diff --git a/kernelctf/build_release.sh b/kernelctf/build_release.sh index daee92fb..26440ccd 100755 --- a/kernelctf/build_release.sh +++ b/kernelctf/build_release.sh @@ -29,9 +29,12 @@ case $TARGET in mitigation) REPO="https://github.com/thejh/linux" case $VERSION in - v3-6.1.55) + v3-* | v3b-*) DEFAULT_BRANCH="mitigations-next" - CONFIG_FN="mitigation-v3.config" + case $VERSION in + v3-6.1.55) CONFIG_FN="mitigation-v3.config" ;; + v3b-6.1.55) CONFIG_FN="mitigation-v3b.config" ;; + esac CONFIG_FULL_FN="mitigation-v3-full.config" ;; 6.1 | 6.1-v2) diff --git a/kernelctf/get_latest_kernel_versions.py b/kernelctf/get_latest_kernel_versions.py index 82bdd778..25debb26 100755 --- a/kernelctf/get_latest_kernel_versions.py +++ b/kernelctf/get_latest_kernel_versions.py @@ -17,12 +17,12 @@ def add_release(release_id, branch=None): global releases releases.append({ "releaseId": release_id, "branch": branch }) -for lts_version in ["6.1", "6.6"]: +for lts_version in ["6.6"]: latest_lts = run(f"git ls-remote --tags --sort='-v:refname' https://github.com/gregkh/linux 'v{lts_version}.*[0-9]'")[0].split("refs/tags/")[1] print(f"Latest LTS {lts_version}: {latest_lts}") add_release(f"lts-{latest_lts[1:]}") -for cos_milestone in [97, 105, 109]: +for cos_milestone in [105, 109]: release_notes = fetch(f"https://cloud.google.com/feeds/cos-{cos_milestone}-release-notes.xml") tree = etree.XML(release_notes.encode('utf-8')) entries = tree.xpath("//*[local-name() = 'content']/text()") diff --git a/kernelctf/kernel_configs/mitigation-v3b.config b/kernelctf/kernel_configs/mitigation-v3b.config new file mode 100644 index 00000000..b9d4eff7 --- /dev/null +++ b/kernelctf/kernel_configs/mitigation-v3b.config 
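Review bot: The inner `case $VERSION in` that selects CONFIG_FN has no default arm, while the outer pattern `v3-* | v3b-*` now accepts any version carrying those prefixes. A version other than the two listed would fall through with CONFIG_FN unset (or left over from earlier in the script, which is not visible here), and the build could proceed without the mitigation fragment while still being published as a mitigation target. Add a failing default before `esac`, for example `*) echo "unsupported mitigation version: $VERSION" >&2; exit 1 ;;`. CONFIG_FULL_FN also stays `mitigation-v3-full.config` for v3b; if that is intended, a short comment saying the full config is shared between v3 and v3b would help. The enclosing `case $TARGET in` starts and ends outside the hunk.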
@@ -0,0 +1,27 @@ +# CONFIG_IO_URING is not set +CONFIG_SYSTEM_TRUSTED_KEYS="" + +## required by CONFIG_KMALLOC_SPLIT_VARSIZE +# CONFIG_SLAB_MERGE_DEFAULT is not set + +## turns on our mitigations +CONFIG_KMALLOC_SPLIT_VARSIZE=y +CONFIG_SLAB_VIRTUAL=y + +## turns on CONFIG_RANDOM_KMALLOC_CACHES +CONFIG_RANDOM_KMALLOC_CACHES=y + +## turns on additional hardenings +CONFIG_BUG_ON_DATA_CORRUPTION=y +CONFIG_FORTIFY_SOURCE=y +CONFIG_DEBUG_WX=y +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y +# CONFIG_FUSE_FS is not set + +### Make the kernel less annoying to debug +## Compile the kernel with debug info +CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y +# Have all symbols in kallsyms +CONFIG_KALLSYMS_ALL=y + +# CONFIG_NF_TABLES is not set diff --git a/kernelctf/server/server.py b/kernelctf/server/server.py index 3460cf9a..6fc7d49e 100755 --- a/kernelctf/server/server.py +++ b/kernelctf/server/server.py @@ -49,7 +49,7 @@ def get_releases(): del releases[release_id] continue - m = re.match(r'(?Plts|mitigation(-v3)?|cos-\d+)-(?P\d+(\.\d+)+)', release_id) + m = re.match(r'(?Plts|mitigation(-v3|-v3b)?|cos-\d+)-(?P\d+(\.\d+)+)', release_id) if m is None: warning(f'release {release_id} does not match regex') del releases[release_id] @@ -102,7 +102,7 @@ def print_filtered(name, status_filter): print_filtered('Deprecated targets', 'deprecated') else: print_filtered('Current targets', 'latest') - print_filtered('Future targets', 'future') + print_filtered('Future targets', 'future') def are_you_sure(prompt): print(prompt)
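Review bot: Nothing in this fragment guards against a symbol being dropped at merge time, since Kconfig discards options that do not exist in the tree or whose dependencies are unmet without failing the build. CONFIG_RANDOM_KMALLOC_CACHES landed upstream in 6.6 as far as I know, so on the 6.1.55 base it depends on the mitigations-next branch carrying it, and the two options under "turns on our mitigations" are presumably branch-specific as well. A check after config generation that every `=y` line here is present in the final `.config` would catch a target labelled v3b that was built without its mitigations. The comment `## turns on CONFIG_RANDOM_KMALLOC_CACHES` only repeats the symbol name and the last line has no comment; something like `## v3b: randomized kmalloc caches in addition to the mitigations above` and `## reduce attack surface: nf_tables disabled for this target` would record the intent, if that matches the authors' reasoning.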
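Review bot: The widened alternation `mitigation(-v3|-v3b)?` is still applied with `re.match` and no end anchor, so a release id only has to start with a valid prefix and version to pass the check. If release ids come from a listing that others can write to (their source is outside this hunk), `re.fullmatch` with the same pattern would reject ids with trailing characters before they reach the rest of get_releases. The variant list is now spelled out both here and in build_release.sh; a comment such as `# keep in sync with the mitigation cases in build_release.sh` on this line would help the next variant land in both places. get_releases starts before and continues after the hunk.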