This project contains tools, scripts, and a best-known configuration (BKC) for Linux guest kernel hardening in the context of the Confidential Cloud Computing threat model, where the hypervisor is untrusted.
Project overview:

- bkc/
  - audit/      # threat surface enumeration using static analysis
  - kafl/       # configs and tools for Linux fuzzing with kAFL
  - syzkaller/  # configs and tools for generating guest activity with Syzkaller
  - coverage/   # tools for matching coverage and trace data against the audit list
- manifest/west.yml  # manifest of required sub-components
We use Python pipenv and west repo management to manage the installation.

Clone this repo to a new directory and run `make env` to initialize your workspace:

```shell
git clone $this_repo_url ~/tdx
cd ~/tdx
make env   # create + enter Python venv; initialize west
```

For any new session, run `make env` again to initialize the Python environment and source the .env file. All subsequent steps assume an active workspace.
Use west to fetch or update one or more sub-repos. The complete list of active repos can be viewed with `west list`. For the Smatch audit alone only the `smatch` and `linux-guest` repos are needed; for fuzzing, download everything:

```shell
west update smatch linux-guest   # just Smatch audit analysis
west update                      # everything for fuzzing & analysis
```

See west basics for an introduction to west.
Generate the Smatch audit list for the Linux kernel code and configuration you intend to audit or fuzz:

```shell
cp ./bkc/kafl/linux_kernel_tdx_guest.config $LINUX_GUEST/.config
make -C $LINUX_GUEST prepare
./bkc/audit/gen_smatch_warns.sh $LINUX_GUEST
```

This generates a file smatch_warns.txt in the target folder, containing the list of code locations found to consume potentially malicious input from an untrusted hypervisor. Since the set of flagged locations depends on both the source tree and the kernel configuration, regenerate the list whenever either changes.
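To make concrete what "matching coverage and trace data against the audit list" (the job of bkc/coverage) involves, here is a small added example, not the project's own tooling, that parses an audit list in Smatch's usual warning layout and reports which flagged locations a coverage trace reached. The warning format, the `file:line` trace format, the `slack` tolerance and all sample entries are assumptions constructed for illustration, not output from a real audit or fuzzing run.

```python
"""Match a Smatch audit list against a coverage trace.

Added example, not part of the project's bkc/coverage tooling. It assumes
smatch_warns.txt lines have Smatch's usual shape
"path/file.c:LINE func() warn: message", and that coverage is available as
"path/file.c:LINE" entries (e.g. after resolving trace addresses with
addr2line). All sample data below is constructed for illustration.
"""
import re
from collections import defaultdict

# Assumed Smatch warning layout: "<file>:<line> <func>() warn: <message>"
SMATCH_LINE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+)\s+(?P<func>\w+)\(\)\s+warn:\s*(?P<msg>.*)$"
)

# Constructed stand-in for smatch_warns.txt (not real audit output).
SAMPLE_WARNS = """\
drivers/virtio/virtio_ring.c:120 vring_alloc_queue() warn: check host input 'num'
drivers/virtio/virtio_ring.c:230 virtqueue_get_buf() warn: check host input 'len'
drivers/virtio/virtio_pci_modern.c:310 vp_modern_probe() warn: check host input 'common'
arch/x86/kernel/tdx.c:88 tdx_handle_mmio() warn: check host input 'val'
this line is not a smatch warning and is skipped
"""

# Constructed coverage trace: source lines reached during a fuzzing run.
SAMPLE_COVERAGE = """\
drivers/virtio/virtio_ring.c:120
drivers/virtio/virtio_ring.c:121
drivers/virtio/virtio_ring.c:230
arch/x86/kernel/tdx.c:90
"""


def parse_smatch_warns(text):
    """Return one dict per well-formed warning line; malformed lines are skipped."""
    warns = []
    for raw in text.splitlines():
        m = SMATCH_LINE.match(raw.strip())
        if m:
            warns.append({"file": m["file"], "line": int(m["line"]),
                          "func": m["func"], "msg": m["msg"]})
    return warns


def parse_coverage(text):
    """Return the set of (file, line) pairs named in a file:line trace."""
    covered = set()
    for raw in text.splitlines():
        path, sep, line = raw.strip().rpartition(":")
        if sep and line.isdigit():
            covered.add((path, int(line)))
    return covered


def match_coverage(warns, covered, slack=0):
    """Split audit locations into those the trace reached and those it missed.

    slack widens each audit line to +/- slack lines: compiler line info and
    the line Smatch reports can differ slightly for multi-line statements,
    so a strict equality check under-reports covered audit points.
    """
    hit, miss = [], []
    for w in warns:
        window = range(w["line"] - slack, w["line"] + slack + 1)
        if any((w["file"], ln) in covered for ln in window):
            hit.append(w)
        else:
            miss.append(w)
    return hit, miss


def summarize(hit, miss):
    """Per-file (covered, total) counts, handy for picking the next harness."""
    per_file = defaultdict(lambda: [0, 0])
    for w in hit:
        per_file[w["file"]][0] += 1
        per_file[w["file"]][1] += 1
    for w in miss:
        per_file[w["file"]][1] += 1
    return {f: tuple(c) for f, c in per_file.items()}


if __name__ == "__main__":
    warns = parse_smatch_warns(SAMPLE_WARNS)
    covered = parse_coverage(SAMPLE_COVERAGE)
    hit, miss = match_coverage(warns, covered, slack=2)
    for f, (c, t) in sorted(summarize(hit, miss).items()):
        print(f"{f}: {c}/{t} audit points covered")
    for w in miss:
        print(f"MISSED {w['file']}:{w['line']} {w['func']}() {w['msg']}")
```

The `slack` parameter is the practical knob here: with exact matching the constructed `tdx.c:88` entry counts as missed even though the trace reached line 90 two lines later, while `slack=2` counts it as covered. Pick the tolerance deliberately, since too large a window inflates coverage of the audit list and hides harness gaps.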
- Follow kAFL Installation Steps
- Run a Boot Fuzzing Example
- Familiarize yourself with kAFL Fuzzer Status and Tools
```shell
echo $KAFL_WORKDIR
./bkc/kafl/fuzz.sh cov $KAFL_WORKDIR
./bkc/kafl/fuzz.sh smatch $KAFL_WORKDIR
```
TODO:
- explain what this does and provide a single-campaign example
- expand harness descriptions to document basic performance and known issues
./bkc/kafl/run_experiments.sh ....