Comments (5)
a13xp0p0v
commented on July 21, 2024
1
Thanks @jvoisin,
This will be added in the next release of kernel-hardening-checker.
from kernel-hardening-checker.
a13xp0p0v
commented on July 21, 2024
1
Hello @jvoisin,
The ia32_emulation boot param was introduced in Linux v6.7.
I'm currently preparing the kernel-hardening-checker release corresponding to the kernel v6.6.
So this boot option and IA32_EMULATION_DEFAULT_DISABLED will be added in the next release.
Thanks!
from kernel-hardening-checker.
a13xp0p0v
commented on July 21, 2024
1
Hello @jvoisin and @winterknife,
The ia32_emulation check is added: 98ccb21
It's not simple:
if arch == 'X86_64':
l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'ia32_emulation', '0'),
KconfigCheck('cut_attack_surface', 'kspp', 'IA32_EMULATION', 'is not set'),
AND(KconfigCheck('cut_attack_surface', 'my', 'IA32_EMULATION_DEFAULT_DISABLED', 'y'),
CmdlineCheck('cut_attack_surface', 'my', 'ia32_emulation', 'is not set')))]
Let's see how it works in the verbose mode:
- If
IA32_EMULATIONis disabled, the check givesOK: CONFIG_IA32_EMULATION is "is not set":
-------------------------------------------------------------------------------------------------------------------------
<<< OR >>> | OK: CONFIG_IA32_EMULATION is "is not set"
ia32_emulation |cmdline| 0 | my |cut_attack_surface| FAIL: is not found
CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_attack_surface| OK
<<< AND >>> | None
CONFIG_IA32_EMULATION_DEFAULT_DISABLED |kconfig| y | my |cut_attack_surface| None
ia32_emulation |cmdline| is not set | my |cut_attack_surface| None
-------------------------------------------------------------------------------------------------------------------------
- If we enable
IA32_EMULATIONand don't setIA32_EMULATION_DEFAULT_DISABLEDandia32_emulation, the check givesFAIL:
-------------------------------------------------------------------------------------------------------------------------
<<< OR >>> | FAIL: is not found
ia32_emulation |cmdline| 0 | my |cut_attack_surface| FAIL: is not found
CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
<<< AND >>> | FAIL: "is not set"
CONFIG_IA32_EMULATION_DEFAULT_DISABLED |kconfig| y | my |cut_attack_surface| FAIL: "is not set"
ia32_emulation |cmdline| is not set | my |cut_attack_surface| OK: is not found
-------------------------------------------------------------------------------------------------------------------------
- If we then enable
IA32_EMULATION_DEFAULT_DISABLED, the check givesOK: CONFIG_IA32_EMULATION_DEFAULT_DISABLED is "y":
-------------------------------------------------------------------------------------------------------------------------
<<< OR >>> | OK: CONFIG_IA32_EMULATION_DEFAULT_DISABLED is "y"
ia32_emulation |cmdline| 0 | my |cut_attack_surface| FAIL: is not found
CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
<<< AND >>> | OK
CONFIG_IA32_EMULATION_DEFAULT_DISABLED |kconfig| y | my |cut_attack_surface| OK
ia32_emulation |cmdline| is not set | my |cut_attack_surface| OK: is not found
-------------------------------------------------------------------------------------------------------------------------
- But if we then enable
ia32_emulation, it overrides theIA32_EMULATION_DEFAULT_DISABLEDoption and the check givesFAIL: "1":
-------------------------------------------------------------------------------------------------------------------------
<<< OR >>> | FAIL: "1"
ia32_emulation |cmdline| 0 | my |cut_attack_surface| FAIL: "1"
CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
<<< AND >>> | FAIL: ia32_emulation is not "is not set"
CONFIG_IA32_EMULATION_DEFAULT_DISABLED |kconfig| y | my |cut_attack_surface| None
ia32_emulation |cmdline| is not set | my |cut_attack_surface| FAIL: "1"
-------------------------------------------------------------------------------------------------------------------------
- Finally, setting
ia32_emulation=0givesOK:
-------------------------------------------------------------------------------------------------------------------------
<<< OR >>> | OK
ia32_emulation |cmdline| 0 | my |cut_attack_surface| OK
CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_attack_surface| None
<<< AND >>> | None
CONFIG_IA32_EMULATION_DEFAULT_DISABLED |kconfig| y | my |cut_attack_surface| None
ia32_emulation |cmdline| is not set | my |cut_attack_surface| None
-------------------------------------------------------------------------------------------------------------------------
Please comment if you see anything wrong.
from kernel-hardening-checker.
winterknife
commented on July 21, 2024
Ah, I wasn't aware of CONFIG_IA32_EMULATION_DEFAULT_DISABLED but yes, that logic seems sound to me.
from kernel-hardening-checker.
jvoisin
commented on July 21, 2024
Why can't we have nice and straightforward things, sigh.
But yes, it does look good to me.
from kernel-hardening-checker.
Related Issues (20)
- CONFIG_COMPAT_VDSO has a completely different meaning for arm64 and recommending disabling it doesn't make sense there HOT 3
- CONFIG_ARCH_MMAP_RND_BITS check is wrong for arm64 HOT 3
- drop check for dependency-only CONFIG_GCC_PLUGINS due to Clang HOT 3
- add disabling CONFIG_AIO (legacy POSIX AIO) as a recommendation HOT 1
- add check for CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x0 too HOT 4
- add check for UNWIND_PATCH_PAC_INTO_SCS, which reduces security compared to using both PAC + SCS HOT 4
- Minimal kernel version ? HOT 1
- New CONFIG_MODULE_SIG_SHA3_512 option in kernel 6.7 HOT 1
- Better json output HOT 4
- Add io_uring_disabled sysctl to disable/limit io_uring creation
- Reducing Kernel Symbols on File System by Disabling CONFIG_VMLINUX_MAP and CONFIG_DEBUG_KERNEL HOT 2
- Kernel Debug Metadata Access with CONFIG_DYNAMIC_DEBUG HOT 3
- Add ia32_emulation kernel cmdline parameter to disable 32-bit emulation support on 64-bit x86 CPUs HOT 1
- Suggestions for kernel-hardening-checker HOT 3
- new make hardening.config available HOT 2
- Check for module force loading? HOT 1
- new tag? HOT 2
- Get rid of CONFIG_DEBUG_CREDENTIALS HOT 3
- skip CONFIG_SCHED_STACK_END_CHECK requirement when CONFIG_VMAP_STACK is set HOT 2
- skip CONFIG_DEBUG_NOTIFIERS requirement when CONFIG_CFI_CLANG is set with CONFIG_CFI_PERMISSIVE disabled HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kernel-hardening-checker.