Breakup hardenDefconfig for readbility and debugging purposes

Signed-off-by: Tad <tad@spotco.us>
2024-10-01 01:35:54 -04:00 · 2021-08-13 22:40:12 -04:00 · 2021-08-13 22:40:12 -04:00 · 441a66bbb0
commit 441a66bbb0
parent 79132fddef
1 changed files with 104 additions and 7 deletions
--- a/Scripts/Common/Functions.sh
+++ b/Scripts/Common/Functions.sh
@ -663,12 +663,109 @@ hardenDefconfig() {
 	local defconfigPath=$(getDefconfig)

 	#Enable supported options
+	#Linux <3.0
+	declare -a optionsYes=("BUG" "DEBUG_CREDENTIALS" "DEBUG_KERNEL" "DEBUG_LIST" "DEBUG_NOTIFIERS" "DEBUG_RODATA" "DEBUG_SET_MODULE_RONX" "DEBUG_VIRTUAL" "IPV6_PRIVACY" "SECCOMP" "SECURITY" "SECURITY_DMESG_RESTRICT" "SLUB_DEBUG" "STRICT_DEVMEM" "SYN_COOKIES");
 	#Disabled: DEBUG_SG (bootloops - https://patchwork.kernel.org/patch/8989981)
-	declare -a optionsYes=("ARM64_PTR_AUTH" "ARM64_SW_TTBR0_PAN" "ARM64_UAO" "ASYMMETRIC_KEY_TYPE" "ASYMMETRIC_PUBLIC_KEY_SUBTYPE" "BUG" "BUG_ON_DATA_CORRUPTION" "CC_STACKPROTECTOR" "CC_STACKPROTECTOR_STRONG" "CPU_SW_DOMAIN_PAN" "DEBUG_CREDENTIALS" "DEBUG_KERNEL" "DEBUG_LIST" "DEBUG_NOTIFIERS" "DEBUG_RODATA" "DEBUG_SET_MODULE_RONX" "DEBUG_VIRTUAL" "DEBUG_WX" "FORTIFY_SOURCE" "HARDEN_BRANCH_PREDICTOR" "HARDENED_USERCOPY" "HARDEN_EL2_VECTORS" "INIT_ON_ALLOC_DEFAULT_ON" "INIT_ON_FREE_DEFAULT_ON" "INIT_STACK_ALL" "INIT_STACK_ALL_ZERO" "IO_STRICT_DEVMEM" "IPV6_PRIVACY" "KAISER" "KGSL_PER_PROCESS_PAGE_TABLE" "LEGACY_VSYSCALL_NONE" "MMC_SECDISCARD" "PAGE_POISONING" "PAGE_POISONING_NO_SANITY" "PAGE_POISONING_ZERO" "PAGE_TABLE_ISOLATION" "PANIC_ON_OOPS" "PKCS7_MESSAGE_PARSER" "RANDOMIZE_BASE" "RANDOMIZE_MEMORY" "REFCOUNT_FULL" "RETPOLINE" "RODATA_FULL_DEFAULT_ENABLED" "SCHED_STACK_END_CHECK" "SECCOMP" "SECCOMP_FILTER" "SECURITY" "SECURITY_DMESG_RESTRICT" "SECURITY_PERF_EVENTS_RESTRICT" "SECURITY_YAMA" "SECURITY_YAMA_STACKED" "SHUFFLE_PAGE_ALLOCATOR" "SLAB_FREELIST_HARDENED" "SLAB_FREELIST_RANDOM" "SLAB_HARDENED" "SLUB_DEBUG" "SLUB_HARDENED" "STACKPROTECTOR" "STACKPROTECTOR_PER_TASK" "STACKPROTECTOR_STRONG" "STRICT_DEVMEM" "STRICT_KERNEL_RWX" "STRICT_MEMORY_RWX" "STRICT_MODULE_RWX" "SYN_COOKIES" "SYSTEM_TRUSTED_KEYRING" "THREAD_INFO_IN_TASK" "UNMAP_KERNEL_AT_EL0" "VMAP_STACK" "X509_CERTIFICATE_PARSER");
-	#optionsYes+="GCC_PLUGINS" "GCC_PLUGIN_LATENT_ENTROPY" "GCC_PLUGIN_RANDSTRUCT" "GCC_PLUGIN_STRUCTLEAK" "GCC_PLUGIN_STRUCTLEAK_BYREF_ALL");
-	optionsYes+=("PAGE_SANITIZE" "PAGE_SANITIZE_VERIFY" "SLAB_CANARY" "SLAB_SANITIZE" "SLAB_SANITIZE_VERIFY");
+
+	#Linux 3.4
+	optionsYes+=("SECURITY_YAMA");
+
+	#Linux 3.5
+	optionsYes+=("PANIC_ON_OOPS" "SECCOMP_FILTER");
+
+	#Linux 3.7
+	optionsYes+=("ASYMMETRIC_PUBLIC_KEY_SUBTYPE" "SECURITY_YAMA_STACKED" "X509_CERTIFICATE_PARSER");
+
+	#Linux 3.13
+	optionsYes+=("SYSTEM_TRUSTED_KEYRING");
+
+	#Linux 3.14
+	optionsYes+=("CC_STACKPROTECTOR" "CC_STACKPROTECTOR_STRONG");
+
+	#Linux 3.17
+	optionsYes+=("PKCS7_MESSAGE_PARSER");
+
+	#Linux 3.18
+	optionsYes+=("HARDENED_USERCOPY" "SCHED_STACK_END_CHECK");
+
+	#Linux 4.3
+	optionsYes+=("ARM64_PAN" "CPU_SW_DOMAIN_PAN");
+
+	#Linux 4.4
+	optionsYes+=("LEGACY_VSYSCALL_NONE");
+
+	#Linux 4.5
+	optionsYes+=("IO_STRICT_DEVMEM");
+
+	#Linux 4.6
+	optionsYes+=("ARM64_UAO" "PAGE_POISONING" "PAGE_POISONING_NO_SANITY");
+
+	#Linux 4.7
+	optionsYes+=("ASYMMETRIC_KEY_TYPE" "RANDOMIZE_BASE" "SLAB_FREELIST_RANDOM");
+
+	#Linux 4.8
+	optionsYes+=("RANDOMIZE_MEMORY");
+
+	#Linux 4.9
+	optionsYes+=("THREAD_INFO_IN_TASK" "VMAP_STACK");
+
+	#Linux 4.10
+	optionsYes+=("ARM64_SW_TTBR0_PAN" "BUG_ON_DATA_CORRUPTION");
+
+	#Linux 4.11
+	optionsYes+=("STRICT_KERNEL_RWX" "STRICT_MODULE_RWX");
+
+	#Linux 4.13
+	optionsYes+=("FORTIFY_SOURCE" "REFCOUNT_FULL");
+
+	#Linux 4.14
+	optionsYes+=("SLAB_FREELIST_HARDENED");
+
+	#Linux 4.15
+	optionsYes+=("PAGE_TABLE_ISOLATION" "RETPOLINE");
+
+	#Linux 4.16
+	optionsYes+=("UNMAP_KERNEL_AT_EL0");
+
+	#Linux 4.17
+	optionsYes+=("HARDEN_EL2_VECTORS");
+
+	#Linux 4.18
+	optionsYes+=("HARDEN_BRANCH_PREDICTOR" "STACKPROTECTOR" "STACKPROTECTOR_STRONG");
+
+	#Linux 4.19
+	optionsYes+=("PAGE_POISONING_ZERO");
+
+	#Linux 5.0
+	optionsYes+=("ARM64_PTR_AUTH" "RODATA_FULL_DEFAULT_ENABLED" "STACKPROTECTOR_PER_TASK");
+
+	#Linux 5.2
+	optionsYes+=("INIT_STACK_ALL" "SHUFFLE_PAGE_ALLOCATOR");
+
+	#Linux 5.3
+	optionsYes+=("INIT_ON_ALLOC_DEFAULT_ON" "INIT_ON_FREE_DEFAULT_ON");
+
+	#Linux 5.8
+	optionsYes+=("ARM64_BTI_KERNEL" "DEBUG_WX");
+
+	#Linux 5.9
+	optionsYes+=("INIT_STACK_ALL_ZERO");
+
+	#GCC Plugins - 4.19								- 5.2
+	#optionsYes+=("GCC_PLUGINS" "GCC_PLUGIN_LATENT_ENTROPY" "GCC_PLUGIN_RANDSTRUCT" "GCC_PLUGIN_STRUCTLEAK" "GCC_PLUGIN_STRUCTLEAK_BYREF_ALL");
+
+	#GrapheneOS Patches
+	optionsYes+=("PAGE_SANITIZE" "PAGE_SANITIZE_VERIFY" "SLAB_CANARY" "SLAB_HARDENED" "SLAB_SANITIZE" "SLAB_SANITIZE_VERIFY");
+
+	#out of tree or renamed or removed ?
+	optionsYes+=("KAISER" "KGSL_PER_PROCESS_PAGE_TABLE" "MMC_SECDISCARD" "SECURITY_PERF_EVENTS_RESTRICT" "SLUB_HARDENED" "STRICT_MEMORY_RWX");
+
+	#Time hardware
 	#if [ "$DOS_DEBLOBBER_REPLACE_TIME" = true ]; then optionsYes+=("RTC_DRV_MSM" "RTC_DRV_PM8XXX" "RTC_DRV_MSM7X00A" "RTC_DRV_QPNP"); fi;
-	optionsYes+=("HID_GENERIC" "HID_STEAM" "HID_SONY" "HID_WIIMOTE" "INPUT_JOYSTICK" "JOYSTICK_XPAD" "USB_USBNET" "USB_NET_CDCETHER"); #XXX: This needs a better home
+
+	#Hardware enablement #XXX: This needs a better home
+	optionsYes+=("HID_GENERIC" "HID_STEAM" "HID_SONY" "HID_WIIMOTE" "INPUT_JOYSTICK" "JOYSTICK_XPAD" "USB_USBNET" "USB_NET_CDCETHER");
+
 	for option in "${optionsYes[@]}"
 	do
 		sed -i 's/# '"CONFIG_$option"' is not set/'"CONFIG_$option"'=y/' $defconfigPath &>/dev/null || true;
@ -682,12 +779,11 @@ hardenDefconfig() {
 	#Disable supported options
 	#Disabled: MSM_SMP2P_TEST, MAGIC_SYSRQ (breaks compile), KALLSYMS (breaks boot on select devices), IKCONFIG (breaks recovery), MSM_DLOAD_MODE (breaks compile)
 	declare -a optionsNo=("ACPI_APEI_EINJ" "ACPI_CUSTOM_METHOD" "ACPI_TABLE_UPGRADE" "BINFMT_AOUT" "BINFMT_MISC" "BT_HS" "CHECKPOINT_RESTORE" "COMPAT_BRK" "COMPAT_VDSO" "CP_ACCESS64" "DEBUG_KMEMLEAK" "DEVKMEM" "DEVMEM" "DEVPORT" "EARJACK_DEBUGGER" "GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" "HARDENED_USERCOPY_FALLBACK" "HIBERNATION" "HWPOISON_INJECT" "IA32_EMULATION" "IOMMU_NON_SECURE" "INPUT_EVBUG" "IO_URING" "IP_DCCP" "IP_SCTP" "KEXEC" "KEXEC_FILE" "KSM" "LDISC_AUTOLOAD" "LEGACY_PTYS" "LIVEPATCH" "MEM_SOFT_DIRTY" "MMIOTRACE" "MMIOTRACE_TEST" "MODIFY_LDT_SYSCALL" "MSM_BUSPM_DEV" "NEEDS_SYSCALL_FOR_CMPXCHG" "NOTIFIER_ERROR_INJECTION" "OABI_COMPAT" "PAGE_OWNER" "PROC_KCORE" "PROC_PAGE_MONITOR" "PROC_VMCORE" "RDS" "RDS_TCP" "SECURITY_SELINUX_DISABLE" "SECURITY_WRITABLE_HOOKS" "SLAB_MERGE_DEFAULT" "STACKLEAK_METRICS" "STACKLEAK_RUNTIME_DISABLE" "TIMER_STATS" "TSC" "TSPP2" "UKSM" "UPROBES" "USELIB" "USERFAULTFD" "VIDEO_VIVID" "WLAN_FEATURE_MEMDUMP" "X86_IOPL_IOPERM" "X86_PTDUMP" "X86_VSYSCALL_EMULATION" "ZSMALLOC_STAT");
-	#if [[ "$1" != *"kernel/htc/msm8994"* ]] && [[ "$1" != *"kernel/samsung/smdk4412"* ]] && [[ "$1" != *"kernel/htc/flounder"* ]] && [[ "$1" != *"kernel/amazon/hdx-common"* ]] && [[ "$1" != *"msm899"* ]] && [[ "$1" != *"sdm8"* ]] && [[ "$1" != *"sdm6"* ]]; then
-		#optionsNo+=("DIAG_CHAR" "DIAG_OVER_USB" "USB_QCOM_DIAG_BRIDGE" "DIAGFWD_BRIDGE_CODE" "DIAG_SDIO_PIPE" "DIAG_HSIC_PIPE");
-	#fi;
+
 	if [ "$DOS_DEBLOBBER_REMOVE_IPA" = true ]; then optionsNo+=("IPA" "RMNET_IPA"); fi;
 	optionsNo+=("WIREGUARD"); #Requires root access, which we do not provide
 	#optionsNo+=("LTO_CLANG"); #Can easily require 64GB of RAM on host system to compile
+
 	for option in "${optionsNo[@]}"
 	do
 		sed -i 's/'"CONFIG_$option"'=y/# '"CONFIG_$option"' is not set/' $defconfigPath &>/dev/null || true;
@ -699,6 +795,7 @@ hardenDefconfig() {
 			fi;
 		fi;
 	done
+
 	#Extras
 	sed -i 's/CONFIG_ARCH_MMAP_RND_BITS=8/CONFIG_ARCH_MMAP_RND_BITS=16/' $defconfigPath &>/dev/null || true;
 	sed -i 's/CONFIG_ARCH_MMAP_RND_BITS=18/CONFIG_ARCH_MMAP_RND_BITS=24/' $defconfigPath &>/dev/null || true;