# Please don't cry if my Python code looks like C.
#
#
-# N.B Hardening command line parameters:
+# N.B Missing hardening command line parameters:
# iommu=force (does it help against DMA attacks?)
#
-# Mitigations of CPU vulnerabilities:
-# Аrch-independent:
-# X86:
-# l1d_flush=on (a part of the l1tf option)
-# ARM64:
-# kpti=on
-#
# Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE):
# kasan=on
# kasan.stacktrace=off
# fs.suid_dumpable=0
# kernel.modules_disabled=1
# kernel.randomize_va_space = 2
+# nosmt sysfs control file
# pylint: disable=missing-module-docstring,missing-class-docstring,missing-function-docstring
if self.expected == 'is not off':
if self.state == 'off':
self.result = 'FAIL: is off'
+ if self.state == '0':
+ self.result = 'FAIL: is off, "0"'
elif self.state is None:
self.result = 'FAIL: is off, not found'
else:
self.result = 'FAIL: {} is not "{}"'.format(opt.name, opt.expected)
elif opt.result == 'FAIL: is not present':
self.result = 'FAIL: {} is not present'.format(opt.name)
- elif opt.result == 'FAIL: is off':
+ elif opt.result == 'FAIL: is off' or opt.result == 'FAIL: is off, "0"':
self.result = 'FAIL: {} is off'.format(opt.name)
elif opt.result == 'FAIL: is off, not found':
self.result = 'FAIL: {} is off, not found'.format(opt.name)
l += [CmdlineCheck('self_protection', 'defconfig', 'nopti', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_v1', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_v2', 'is not set')]
+ l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_bhb', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'nospec_store_bypass_disable', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nobti', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nopauth', 'is not set')]
CmdlineCheck('self_protection', 'defconfig', 'mmio_stale_data', 'is not set'))]
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not off'),
CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not set'))]
+ l += [OR(CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not off'),
+ CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not set'))]
if arch == 'ARM64':
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'ssbd', 'kernel'),
CmdlineCheck('self_protection', 'my', 'ssbd', 'force-on'),