+ if arch in ('X86_64', 'X86_32'):
+ l += [CmdlineCheck('self_protection', 'clipos', 'iommu', 'force')]
+
+ # 'cut_attack_surface', 'defconfig'
+ if arch in ('X86_64', 'X86_32'):
+ l += [OR(CmdlineCheck('cut_attack_surface', 'defconfig', 'tsx', 'off'),
+ AND(KconfigCheck('cut_attack_surface', 'defconfig', 'X86_INTEL_TSX_MODE_OFF', 'y'),
+ CmdlineCheck('cut_attack_surface', 'defconfig', 'tsx', 'is not set')))]