diff --git a/Scripts/Common/Functions.sh b/Scripts/Common/Functions.sh index cff0ddae..7baad2f6 100644 --- a/Scripts/Common/Functions.sh +++ b/Scripts/Common/Functions.sh @@ -663,12 +663,109 @@ hardenDefconfig() { local defconfigPath=$(getDefconfig) #Enable supported options + #Linux <3.0 + declare -a optionsYes=("BUG" "DEBUG_CREDENTIALS" "DEBUG_KERNEL" "DEBUG_LIST" "DEBUG_NOTIFIERS" "DEBUG_RODATA" "DEBUG_SET_MODULE_RONX" "DEBUG_VIRTUAL" "IPV6_PRIVACY" "SECCOMP" "SECURITY" "SECURITY_DMESG_RESTRICT" "SLUB_DEBUG" "STRICT_DEVMEM" "SYN_COOKIES"); #Disabled: DEBUG_SG (bootloops - https://patchwork.kernel.org/patch/8989981) - declare -a optionsYes=("ARM64_PTR_AUTH" "ARM64_SW_TTBR0_PAN" "ARM64_UAO" "ASYMMETRIC_KEY_TYPE" "ASYMMETRIC_PUBLIC_KEY_SUBTYPE" "BUG" "BUG_ON_DATA_CORRUPTION" "CC_STACKPROTECTOR" "CC_STACKPROTECTOR_STRONG" "CPU_SW_DOMAIN_PAN" "DEBUG_CREDENTIALS" "DEBUG_KERNEL" "DEBUG_LIST" "DEBUG_NOTIFIERS" "DEBUG_RODATA" "DEBUG_SET_MODULE_RONX" "DEBUG_VIRTUAL" "DEBUG_WX" "FORTIFY_SOURCE" "HARDEN_BRANCH_PREDICTOR" "HARDENED_USERCOPY" "HARDEN_EL2_VECTORS" "INIT_ON_ALLOC_DEFAULT_ON" "INIT_ON_FREE_DEFAULT_ON" "INIT_STACK_ALL" "INIT_STACK_ALL_ZERO" "IO_STRICT_DEVMEM" "IPV6_PRIVACY" "KAISER" "KGSL_PER_PROCESS_PAGE_TABLE" "LEGACY_VSYSCALL_NONE" "MMC_SECDISCARD" "PAGE_POISONING" "PAGE_POISONING_NO_SANITY" "PAGE_POISONING_ZERO" "PAGE_TABLE_ISOLATION" "PANIC_ON_OOPS" "PKCS7_MESSAGE_PARSER" "RANDOMIZE_BASE" "RANDOMIZE_MEMORY" "REFCOUNT_FULL" "RETPOLINE" "RODATA_FULL_DEFAULT_ENABLED" "SCHED_STACK_END_CHECK" "SECCOMP" "SECCOMP_FILTER" "SECURITY" "SECURITY_DMESG_RESTRICT" "SECURITY_PERF_EVENTS_RESTRICT" "SECURITY_YAMA" "SECURITY_YAMA_STACKED" "SHUFFLE_PAGE_ALLOCATOR" "SLAB_FREELIST_HARDENED" "SLAB_FREELIST_RANDOM" "SLAB_HARDENED" "SLUB_DEBUG" "SLUB_HARDENED" "STACKPROTECTOR" "STACKPROTECTOR_PER_TASK" "STACKPROTECTOR_STRONG" "STRICT_DEVMEM" "STRICT_KERNEL_RWX" "STRICT_MEMORY_RWX" "STRICT_MODULE_RWX" "SYN_COOKIES" "SYSTEM_TRUSTED_KEYRING" "THREAD_INFO_IN_TASK" "UNMAP_KERNEL_AT_EL0" "VMAP_STACK" "X509_CERTIFICATE_PARSER"); - #optionsYes+="GCC_PLUGINS" "GCC_PLUGIN_LATENT_ENTROPY" "GCC_PLUGIN_RANDSTRUCT" "GCC_PLUGIN_STRUCTLEAK" "GCC_PLUGIN_STRUCTLEAK_BYREF_ALL"); - optionsYes+=("PAGE_SANITIZE" "PAGE_SANITIZE_VERIFY" "SLAB_CANARY" "SLAB_SANITIZE" "SLAB_SANITIZE_VERIFY"); + + #Linux 3.4 + optionsYes+=("SECURITY_YAMA"); + + #Linux 3.5 + optionsYes+=("PANIC_ON_OOPS" "SECCOMP_FILTER"); + + #Linux 3.7 + optionsYes+=("ASYMMETRIC_PUBLIC_KEY_SUBTYPE" "SECURITY_YAMA_STACKED" "X509_CERTIFICATE_PARSER"); + + #Linux 3.13 + optionsYes+=("SYSTEM_TRUSTED_KEYRING"); + + #Linux 3.14 + optionsYes+=("CC_STACKPROTECTOR" "CC_STACKPROTECTOR_STRONG"); + + #Linux 3.17 + optionsYes+=("PKCS7_MESSAGE_PARSER"); + + #Linux 3.18 + optionsYes+=("HARDENED_USERCOPY" "SCHED_STACK_END_CHECK"); + + #Linux 4.3 + optionsYes+=("ARM64_PAN" "CPU_SW_DOMAIN_PAN"); + + #Linux 4.4 + optionsYes+=("LEGACY_VSYSCALL_NONE"); + + #Linux 4.5 + optionsYes+=("IO_STRICT_DEVMEM"); + + #Linux 4.6 + optionsYes+=("ARM64_UAO" "PAGE_POISONING" "PAGE_POISONING_NO_SANITY"); + + #Linux 4.7 + optionsYes+=("ASYMMETRIC_KEY_TYPE" "RANDOMIZE_BASE" "SLAB_FREELIST_RANDOM"); + + #Linux 4.8 + optionsYes+=("RANDOMIZE_MEMORY"); + + #Linux 4.9 + optionsYes+=("THREAD_INFO_IN_TASK" "VMAP_STACK"); + + #Linux 4.10 + optionsYes+=("ARM64_SW_TTBR0_PAN" "BUG_ON_DATA_CORRUPTION"); + + #Linux 4.11 + optionsYes+=("STRICT_KERNEL_RWX" "STRICT_MODULE_RWX"); + + #Linux 4.13 + optionsYes+=("FORTIFY_SOURCE" "REFCOUNT_FULL"); + + #Linux 4.14 + optionsYes+=("SLAB_FREELIST_HARDENED"); + + #Linux 4.15 + optionsYes+=("PAGE_TABLE_ISOLATION" "RETPOLINE"); + + #Linux 4.16 + optionsYes+=("UNMAP_KERNEL_AT_EL0"); + + #Linux 4.17 + optionsYes+=("HARDEN_EL2_VECTORS"); + + #Linux 4.18 + optionsYes+=("HARDEN_BRANCH_PREDICTOR" "STACKPROTECTOR" "STACKPROTECTOR_STRONG"); + + #Linux 4.19 + optionsYes+=("PAGE_POISONING_ZERO"); + + #Linux 5.0 + optionsYes+=("ARM64_PTR_AUTH" "RODATA_FULL_DEFAULT_ENABLED" "STACKPROTECTOR_PER_TASK"); + + #Linux 5.2 + optionsYes+=("INIT_STACK_ALL" "SHUFFLE_PAGE_ALLOCATOR"); + + #Linux 5.3 + optionsYes+=("INIT_ON_ALLOC_DEFAULT_ON" "INIT_ON_FREE_DEFAULT_ON"); + + #Linux 5.8 + optionsYes+=("ARM64_BTI_KERNEL" "DEBUG_WX"); + + #Linux 5.9 + optionsYes+=("INIT_STACK_ALL_ZERO"); + + #GCC Plugins - 4.19 - 5.2 + #optionsYes+=("GCC_PLUGINS" "GCC_PLUGIN_LATENT_ENTROPY" "GCC_PLUGIN_RANDSTRUCT" "GCC_PLUGIN_STRUCTLEAK" "GCC_PLUGIN_STRUCTLEAK_BYREF_ALL"); + + #GrapheneOS Patches + optionsYes+=("PAGE_SANITIZE" "PAGE_SANITIZE_VERIFY" "SLAB_CANARY" "SLAB_HARDENED" "SLAB_SANITIZE" "SLAB_SANITIZE_VERIFY"); + + #out of tree or renamed or removed ? + optionsYes+=("KAISER" "KGSL_PER_PROCESS_PAGE_TABLE" "MMC_SECDISCARD" "SECURITY_PERF_EVENTS_RESTRICT" "SLUB_HARDENED" "STRICT_MEMORY_RWX"); + + #Time hardware #if [ "$DOS_DEBLOBBER_REPLACE_TIME" = true ]; then optionsYes+=("RTC_DRV_MSM" "RTC_DRV_PM8XXX" "RTC_DRV_MSM7X00A" "RTC_DRV_QPNP"); fi; - optionsYes+=("HID_GENERIC" "HID_STEAM" "HID_SONY" "HID_WIIMOTE" "INPUT_JOYSTICK" "JOYSTICK_XPAD" "USB_USBNET" "USB_NET_CDCETHER"); #XXX: This needs a better home + + #Hardware enablement #XXX: This needs a better home + optionsYes+=("HID_GENERIC" "HID_STEAM" "HID_SONY" "HID_WIIMOTE" "INPUT_JOYSTICK" "JOYSTICK_XPAD" "USB_USBNET" "USB_NET_CDCETHER"); + for option in "${optionsYes[@]}" do sed -i 's/# '"CONFIG_$option"' is not set/'"CONFIG_$option"'=y/' $defconfigPath &>/dev/null || true; @@ -682,12 +779,11 @@ hardenDefconfig() { #Disable supported options #Disabled: MSM_SMP2P_TEST, MAGIC_SYSRQ (breaks compile), KALLSYMS (breaks boot on select devices), IKCONFIG (breaks recovery), MSM_DLOAD_MODE (breaks compile) declare -a optionsNo=("ACPI_APEI_EINJ" "ACPI_CUSTOM_METHOD" "ACPI_TABLE_UPGRADE" "BINFMT_AOUT" "BINFMT_MISC" "BT_HS" "CHECKPOINT_RESTORE" "COMPAT_BRK" "COMPAT_VDSO" "CP_ACCESS64" "DEBUG_KMEMLEAK" "DEVKMEM" "DEVMEM" "DEVPORT" "EARJACK_DEBUGGER" "GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" "HARDENED_USERCOPY_FALLBACK" "HIBERNATION" "HWPOISON_INJECT" "IA32_EMULATION" "IOMMU_NON_SECURE" "INPUT_EVBUG" "IO_URING" "IP_DCCP" "IP_SCTP" "KEXEC" "KEXEC_FILE" "KSM" "LDISC_AUTOLOAD" "LEGACY_PTYS" "LIVEPATCH" "MEM_SOFT_DIRTY" "MMIOTRACE" "MMIOTRACE_TEST" "MODIFY_LDT_SYSCALL" "MSM_BUSPM_DEV" "NEEDS_SYSCALL_FOR_CMPXCHG" "NOTIFIER_ERROR_INJECTION" "OABI_COMPAT" "PAGE_OWNER" "PROC_KCORE" "PROC_PAGE_MONITOR" "PROC_VMCORE" "RDS" "RDS_TCP" "SECURITY_SELINUX_DISABLE" "SECURITY_WRITABLE_HOOKS" "SLAB_MERGE_DEFAULT" "STACKLEAK_METRICS" "STACKLEAK_RUNTIME_DISABLE" "TIMER_STATS" "TSC" "TSPP2" "UKSM" "UPROBES" "USELIB" "USERFAULTFD" "VIDEO_VIVID" "WLAN_FEATURE_MEMDUMP" "X86_IOPL_IOPERM" "X86_PTDUMP" "X86_VSYSCALL_EMULATION" "ZSMALLOC_STAT"); - #if [[ "$1" != *"kernel/htc/msm8994"* ]] && [[ "$1" != *"kernel/samsung/smdk4412"* ]] && [[ "$1" != *"kernel/htc/flounder"* ]] && [[ "$1" != *"kernel/amazon/hdx-common"* ]] && [[ "$1" != *"msm899"* ]] && [[ "$1" != *"sdm8"* ]] && [[ "$1" != *"sdm6"* ]]; then - #optionsNo+=("DIAG_CHAR" "DIAG_OVER_USB" "USB_QCOM_DIAG_BRIDGE" "DIAGFWD_BRIDGE_CODE" "DIAG_SDIO_PIPE" "DIAG_HSIC_PIPE"); - #fi; + if [ "$DOS_DEBLOBBER_REMOVE_IPA" = true ]; then optionsNo+=("IPA" "RMNET_IPA"); fi; optionsNo+=("WIREGUARD"); #Requires root access, which we do not provide #optionsNo+=("LTO_CLANG"); #Can easily require 64GB of RAM on host system to compile + for option in "${optionsNo[@]}" do sed -i 's/'"CONFIG_$option"'=y/# '"CONFIG_$option"' is not set/' $defconfigPath &>/dev/null || true; @@ -699,6 +795,7 @@ hardenDefconfig() { fi; fi; done + #Extras sed -i 's/CONFIG_ARCH_MMAP_RND_BITS=8/CONFIG_ARCH_MMAP_RND_BITS=16/' $defconfigPath &>/dev/null || true; sed -i 's/CONFIG_ARCH_MMAP_RND_BITS=18/CONFIG_ARCH_MMAP_RND_BITS=24/' $defconfigPath &>/dev/null || true;