# iommu.passthrough=0
# iommu.strict=1
# slub_debug=FZ (slow)
-# init_on_free=1 (since v5.3, otherwise slub_debug=P and page_poison=1)
+# slub_debug=P
# loadpin.enforce=1
# debugfs=no-mount (or off if possible)
#
# ssbd=force-on
#
# Should NOT be set:
-# slab_merge
# nokaslr
# rodata=off
# sysrq_always_enabled
l += [OR(KconfigCheck('self_protection', 'kspp', 'INIT_STACK_ALL_ZERO', 'y'),
KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y'))]
l += [OR(KconfigCheck('self_protection', 'kspp', 'INIT_ON_FREE_DEFAULT_ON', 'y'),
- KconfigCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'))]
+ AND(KconfigCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'),
+ CmdlineCheck('self_protection', 'kspp', 'page_poison', '1')))]
# CONFIG_INIT_ON_FREE_DEFAULT_ON was added in v5.3.
# CONFIG_PAGE_POISONING_ZERO was removed in v5.11.
# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks
if arch in ('X86_64', 'ARM64', 'X86_32'):
stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y')
l += [stackleak_is_set]
- l += [OR(KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y'),
- CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', '1'))]
+ l += [KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')]
if arch in ('X86_64', 'X86_32'):
l += [KconfigCheck('self_protection', 'kspp', 'SCHED_CORE', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '65536')]
l += [KconfigCheck('self_protection', 'clipos', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support
l += [OR(KconfigCheck('self_protection', 'clipos', 'EFI_DISABLE_PCI_DMA', 'y'),
efi_not_set)]
- l += [OR(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'),
- CmdlineCheck('self_protection', 'kspp', 'slab_nomerge'))] # option presence check
+ l += [KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set')]
l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_BOOTLOADER', 'is not set')]
l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_CPU', 'is not set')]
l += [AND(KconfigCheck('self_protection', 'clipos', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'),
l += [OR(CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', '1'),
AND(KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y'),
CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', 'is not set')))]
-
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'init_on_free', '1'),
+ AND(KconfigCheck('self_protection', 'kspp', 'INIT_ON_FREE_DEFAULT_ON', 'y'),
+ CmdlineCheck('self_protection', 'kspp', 'init_on_free', 'is not set')))]
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_nomerge'),
+ AND(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'),
+ CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set')))] # option presence check
+ if arch in ('X86_64', 'ARM64', 'X86_32'):
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', '1'),
+ AND(KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y'),
+ CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', 'is not set')))]
if arch in ('X86_64', 'X86_32'):
l += [CmdlineCheck('self_protection', 'kspp', 'pti', 'on')]
# TODO: add other