From 1c7d6584a7811b7785ae5c1e378f14b5ba0971cf Mon Sep 17 00:00:00 2001 From: takeshi_hoshina Date: Mon, 2 Nov 2020 11:07:33 +0900 Subject: basesystem-jj recipes --- .../lib/isafw/isaplugins/configs/kca/x86.py | 38 ++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py (limited to 'external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py') diff --git a/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py new file mode 100644 index 00000000..cbaddf87 --- /dev/null +++ b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py @@ -0,0 +1,38 @@ +############################################################################################ +# Kernel Hardening Configurations +############################################################################################ +hardening_kco = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': 'not set', + 'CONFIG_RANDOMIZE_BASE_MAX_OFFSET': 'not set', + 'CONFIG_X86_INTEL_MPX': 'not set', + 'CONFIG_X86_MSR': 'not set' + } +hardening_kco_ref = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': '65536', # x86 specific + 'CONFIG_RANDOMIZE_BASE_MAX_OFFSET': '0x20000000,0x40000000', # x86 specific + 'CONFIG_X86_INTEL_MPX': 'y', # x86 and certain HW variants specific + 'CONFIG_X86_MSR': 'not set' + } +############################################################################################ +# Keys Kernel Configuration +############################################################################################ +keys_kco = {} +keys_kco_ref = {} +############################################################################################ +# Security Kernel Configuration +############################################################################################ +security_kco = {'CONFIG_LSM_MMAP_MIN_ADDR': 'not set', + 'CONFIG_INTEL_TXT': 'not set'} +security_kco_ref = {'CONFIG_LSM_MMAP_MIN_ADDR': '65536', # x86 specific + 'CONFIG_INTEL_TXT': 'y'} +############################################################################################ +# Integrity Kernel Configuration +############################################################################################ +integrity_kco = {} +integrity_kco_ref = {} +############################################################################################ +# Comments +############################################################################################ +comments = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': 'Defines the portion of low virtual memory that should be protected from userspace allocation. Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs.', + 'CONFIG_RANDOMIZE_BASE_MAX_OFFSET': 'Defines the maximal offset in bytes that will be applied to the kernel when kernel Address Space Layout Randomization (kASLR) is active.', + 'CONFIG_X86_INTEL_MPX': 'Enables MPX hardware features that can be used with compiler-instrumented code to check memory references. It is designed to detect buffer overflow or underflow bugs.', + 'CONFIG_X86_MSR': 'Enables privileged processes access to the x86 Model-Specific Registers (MSRs). MSR accesses are directed to a specific CPU on multi-processor systems. This alone does not provide security.' + } -- cgit 1.2.3-korg