3.0
Hello,
The X86_SMAP option is no longer present in 5.19.X kernels. It is now enforced.
(commit)
Since it has been removed, the script marks the entry as failed.
[+] Special report mode: show_fail
[+] Kconfig file to check: /opt/KERNEL/linux-5.19.5/.config
[+] Detected architecture: X86_64
[+] Detected kernel version: 5.19
=========================================================================================================================
option name | type |desired val | decision | reason | check result
=========================================================================================================================
CONFIG_X86_SMAP |kconfig| y |defconfig | self_protection | FAIL: not found
The GCC_PLUGIN_RANDSTRUCT and GCC_PLUGIN_RANDSTRUCT_PERFORMANCE options have changed now that Clang has the feature (commit). They are now named RANDSTRUCT_FULL and RANDSTRUCT_PERFORMANCE respectively.
At the moment they don't fail, but the new entries should be added to the script, I think.
grep RANDSTRUCT ./.config
# CONFIG_RANDSTRUCT_NONE is not set
CONFIG_RANDSTRUCT_FULL=y
# CONFIG_RANDSTRUCT_PERFORMANCE is not set
CONFIG_RANDSTRUCT=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
Hey,
I'm trying to do my best with the security options based on your script. I have a little problem with a few options.
When I add these options:
# Enable GCC Plugins
CONFIG_GCC_PLUGINS=y
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
# Force all structures to be initialized before they are passed to other functions.
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
# Randomize the layout of system structures. This may have dramatic performance impact, so
# use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
And run "make -j 8 deb-pkg" on Ubuntu or "make -j8 bzImage ..." on CentOS, these options are removed immediately from ".config" in kernel-4.19.6. I have no idea what's going on. Could you tell me what I am doing wrong?
Some people use CONFIG_INIT_ON_ALLOC_DEFAULT_ON/CONFIG_INIT_ON_FREE_DEFAULT_ON or linux-hardened's CONFIG_PAGE_SANITIZE (for LTS kernels) instead of CONFIG_PAGE_POISONING. People using these alternatives will get pointless errors that may confuse them.
It would be better if the errors were only shown when not using these.
PAGE_POISONING_NO_SANITY and PAGE_POISONING_ZERO depend on PAGE_POISONING. Checking a distro config which doesn't enable PAGE_POISONING (like Fedora) will show OK: not found for the first two even though it's far from OK in this case.
Currently the script checks only for MODULE_SIG_SHA512. Some distros (like Fedora) may use SHA256, which I think should be fine as well even if KSPP chose a different example.
Hey guys,
When I set up a CentOS 7 server with KSPP settings (config below), install web hosting panels like cPanel, CWP panel or ISPmanager and then reboot the server, many services are frozen. My network is disabled and I can't start it with the command systemctl start network, I can't reboot the server, etc. When I run these commands nothing happens, it just waits and waits.
My KSPP config:
CONFIG_BUG | y |defconfig | self_protection || OK
CONFIG_STRICT_KERNEL_RWX | y |defconfig | self_protection || OK
CONFIG_STACKPROTECTOR_STRONG | y |defconfig | self_protection || OK
CONFIG_SLUB_DEBUG | y |defconfig | self_protection || OK
CONFIG_STRICT_MODULE_RWX | y |defconfig | self_protection || OK
CONFIG_PAGE_TABLE_ISOLATION | y |defconfig | self_protection || OK
CONFIG_RANDOMIZE_MEMORY | y |defconfig | self_protection || OK
CONFIG_RANDOMIZE_BASE | y |defconfig | self_protection || OK
CONFIG_RETPOLINE | y |defconfig | self_protection || OK
CONFIG_X86_SMAP | y |defconfig | self_protection || OK
CONFIG_X86_INTEL_UMIP | y |defconfig | self_protection || OK
CONFIG_SYN_COOKIES | y |defconfig | self_protection || OK
CONFIG_VMAP_STACK | y |defconfig | self_protection || OK
CONFIG_THREAD_INFO_IN_TASK | y |defconfig | self_protection || OK
CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection || OK
CONFIG_DEBUG_WX | y | kspp | self_protection || OK
CONFIG_SCHED_STACK_END_CHECK | y | kspp | self_protection || OK
CONFIG_SLAB_FREELIST_HARDENED | y | kspp | self_protection || OK
CONFIG_SLAB_FREELIST_RANDOM | y | kspp | self_protection || OK
CONFIG_FORTIFY_SOURCE | y | kspp | self_protection || OK
CONFIG_GCC_PLUGINS | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_STRUCTLEAK | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection || OK
CONFIG_DEBUG_LIST | y | kspp | self_protection || OK
CONFIG_DEBUG_SG | y | kspp | self_protection || OK
CONFIG_DEBUG_CREDENTIALS | y | kspp | self_protection || OK
CONFIG_DEBUG_NOTIFIERS | y | kspp | self_protection || OK
CONFIG_PAGE_POISONING | y | kspp | self_protection || OK
CONFIG_HARDENED_USERCOPY | y | kspp | self_protection || OK
CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection || OK
CONFIG_MODULE_SIG | y | kspp | self_protection || OK
CONFIG_MODULE_SIG_ALL | y | kspp | self_protection || OK
CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protection || FAIL: "is not set"
CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection || FAIL: "is not set"
CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | kspp | self_protection || OK
CONFIG_REFCOUNT_FULL | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_STACKLEAK | y | my | self_protection || OK
CONFIG_LOCK_DOWN_KERNEL | y | my | self_protection || FAIL: not found
CONFIG_SLUB_DEBUG_ON | y | my | self_protection || OK
CONFIG_SECURITY_DMESG_RESTRICT | y | my | self_protection || OK
CONFIG_STATIC_USERMODEHELPER | y | my | self_protection || FAIL: "is not set"
CONFIG_SECURITY_LOADPIN | y | my | self_protection || FAIL: "is not set"
CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection || OK
CONFIG_SLAB_MERGE_DEFAULT | is not set | my | self_protection || FAIL: "y"
CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection || OK
CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection || OK
CONFIG_SECURITY | y |defconfig | security_policy || OK
CONFIG_SECURITY_YAMA | y | kspp | security_policy || OK
CONFIG_SECURITY_SELINUX_DISABLE | is not set | kspp | security_policy || OK
CONFIG_SECCOMP | y |defconfig | cut_attack_surface || OK
CONFIG_SECCOMP_FILTER | y |defconfig | cut_attack_surface || OK
CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface || OK
CONFIG_MODULES | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_DEVMEM | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface || FAIL: "is not set"
CONFIG_ACPI_CUSTOM_METHOD | is not set | kspp | cut_attack_surface || FAIL: "m"
CONFIG_COMPAT_BRK | is not set | kspp | cut_attack_surface || OK
CONFIG_DEVKMEM | is not set | kspp | cut_attack_surface || OK
CONFIG_COMPAT_VDSO | is not set | kspp | cut_attack_surface || OK
CONFIG_BINFMT_MISC | is not set | kspp | cut_attack_surface || FAIL: "m"
CONFIG_INET_DIAG | is not set | kspp | cut_attack_surface || FAIL: "m"
CONFIG_KEXEC | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_PROC_KCORE | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_LEGACY_PTYS | is not set | kspp | cut_attack_surface || OK
CONFIG_HIBERNATION | is not set | kspp | cut_attack_surface || OK
CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface || FAIL: "is not set"
CONFIG_IA32_EMULATION | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_X86_X32 | is not set | kspp | cut_attack_surface || OK
CONFIG_MODIFY_LDT_SYSCALL | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_X86_PTDUMP | is not set |grsecurity| cut_attack_surface || OK
CONFIG_ZSMALLOC_STAT | is not set |grsecurity| cut_attack_surface || OK
CONFIG_PAGE_OWNER | is not set |grsecurity| cut_attack_surface || OK
CONFIG_DEBUG_KMEMLEAK | is not set |grsecurity| cut_attack_surface || OK
CONFIG_BINFMT_AOUT | is not set |grsecurity| cut_attack_surface || OK: not found
CONFIG_KPROBES | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_UPROBES | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_GENERIC_TRACER | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_PROC_VMCORE | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_PROC_PAGE_MONITOR | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_USELIB | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_CHECKPOINT_RESTORE | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_USERFAULTFD | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_HWPOISON_INJECT | is not set |grsecurity| cut_attack_surface || FAIL: "m"
CONFIG_MEM_SOFT_DIRTY | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface || OK
CONFIG_ACPI_TABLE_UPGRADE | is not set | lockdown | cut_attack_surface || FAIL: "y"
CONFIG_ACPI_APEI_EINJ | is not set | lockdown | cut_attack_surface || FAIL: "m"
CONFIG_PROFILING | is not set | lockdown | cut_attack_surface || FAIL: "y"
CONFIG_BPF_SYSCALL | is not set | lockdown | cut_attack_surface || FAIL: "y"
CONFIG_MMIOTRACE_TEST | is not set | lockdown | cut_attack_surface || OK: not found
CONFIG_MMIOTRACE | is not set | my | cut_attack_surface || OK
CONFIG_KEXEC_FILE | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_LIVEPATCH | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_USER_NS | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_IP_DCCP | is not set | my | cut_attack_surface || FAIL: "m"
CONFIG_IP_SCTP | is not set | my | cut_attack_surface || FAIL: "m"
CONFIG_FTRACE | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_BPF_JIT | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_ARCH_MMAP_RND_BITS | 32 | my |userspace_protection|| FAIL: "28"
[+] config check is finished: 'OK' - 62 / 'FAIL' - 41
Can someone help me with this? I would be grateful.
Could it be because of this?
CONFIG_GCC_PLUGINS | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_STRUCTLEAK | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection || OK
Parrot OS 5.0, python 3
kconfig-hardened-check version 5.14
I've tried all options in the help menu and I didn't find anything similar to my idea.
/usr/lib/python3/dist-packages/kconfig_hardened_check/config_files/ and users don't know where to search configs / modules.
Add an __init__.py file into config_files. By this, the folder configs is a module of the whole project.
from kconfig-hardened-check.<any path> import config_files
The absolute path of the module will be config_files.__path__[0]
walk_dir(config_files.__path__[0])
By this, you can have an option in argv to list all configs.
-c flag, like -c distros/debian.config: the absolute path is merged with config_files.__path__[0], so there's no need to know the absolute path.
Hello Alexander,
After kernel compilation I'm getting the issue "unknown filesystem type ext4", "Failed to mount /sysroot".
I was wondering which KSPP feature could be responsible for it? I tried many times and always get the same issue as I mentioned. Screenshot:
https://www.centos.org/forums/download/file.php?id=2571
It looks like my initramfs doesn't have the kernel module for ext4, but why?
I'm using CentOS 7 with gcc 7.2.
Currently, UBSAN-related choices are as follows:
It is unclear to me why the last two are chosen. UBSAN_MISC=y seems like a good thing, as it enables more checks. UBSAN_TRAP=y seems like a bad thing, as it enables denial of service attacks. Furthermore, if I understand things correctly, UBSAN_SANITIZE_ALL=y would be needed to practically activate UBSAN.
Is my understanding correct, or a misunderstanding (which is perfectly possible)? In the latter case, I would be grateful for a pointer to an appropriate resource.
Hello @Mic92, could you help with this Nix problem?
I tested the installation of kconfig-hardened-check
in a Docker container with Ubuntu 20.04.4 LTS.
It failed with the following error:
a13x@dc92d9d74557:~/src/1/kconfig-hardened-check/contrib$ ./get-nix-kconfig.py
these 50 paths will be fetched (94.58 MiB download, 374.80 MiB unpacked):
Traceback (most recent call last):
File "/home/a13x/src/1/kconfig-hardened-check/contrib/./get-nix-kconfig.py", line 30, in <module>
main()
File "/home/a13x/src/1/kconfig-hardened-check/contrib/./get-nix-kconfig.py", line 16, in main
data = json.loads(proc.stdout)
File "/nix/store/hym1n0ygqp9wcm7pxn4sfrql3fg7xa09-python3-3.9.12/lib/python3.9/json/__init__.py", line 346, in loads
return _default_decoder.decode(s)
File "/nix/store/hym1n0ygqp9wcm7pxn4sfrql3fg7xa09-python3-3.9.12/lib/python3.9/json/decoder.py", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/nix/store/hym1n0ygqp9wcm7pxn4sfrql3fg7xa09-python3-3.9.12/lib/python3.9/json/decoder.py", line 355, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
Hoping for your help with Nix, @Mic92!
It should use the JSON output of kconfig-hardened-check.
Hi. This repository has been incredibly useful to me as of late. I’m trying to do the following: create a COPR repository for example such that it takes the kernel configuration from Fedora’s latest kernel build for say 36 and then applies the recommended options here, handles setting everything on/off etc for everything that depends on that option and everything setting that option depends on while blacklisting certain recommendations such that it doesn’t break certain apps etc. Post doing this it would grab the source code for that kernel versions and build it with those configs and then one would just install the kernel normally.
How would one go about implementing this? Thank you!
It would be nice to have kconfig-hardened-check adapted for RISC-V kernel configs.
Hi,
I would like to integrate your project into a Python script which would check the security settings automatically and provide a report.
Would it be possible to have an easily parsable JSON output?
Otherwise processing your data will be very difficult if you are not human.
Thanks !
Would the maintainers be open to adding colors to the output of the "check result" column? For example, the output would be red for FAIL, and green for OK?
Hello,
Thank you for this awesome project!
It seems that "LOCK_DOWN_KERNEL" / "LOCK_DOWN_MANDATORY" enable other flags.
http://lkml.iu.edu/hypermail/linux/kernel/1704.0/02933.html
Is it possible to reflect this in the script?
I have a minimal kernel without modules for a server. I get a warning about CONFIG_MODULE_SIG_FORCE, which should not apply for a kernel without module support.
For several other module-related options the script behaves correctly (saying 'CONFIG_MODULES: OK ("is not set")' indicating this does not apply), but for CONFIG_MODULE_SIG_FORCE it does not do so.
Output is:
CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection || FAIL: not found
CONFIG_ZERO_CALL_USED_REGS is useless at best, with a significant performance impact.
This is a security theatre knob, and the performance budget would be better spent elsewhere.
Hi Alexander,
I am monitoring an interesting project (CLIP OS) in my country, and some of its options should be compared with your project.
Here are some options that are missing or different from kconfig-hardened-check:
CONFIG_AUDIT=y
CONFIG_IKCONFIG=n
CONFIG_KALLSYMS=n
CONFIG_SLAB_HARDENED=y
CONFIG_SLAB_CANARY=y
CONFIG_SLAB_SANITIZE=y
CONFIG_SLAB_SANITIZE_VERIFY=y
CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=n
CONFIG_LOCAL_INIT=n
CONFIG_X86_VSYSCALL_EMULATION=n
CONFIG_MICROCODE=y
CONFIG_X86_MSR=y
CONFIG_KSM=n
CONFIG_MTRR=y
CONFIG_X86_PAT=y
CONFIG_ARCH_RANDOM=y
CONFIG_X86_INTEL_MPX=n
CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=n
CONFIG_CRASH_DUMP=n
CONFIG_COREDUMP=n
CONFIG_TCG_TPM=n
CONFIG_RANDOM_TRUST_CPU=n
CONFIG_IOMMU_SUPPORT=y
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_SVM=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
CONFIG_MAGIC_SYSRQ=n
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_VIRTUAL=y
CONFIG_SLUB_DEBUG_ON=n
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_TIMEOUT=-1
CONFIG_INTEL_TXT=n
CONFIG_FORTIFY_SOURCE_STRICT_STRING=n
CONFIG_STATIC_USERMODEHELPER_PATH=""
CONFIG_SECURITY_SELINUX_BOOTPARAM=n
CONFIG_INTEGRITY=n
CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
CONFIG_PAGE_SANITIZE_VERIFY=y
CONFIG_SECURITY_TIOCSTI_RESTRICT=y
CONFIG_LOCK_DOWN_MANDATORY=y
CONFIG_STACKLEAK_TRACK_MIN_SIZE=100
CONFIG_STACKLEAK_METRICS=n
CONFIG_STACKLEAK_RUNTIME_DISABLE=n
Details of the options are available here:
https://docs.clip-os.org/clipos/kernel.html#configuration
Best regards,
CONFIG_AMD_IOMMU=y
CONFIG_AMD_IOMMU_V2=m
appears to correctly set up the AMD v2 IOMMU on supported hardware (tested on NixOS) and is the config option used by Fedora/RHEL.
If you agree with this assessment, any pointers on how to add an OR to the existing AND conditional for CONFIG_AMD_IOMMU?
Shouldn't NAMESPACES be replaced by USER_NS? AFAIK only user namespaces have security concerns, others are fine. Disabling them all will negatively affect many applications which use various namespaces for sandboxing.
Since Linux 4.16 there is the CC_STACKPROTECTOR_AUTO kconfig, which effectively replaces CC_STACKPROTECTOR_STRONG and makes it a false negative in the script.
The script doesn't check for DEVMEM, which when set to n makes STRICT_DEVMEM and IO_STRICT_DEVMEM false negatives.
I did not go through them all, but these in particular stuck out to me:
CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT not "y"
CONFIG_STACKLEAK_METRICS | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y"
CONFIG_STACKLEAK_RUNTIME_DISABLE | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_STACKLEAK not "y"
If I'm reading this properly, the recommended setting for these is not set. However, the specific tests show as FAIL because they are not "y".
Perhaps I'm just interpreting the report incorrectly, but at first glance it would appear that the check for the desired result is wrong.
Hey everyone,
I'm trying to configure the Kernel-5.5 config and I don't see the CONFIG_REFCOUNT_FULL option, and the same with VMAP_STACK.
I use Kernel-5.3 for now and there the option is available. So should I assume that this option is no longer available?
Thanks !
CONFIG_REFCOUNT_FULL conflicts with PAX_REFCOUNT
PAGE_TABLE_ISOLATION conflicts with PAX_MEMORY_UDEREF
VMAP_STACK conflicts with GRKERNSEC_KSTACKOVERFLOW
SECURITY_YAMA conflicts with GRKERNSEC
RANDOMIZE_BASE also cannot be enabled.
According to this, slub_debug is a hardening command line parameter. But when you use this option, you will see the following in the syslog on newer kernels:
kernel: **********************************************************
kernel: ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
kernel: ** **
kernel: ** This system shows unhashed kernel memory addresses **
kernel: ** via the console, logs, and other interfaces. This **
kernel: ** might reduce the security of your system. **
kernel: ** **
kernel: ** If you see this message and you are not debugging **
kernel: ** the kernel, report this immediately to your system **
kernel: ** administrator! **
kernel: ** **
kernel: ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
kernel: **********************************************************
So, should users use slub_debug=FZP or slub_debug=ZP?
Currently only uncompressed config-* files in /boot/ are supported, but the current kernel config can also be accessed via /proc/config.gz. There's no way to use this file. Please support this path as well.
It seems it helps indirectly against DMA attacks (from what I understand). It is recommended by ANSSI.
From this PDF (in French), at the chapter "5.2.1 Configuration de la mémoire"
Or from this older version of the same PDF but in English: chapter "4.3 IOMMU Service (input/output virtualization)"
The RDK Linux Hardening specification lists many flags that are not checked in this tool. The first five I looked for were not there: CONFIG_DEBUG_KERNEL, CONFIG_MARKERS, CONFIG_DEBUG_MEMLEAK and CONFIG_ELF_CORE.
Perhaps these can be added as part of a new 'RDK security policy' check for the 'decision' column.
It seems there is a problem with the current stable kernel (5.15.14 at the date of this issue).
The kernel option TRIM_UNUSED_KSYMS is defined in my config as:
Symbol: TRIM_UNUSED_KSYMS [=n]
Type : bool
Defined at init/Kconfig:2301
Prompt: Trim unused exported kernel symbols
Depends on: MODULES [=n] && !COMPILE_TEST [=n]
Visible if: MODULES [=n] && !COMPILE_TEST [=n] && EXPERT [=y]
Location:
(1) -> Enable loadable module support (MODULES [=n])
Yet the script (with the setup above) gives me:
CONFIG_TRIM_UNUSED_KSYMS | y | my | cut_attack_surface | FAIL: not found
But as the hardening requires having MODULES = n (is not set), it is impossible to set TRIM_UNUSED_KSYMS through menuconfig.
A kernel config specialized for better security inside virtual machines is in development.
The development preview version can be found here:
https://github.com/Whonix/hardened-kernel/blob/master/usr/share/hardened-kernel/hardened-vm-kernel
This work is being done by @madaidan who also contributed pull requests to linux-hardened.
https://github.com/anthraxx/linux-hardened/pulls?utf8=%E2%9C%93&q=author%3Amadaidan
Discussions about the kernel config happen mostly in Whonix forums.
https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/214
The hardened kernel config was contributed by @madaidan to the @Whonix project but as the maintainer of Whonix I think that it is not the most suitable project to maintain a kernel config. It would be more impactful and would get more eyes on it if it was hosted here.
Therefore I am wondering if there is any chance you would accept a pull request for a hardened (VM) config file? Which folder would be suitable for such a config file?
@madaidan is also working on a hardened bare metal (i.e. non-VM) kernel config:
https://github.com/Whonix/hardened-kernel/blob/master/usr/share/hardened-kernel/hardened-host-kernel
I was trying to follow a book (Billimoria, Kaiwan N. Linux Kernel Debugging: Leverage proven tools and advanced techniques to effectively debug Linux kernels and kernel modules (p. 61). Packt Publishing. Kindle Edition.).
But:
$ bin/kconfig-hardened-check -p X86_64 -c ~/lkd_kernels/kconfig.prod01/.config
[!] ERROR: --config and --print can't be used together
What should I do?
Thanks for this tool.
I'd propose to add a check for CONFIG_RESET_ATTACK_MITIGATION.
This is a feature that on modern systems will set a flag on boot that signals the BIOS to wipe the memory if an unclean shutdown happened. This can protect against some forms of cold boot attacks where you reboot into another system and try to read out the memory from the previous run.
Here's the Kernel submission with some explanation:
https://lwn.net/Articles/730006/
It's also explained in this talk:
https://www.youtube.com/watch?v=RqvPZnLkP70 (around minute 35)
If I try to do:
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index 3fcb5e0..1c31c40 100755
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -251,8 +251,8 @@ def construct_checklist(checklist, arch):
checklist.append(OptCheck('MICROCODE', 'y', 'defconfig', 'self_protection')) # is needed for mitigating CPU bugs
checklist.append(OptCheck('RETPOLINE', 'y', 'defconfig', 'self_protection'))
checklist.append(OptCheck('X86_SMAP', 'y', 'defconfig', 'self_protection'))
- checklist.append(OR(OptCheck('X86_UMIP', 'y', 'defconfig', 'self_protection'), \
- OptCheck('X86_INTEL_UMIP', 'y', 'defconfig', 'self_protection')))
+ checklist.append(OR(AND(OptCheck('X86_UMIP', 'y', 'defconfig', 'self_protection'), VerCheck((5, 5))), \
+ AND(OptCheck('X86_INTEL_UMIP', 'y', 'defconfig', 'self_protection'), VerCheck((4, 14)))))
checklist.append(OptCheck('SYN_COOKIES', 'y', 'defconfig', 'self_protection')) # another reason?
if arch == 'X86_64':
checklist.append(OptCheck('PAGE_TABLE_ISOLATION', 'y', 'defconfig', 'self_protection'))
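Review bot: the traceback below (AttributeError: can't set attribute at `o.state = parsed_options.get(o.name, None)` in perform_checks) shows why nesting VerCheck inside AND breaks here: perform_checks assigns `state` to every element of a complex check, and a VerCheck is not a Kconfig option with a settable state. Before this hunk can land, either perform_checks has to skip non-OptCheck elements before the assignment (for instance by testing `isinstance(o, OptCheck)` and recursing into nested AND/OR), or VerCheck has to accept the assignment. The hunk also relies on AND and VerCheck being available in this module; it does not show them being defined or imported, so that is worth confirming.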
I get:
Traceback (most recent call last):
File "/home/tycho/.local/bin/kconfig-hardened-check", line 10, in <module>
sys.exit(main())
File "/home/tycho/.local/lib/python3.7/site-packages/kconfig_hardened_check/__init__.py", line 611, in main
check_config_file(config_checklist, args.config, arch)
File "/home/tycho/.local/lib/python3.7/site-packages/kconfig_hardened_check/__init__.py", line 554, in check_config_file
perform_checks(checklist, parsed_options)
File "/home/tycho/.local/lib/python3.7/site-packages/kconfig_hardened_check/__init__.py", line 519, in perform_checks
o.state = parsed_options.get(o.name, None)
AttributeError: can't set attribute
I have an Intel CPU, and when I run kconfig-hardened-check
I get the following FAILs:
CONFIG_AMD_IOMMU | y |defconfig | self_protection | FAIL: "is not set"
CONFIG_AMD_IOMMU_V2 | y | my | self_protection | FAIL: not found
It would be nice to have such CPU specific options hidden in the results.
The behavior of some options can be controlled via the kernel cmd line, for instance:
CONFIG_SLUB_DEBUG_ON | y | my | self_protection | FAIL: "is not set"
CONFIG_X86_VSYSCALL_EMULATION | is not set | clipos | cut_attack_surface | FAIL: "y"
If a user sets slub_debug=FZP and vsyscall=none in the kernel cmd line, I think he would achieve the same behavior. So, kconfig-hardened-check
could check such kernel cmd line options before giving a FAIL.
What do you think about such improvements?
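One way the proposed fallback could work, as an added example that is not the project's own code: the option is checked against the Kconfig first, and only if it fails there is the kernel command line consulted. The option-to-parameter pairs are the two named above; treating them as equivalent is the post's proposal, and the sample config and cmdline are constructed.

```python
import re

# Kconfig option -> (expected value, cmdline parameter, values accepted as equivalent;
# None means any value). The pairing follows the proposal above; it is not verified here.
CMDLINE_EQUIVALENTS = {
    'SLUB_DEBUG_ON': ('y', 'slub_debug', None),
    'X86_VSYSCALL_EMULATION': ('is not set', 'vsyscall', {'none'}),
}

def parse_kconfig(text):
    """Map FOO -> value for CONFIG_FOO=value; '# CONFIG_FOO is not set' maps to 'is not set'."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r'^CONFIG_(\w+)=(.*)$', line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.match(r'^# CONFIG_(\w+) is not set$', line)
        if m:
            opts[m.group(1)] = 'is not set'
    return opts

def parse_cmdline(cmdline):
    """Map parameter -> value ('' for bare flags such as 'quiet'); the last occurrence wins."""
    params = {}
    for token in cmdline.split():
        key, _, value = token.partition('=')
        params[key] = value
    return params

def check_option(name, kconfig, cmdline):
    """Return 'OK', 'OK: cmdline <param>=<value>' or 'FAIL: <reason>' for one option."""
    expected, param, allowed = CMDLINE_EQUIVALENTS[name]
    actual = kconfig.get(name)
    # An option that is absent from the config counts as 'is not set'.
    if actual == expected or (expected == 'is not set' and actual is None):
        return 'OK'
    value = cmdline.get(param)
    if value is not None and (allowed is None or value in allowed):
        return f'OK: cmdline {param}={value}'
    return f'FAIL: "{actual}"' if actual is not None else 'FAIL: not found'

# Constructed sample input: a config that fails both checks, rescued by the cmdline.
SAMPLE_CONFIG = "# CONFIG_SLUB_DEBUG_ON is not set\nCONFIG_X86_VSYSCALL_EMULATION=y\n"
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 slub_debug=FZP vsyscall=none quiet"

if __name__ == '__main__':
    k, c = parse_kconfig(SAMPLE_CONFIG), parse_cmdline(SAMPLE_CMDLINE)
    for opt in CMDLINE_EQUIVALENTS:
        print(f'CONFIG_{opt}: {check_option(opt, k, c)}')
```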
As reported by Phoronix, it's now possible to disable 32-bit support on amd64, to reduce attack surface.
I'd like to request command line options to reduce output to OK/FAIL items only, e.g.
-o, --ok only list items checked as OK
-f, --fail only list items checked as FAIL
This would make it much easier to work through the list of settings when hardening kernel configurations, especially if one only applies few at a time to test their impact.
This tool is great, many thanks!
Hello a13xp0p0v :))
I'm using CentOS 7 and I have a weird problem after kernel compilation. Below is my kernel config with KSPP options enabled.
I have no idea why, after compiling the kernel, modules like for example ext4, xfs and iptables are disabled. I can't log in to the system because the ext4 module is disabled. The only way is to compile it permanently, not as a module. But iptables still doesn't work. Which options are responsible for these "issues"?
Thanks for help :)
As the first step, @BlackIkeEagle made some performance tests and described the results in this article.
The Integrity Measurement Architecture is a subsystem that is responsible for calculating file hashes. This allows greater security. This option would be ideal to be integrated.
Kernel Config -
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_LSM_RULES=y
CONFIG_IMA_NG_TEMPLATE=y
# CONFIG_IMA_SIG_TEMPLATE is not set
CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
CONFIG_IMA_DEFAULT_HASH_SHA512=y
CONFIG_IMA_DEFAULT_HASH="sha512"
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA_READ_POLICY=y
CONFIG_IMA_APPRAISE=y
CONFIG_IMA_ARCH_POLICY=y
CONFIG_IMA_APPRAISE_BUILD_POLICY=y
CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS=y
CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y
CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS=y
CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y
CONFIG_IMA_APPRAISE_BOOTPARAM=y
CONFIG_IMA_APPRAISE_MODSIG=y
CONFIG_IMA_TRUSTED_KEYRING=y
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
CONFIG_IMA_BLACKLIST_KEYRING=y
CONFIG_IMA_LOAD_X509=y
CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
CONFIG_IMA_APPRAISE_SIGNED_INIT is not set (This option breaks memory, do not select)
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
CONFIG_IMA_DISABLE_HTABLE=y
CONFIG_EVM=y
CONFIG_EVM_ATTR_FSUUID=y
CONFIG_EVM_EXTRA_SMACK_XATTRS=y
CONFIG_EVM_ADD_XATTRS=y
CONFIG_EVM_LOAD_X509=y
CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
My system integrates this security
https://sourceforge.net/projects/anti-ransomware/
Thank you very much
https://www.phoronix.com/news/Linux-Randomize-Kmalloc-Cache
Thanks and
Best regards
Hello,
I'm just curious what the status is of implementing KSPP in the default kernel of Linux GNU distributions? Why don't Linux distributions implement most of the KSPP solutions, for example STACKLEAK or GCC hardening? I use most of the KSPP features based on your script, Alexander, and the kernel works like a charm. Can someone explain it to me?
Maybe I'm wrong, but at least with Kernel 5.0 USER_NS is activated by default, so "is not set" or "y" should be equivalent. At the moment, it fails because it is "y" on my configuration.
I know that activating USER_NS can cut the attack surface if it is not needed on a system. But on my system which are running containers, I want to have USER_NS activated. True this is not pure hardening of the Kernel, but if we take into account the whole kernel including the possibilities to use it to make containers, then USER_NS should be part of the whole hardening.
The OptCheck class inheritance now allows implementing this feature.
I have found this tool quite helpful for quickly auditing embedded kernel configs. However, I've been finding that on embedded systems, I often have unique, application-specific security requirements:
I propose moving the config tests currently hard-coded in __init__ into a set of yaml configs that can be included by a top-level config, like this:
# Includes are optional. Recursively walk through them, each test/error will be tagged with the source yaml
# Last included definition for a CONFIG_ is used
includes:
- kspp.yaml
- clipos.yaml
- my.yaml
- soc_a.yaml
# Tests
tests: !!seq [
# Description of test
RANDOMIZE_BASE: {
# Test passes if CONFIG=value
require: value,
# Test passes if config not found, or "is not set"
# require: is not set,
# Optional: only test if other config is set to something
if_config: MODULES,
# Optional: only test specific kernel versions
if_kernel_ver_gt_eq: 5.9,
if_kernel_ver_lt: 5.8,
# Optional: only test specific architectures
if_arch: [X86_64, ARM64, X86_32],
},
# Example: require CONFIG_BUG=y
BUG: {
require: y,
},
]
This would enable the config requirements to be layered, similar to the way kernel defconfigs can be layered (i.e. arch | Android | SoC vendor | device). I have some free time next week to implement this if you're open to it.
I read over the CLIP OS notes regarding this option, and they also mention that they are not currently using it in the second paragraph.
It seems to be that this option isn't actually helpful unless you've already got a usermode helper program?
Just questioning the wisdom of this option as I imagine some people will just enable everything they see here, and may wind up with this pointing at a non-existent binary.
Similar to #30, CONFIG_REFCOUNT_FULL was removed from 5.4.x kernels starting with v5.4.208, because full refcount became always-on, in this commit:
Currently we complain when it is not found, like:
CONFIG_REFCOUNT_FULL |kconfig| y |defconfig | self_protection | FAIL: is not found
I don't know an easier way to find which kernel first included that commit other than:
$ egrep url .git/config
url = https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
$ git tag --contains d0d583484d2ed9f5903edbbfa7e2a68f78b950b0 | head -n2
v5.4.208
v5.4.209
I think the fix is to return OK for 5.4.x where x >= 208.
Except... that's done via VersionCheck in engine.py which, if I'm reading it right, takes only major and minor versions, no third parameter:
class VersionCheck:
    def __init__(self, ver_expected):
        assert(ver_expected and isinstance(ver_expected, tuple) and len(ver_expected) == 2), \
            f'invalid version "{ver_expected}" for VersionCheck'
So that function would have to be made a bit more flexible.
I don't know if other CONFIG_* knobs disappeared / became defaults in the middle of a given major.minor kernel version, but it would not surprise me.
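The more flexible version check sketched above, as an added example rather than the project's engine.py code: the expected version may be a (major, minor) or a (major, minor, patch) tuple, and the detected version is read from the `# Linux/... X.Y.Z Kernel Configuration` header line of a .config (an assumption about the header; the sample configs are constructed). CONFIG_REFCOUNT_FULL is then treated as always-on from 5.5 or from 5.4.208, as the issue states.

```python
import re

# Assumed header format of a .config, e.g. "# Linux/x86 5.4.208 Kernel Configuration".
VERSION_RE = re.compile(r'^# Linux/\S+ (\d+)\.(\d+)(?:\.(\d+))?')

def detect_kernel_version(config_text):
    """Return (major, minor, patch) from the header comment; a missing patch level is 0."""
    for line in config_text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            major, minor, patch = m.groups()
            return (int(major), int(minor), int(patch or 0))
    raise ValueError('kernel version header not found')

class VersionCheck:
    """Passes when the detected kernel is at least ver_expected (2- or 3-tuple)."""
    def __init__(self, ver_expected):
        assert isinstance(ver_expected, tuple) and len(ver_expected) in (2, 3), \
            f'invalid version "{ver_expected}" for VersionCheck'
        self.ver_expected = ver_expected

    def check(self, ver_detected):
        # Tuple comparison is lexicographic, so (5, 4, 208) < (5, 5) and
        # (5, 4, 100) < (5, 4, 208), which is exactly the ordering needed here.
        return ver_detected >= self.ver_expected

def check_refcount_full(config_text):
    """Return 'OK' or 'FAIL: not found' for CONFIG_REFCOUNT_FULL.

    Always-on (and therefore absent) on 5.5+ and on 5.4.x with x >= 208; on older
    kernels the option must still be present as =y.
    """
    ver = detect_kernel_version(config_text)
    always_on = VersionCheck((5, 5)).check(ver) or VersionCheck((5, 4, 208)).check(ver)
    if always_on:
        return 'OK'
    if re.search(r'^CONFIG_REFCOUNT_FULL=y$', config_text, re.M):
        return 'OK'
    return 'FAIL: not found'

# Constructed sample configs (headers only need the version line).
SAMPLE_OLD = "# Linux/x86 5.4.100 Kernel Configuration\nCONFIG_REFCOUNT_FULL=y\n"
SAMPLE_OLD_MISSING = "# Linux/x86 5.4.100 Kernel Configuration\nCONFIG_SLUB=y\n"
SAMPLE_STABLE = "# Linux/x86 5.4.208 Kernel Configuration\nCONFIG_SLUB=y\n"
SAMPLE_NEW = "# Linux/x86 5.10.0 Kernel Configuration\nCONFIG_SLUB=y\n"

if __name__ == '__main__':
    for cfg in (SAMPLE_OLD, SAMPLE_OLD_MISSING, SAMPLE_STABLE, SAMPLE_NEW):
        print(detect_kernel_version(cfg), check_refcount_full(cfg))
```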
Discussion with Dmitry Yukov on Twitter:
CONFIG_DRM_LEGACY: Really old drivers from the 90s, with unfixable by design security holes. Unfortunately userspace for one modern driver (drm/nouveau) has used it until just a few years ago by accident (we didn't delete all the old legacy driver setup code), so we can't remove it all completely yet from the kernel sources.
CONFIG_FB: Old display subsystem from the 90s, essentially unmaintained for over 10 years, would need serious effort to get up to speed with modern security best practices. This even includes the minimal fbdev emulation support built on top of drm gpu drivers, since the issues are in core fbdev code.
CONFIG_VT: Maybe the most disputed of all, but a lot of the console drivers this exposes to userspace are also from the 90s, and without CONFIG_FB this isn't really useful even for a desktop. A hardened distro definitely wants to make sure this is not set at all.