# fs.protected_regular=2
# fs.suid_dumpable=0
# kernel.modules_disabled=1
-# kernel.randomize_va_space = 2
+# kernel.randomize_va_space=2
# nosmt sysfs control file
+# dev.tty.legacy_tiocsti=0
#
# Think of these boot params:
# module.sig_enforce=1
l += [KconfigCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_HISTORY', 'y')]
+ l += [KconfigCheck('self_protection', 'defconfig', 'DEBUG_ALIGN_RODATA', 'y')]
# 'self_protection', 'kspp'
l += [KconfigCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')]
l += [bpf_syscall_not_set] # refers to LOCKDOWN
# 'cut_attack_surface', 'my'
+ l += [KconfigCheck('cut_attack_surface', 'my', 'LEGACY_TIOCSTI', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'MMIOTRACE', 'is not set')] # refers to LOCKDOWN (permissive)
l += [KconfigCheck('cut_attack_surface', 'my', 'LIVEPATCH', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'IP_DCCP', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger
l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'AIO', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'my', 'CORESIGHT', 'is not set')]
l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'),
modules_not_set)]
# 'harden_userspace'
- if arch in ('X86_64', 'ARM64', 'X86_32'):
- l += [KconfigCheck('harden_userspace', 'defconfig', 'INTEGRITY', 'y')]
- if arch == 'ARM':
- l += [KconfigCheck('harden_userspace', 'my', 'INTEGRITY', 'y')]
if arch == 'ARM64':
l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_PTR_AUTH', 'y')]
l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_BTI', 'y')]