a13xp0p0v
commented
11 months ago Thanks @jvoisin,
This will be added in the next release of kernel-hardening-checker.
Closed jvoisin closed 8 months ago
a13xp0p0v
commented
11 months ago Thanks @jvoisin,
This will be added in the next release of kernel-hardening-checker.
a13xp0p0v
commented
11 months ago Hello @jvoisin,
The ia32_emulation boot param was introduced in Linux v6.7.
I'm currently preparing the kernel-hardening-checker release corresponding to the kernel v6.6.
So this boot option and IA32_EMULATION_DEFAULT_DISABLED will be added in the next release.
Thanks!
a13xp0p0v
commented
8 months ago Hello @jvoisin and @winterknife,
The ia32_emulation check is added: https://github.com/a13xp0p0v/kernel-hardening-checker/commit/98ccb216ebc61a231207830f0b6b37c8133d0d48
It's not simple:
if arch == 'X86_64':
l += [OR(CmdlineCheck('cut_attack_surface', 'my', 'ia32_emulation', '0'),
KconfigCheck('cut_attack_surface', 'kspp', 'IA32_EMULATION', 'is not set'),
AND(KconfigCheck('cut_attack_surface', 'my', 'IA32_EMULATION_DEFAULT_DISABLED', 'y'),
CmdlineCheck('cut_attack_surface', 'my', 'ia32_emulation', 'is not set')))]Let's see how it works in the verbose mode:
1) If IA32_EMULATION is disabled, the check gives OK: CONFIG_IA32_EMULATION is "is not set":
-------------------------------------------------------------------------------------------------------------------------
<<< OR >>> | OK: CONFIG_IA32_EMULATION is "is not set"
ia32_emulation |cmdline| 0 | my |cut_attack_surface| FAIL: is not found
CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_attack_surface| OK
<<< AND >>> | None
CONFIG_IA32_EMULATION_DEFAULT_DISABLED |kconfig| y | my |cut_attack_surface| None
ia32_emulation |cmdline| is not set | my |cut_attack_surface| None
-------------------------------------------------------------------------------------------------------------------------2) If we enable IA32_EMULATION and don't set IA32_EMULATION_DEFAULT_DISABLED and ia32_emulation, the check gives FAIL:
-------------------------------------------------------------------------------------------------------------------------
<<< OR >>> | FAIL: is not found
ia32_emulation |cmdline| 0 | my |cut_attack_surface| FAIL: is not found
CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
<<< AND >>> | FAIL: "is not set"
CONFIG_IA32_EMULATION_DEFAULT_DISABLED |kconfig| y | my |cut_attack_surface| FAIL: "is not set"
ia32_emulation |cmdline| is not set | my |cut_attack_surface| OK: is not found
-------------------------------------------------------------------------------------------------------------------------3) If we then enable IA32_EMULATION_DEFAULT_DISABLED, the check gives OK: CONFIG_IA32_EMULATION_DEFAULT_DISABLED is "y":
-------------------------------------------------------------------------------------------------------------------------
<<< OR >>> | OK: CONFIG_IA32_EMULATION_DEFAULT_DISABLED is "y"
ia32_emulation |cmdline| 0 | my |cut_attack_surface| FAIL: is not found
CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
<<< AND >>> | OK
CONFIG_IA32_EMULATION_DEFAULT_DISABLED |kconfig| y | my |cut_attack_surface| OK
ia32_emulation |cmdline| is not set | my |cut_attack_surface| OK: is not found
-------------------------------------------------------------------------------------------------------------------------4) But if we then enable ia32_emulation, it overrides the IA32_EMULATION_DEFAULT_DISABLED option and the check gives FAIL: "1":
-------------------------------------------------------------------------------------------------------------------------
<<< OR >>> | FAIL: "1"
ia32_emulation |cmdline| 0 | my |cut_attack_surface| FAIL: "1"
CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_attack_surface| FAIL: "y"
<<< AND >>> | FAIL: ia32_emulation is not "is not set"
CONFIG_IA32_EMULATION_DEFAULT_DISABLED |kconfig| y | my |cut_attack_surface| None
ia32_emulation |cmdline| is not set | my |cut_attack_surface| FAIL: "1"
-------------------------------------------------------------------------------------------------------------------------5) Finally, setting ia32_emulation=0 gives OK:
-------------------------------------------------------------------------------------------------------------------------
<<< OR >>> | OK
ia32_emulation |cmdline| 0 | my |cut_attack_surface| OK
CONFIG_IA32_EMULATION |kconfig| is not set | kspp |cut_attack_surface| None
<<< AND >>> | None
CONFIG_IA32_EMULATION_DEFAULT_DISABLED |kconfig| y | my |cut_attack_surface| None
ia32_emulation |cmdline| is not set | my |cut_attack_surface| None
-------------------------------------------------------------------------------------------------------------------------Please comment if you see anything wrong.
winterknife
commented
8 months ago Ah, I wasn't aware of CONFIG_IA32_EMULATION_DEFAULT_DISABLED but yes, that logic seems sound to me.
jvoisin
commented
8 months ago Why can't we have nice and straightforward things, sigh.
But yes, it does look good to me.
As reported by phoronix, it's now possible to disable 32b support on amd64, to reduce attack surface.