# Please don't cry if my Python code looks like C.
#
#
-# N.B Hardening command line parameters:
+# N.B Missing hardening command line parameters:
# iommu=force (does it help against DMA attacks?)
#
-# The list of disabled mitigations of CPU vulnerabilities:
-# mitigations=off
-# pti=off
-# spectre_v2=off
-# spectre_v2_user=off
-# spec_store_bypass_disable=off
-# l1tf=off
-# mds=off
-# tsx_async_abort=off
-# srbds=off
-# mmio_stale_data=off
-# retbleed=off
-# nopti
-# nokaslr
-# nospectre_v1
-# nospectre_v2
-# nospectre_bhb
-# nospec_store_bypass_disable
-# kpti=0
-# ssbd=force-off
-# nosmt (enabled)
-#
# Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE):
# kasan=on
# kasan.stacktrace=off
# fs.suid_dumpable=0
# kernel.modules_disabled=1
# kernel.randomize_va_space = 2
+# nosmt sysfs control file
# pylint: disable=missing-module-docstring,missing-class-docstring,missing-function-docstring
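Review bot: The added entry `# nosmt sysfs control file` names neither the file nor the state the checker should expect, and it lands directly after sysctl entries (`fs.suid_dumpable=0`, `kernel.modules_disabled=1`) although it is a sysfs knob rather than a sysctl. The removed `# nosmt (enabled)` line at least recorded a status, so I would spell the new one out, e.g. `# nosmt sysfs control file: /sys/devices/system/cpu/smt/control (expect off or forceoff)`. The same hunk drops the whole list of mitigation-disabling parameters (`mitigations=off`, `nopti`, `nokaslr`, …) from the notes. Presumably those are now covered by real checks elsewhere in the file, which this hunk does not show; if any are not, they should stay listed under the renamed "Missing hardening command line parameters" heading so that they are not forgotten.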
l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD', 'is not set')] # recommended by Denis Efremov in /pull/54
l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD_RAWCMD', 'is not set')] # recommended by Denis Efremov in /pull/62
- # 'cut_attack_surface', 'grapheneos'
- l += [KconfigCheck('cut_attack_surface', 'grapheneos', 'AIO', 'is not set')]
-
# 'cut_attack_surface', 'clipos'
l += [KconfigCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'clipos', 'KSM', 'is not set')] # to prevent FLUSH+RELOAD attack