'invalid expected value "{}" for "{}" check (1)'.format(expected, name)
val_len = len(expected.split())
if val_len == 3:
- assert(expected == 'is not set' or expected == 'is not off'), \
+ assert(expected in ('is not set', 'is not off')), \
'invalid expected value "{}" for "{}" check (2)'.format(expected, name)
elif val_len == 2:
assert(expected == 'is present'), \
self.result = 'FAIL: {} is not "{}"'.format(opt.name, opt.expected)
elif opt.result == 'FAIL: is not present':
self.result = 'FAIL: {} is not present'.format(opt.name)
- elif opt.result == 'FAIL: is off' or opt.result == 'FAIL: is off, "0"':
+ elif opt.result in ('FAIL: is off', 'FAIL: is off, "0"'):
self.result = 'FAIL: {} is off'.format(opt.name)
elif opt.result == 'FAIL: is off, not found':
self.result = 'FAIL: {} is off, not found'.format(opt.name)
l += [KconfigCheck('cut_attack_surface', 'maintainer', 'VT', 'is not set')] # recommended by Daniel Vetter in /issues/38
l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD', 'is not set')] # recommended by Denis Efremov in /pull/54
l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD_RAWCMD', 'is not set')] # recommended by Denis Efremov in /pull/62
+ l += [KconfigCheck('cut_attack_surface', 'maintainer', 'NOUVEAU_LEGACY_CTX_SUPPORT', 'is not set')]
+ # recommended by Dave Airlie in kernel commit b30a43ac7132cdda
# 'cut_attack_surface', 'clipos'
l += [KconfigCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'VIDEO_VIVID', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger
l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'my', 'AIO', 'is not set')]
l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'),
modules_not_set)]
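Review bot: The new `AIO` check carries no rationale or source, unlike its neighbours, which name who recommended them or say why (`# Can be used as a keylogger`). Disabling CONFIG_AIO removes the legacy asynchronous I/O interface, which some userspace presumably still relies on, so a trailing comment such as `# legacy AIO syscalls; confirm no userspace depends on them` would help anyone deciding whether to act on a FAIL. The `NOUVEAU_LEGACY_CTX_SUPPORT` attribution also sits on its own line directly above the `# 'cut_attack_surface', 'clipos'` header, where it reads as part of the next section. Moving it to a trailing comment on the check line, as done for `BLK_DEV_FD_RAWCMD`, keeps it attached to the right entry.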
CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not set'))]
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not off'),
CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not set'))]
+ l += [OR(CmdlineCheck('self_protection', 'defconfig', 'kvm.nx_huge_pages', 'is not off'),
+ CmdlineCheck('self_protection', 'defconfig', 'kvm.nx_huge_pages', 'is not set'))]
if arch == 'ARM64':
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'ssbd', 'kernel'),
CmdlineCheck('self_protection', 'my', 'ssbd', 'force-on'),
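Review bot: The new `kvm.nx_huge_pages` checks appear to pass for disabling values other than `off`, because the result strings elsewhere in this diff (`FAIL: is off`, `FAIL: is off, "0"`) suggest `is not off` rejects only `off` and `0`. As far as I know the kernel also parses this parameter as a boolean and, in newer releases, accepts `never`, so a command line with `kvm.nx_huge_pages=N` or `=never` would leave the iTLB multihit mitigation disabled while this check reports OK. This should be confirmed against the kernel parameter documentation; if it holds, either extend the comparison or add `# NOTE: only 'off' and '0' are treated as disabled` beside the check. The same reasoning may apply to the `kpti` pair just above. The list-building code this belongs to starts and ends outside the hunk.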
l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_nomerge', 'is present'),
AND(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'),
CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set'),
- CmdlineCheck('self_protection', 'kspp', 'slub_merge', 'is not set')))]
+ CmdlineCheck('self_protection', 'clipos', 'slub_merge', 'is not set')))]
l += [OR(CmdlineCheck('self_protection', 'kspp', 'iommu.strict', '1'),
AND(KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y'),
CmdlineCheck('self_protection', 'kspp', 'iommu.strict', 'is not set')))]
if mode == 'verbose':
# print the parsed options without the checks (for debugging)
all_parsed_options = parsed_kconfig_options # assignment does not copy
- all_parsed_options.update(parsed_cmdline_options)
+ if args.cmdline:
+ all_parsed_options.update(parsed_cmdline_options)
print_unknown_options(config_checklist, all_parsed_options)
# finally print the results
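Review bot: `all_parsed_options` is an alias of `parsed_kconfig_options`, so the `update()` on the newly guarded line still writes the cmdline entries into the kconfig dictionary itself, as the existing `# assignment does not copy` comment concedes. That is harmless only while nothing reads `parsed_kconfig_options` afterwards; `all_parsed_options = parsed_kconfig_options.copy()` would remove the dependence on statement order. The guard also implies that `parsed_cmdline_options` is unavailable when `args.cmdline` is unset, and a short comment saying so would explain why the condition exists. The enclosing function continues outside the hunk.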