- checklist.append(OptCheck('CPU_SW_DOMAIN_PAN', 'y', 'defconfig', 'self_protection'))
- checklist.append(OptCheck('STACKPROTECTOR_PER_TASK', 'y', 'defconfig', 'self_protection'))
- if arch == 'ARM64' or arch == 'ARM':
- checklist.append(OptCheck('HARDEN_BRANCH_PREDICTOR', 'y', 'defconfig', 'self_protection'))
-
- checklist.append(OptCheck('BUG_ON_DATA_CORRUPTION', 'y', 'kspp', 'self_protection'))
- checklist.append(OptCheck('DEBUG_WX', 'y', 'kspp', 'self_protection'))
- checklist.append(OptCheck('SCHED_STACK_END_CHECK', 'y', 'kspp', 'self_protection'))
- checklist.append(OptCheck('SLAB_FREELIST_HARDENED', 'y', 'kspp', 'self_protection'))
- checklist.append(OptCheck('SLAB_FREELIST_RANDOM', 'y', 'kspp', 'self_protection'))
- checklist.append(OptCheck('SHUFFLE_PAGE_ALLOCATOR', 'y', 'kspp', 'self_protection'))
- checklist.append(OptCheck('FORTIFY_SOURCE', 'y', 'kspp', 'self_protection'))
- randstruct_is_set = OptCheck('GCC_PLUGIN_RANDSTRUCT', 'y', 'kspp', 'self_protection')
- checklist.append(randstruct_is_set)
- checklist.append(OptCheck('GCC_PLUGIN_LATENT_ENTROPY', 'y', 'kspp', 'self_protection'))
- checklist.append(OptCheck('DEBUG_LIST', 'y', 'kspp', 'self_protection'))
- checklist.append(OptCheck('DEBUG_SG', 'y', 'kspp', 'self_protection'))
- checklist.append(OptCheck('DEBUG_CREDENTIALS', 'y', 'kspp', 'self_protection'))
- checklist.append(OptCheck('DEBUG_NOTIFIERS', 'y', 'kspp', 'self_protection'))
- hardened_usercopy_is_set = OptCheck('HARDENED_USERCOPY', 'y', 'kspp', 'self_protection')
- checklist.append(hardened_usercopy_is_set)
- checklist.append(AND(OptCheck('HARDENED_USERCOPY_FALLBACK', 'is not set', 'kspp', 'self_protection'), \
- hardened_usercopy_is_set))
- checklist.append(OR(OptCheck('MODULE_SIG', 'y', 'kspp', 'self_protection'), \
- modules_not_set))
- checklist.append(OR(OptCheck('MODULE_SIG_ALL', 'y', 'kspp', 'self_protection'), \
- modules_not_set))
- checklist.append(OR(OptCheck('MODULE_SIG_SHA512', 'y', 'kspp', 'self_protection'), \
- modules_not_set))
- checklist.append(OR(OptCheck('MODULE_SIG_FORCE', 'y', 'kspp', 'self_protection'), \
- modules_not_set)) # refers to LOCKDOWN
- checklist.append(OR(OptCheck('INIT_STACK_ALL', 'y', 'kspp', 'self_protection'), \
- OptCheck('GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y', 'kspp', 'self_protection')))
- checklist.append(OptCheck('INIT_ON_ALLOC_DEFAULT_ON', 'y', 'kspp', 'self_protection'))
- checklist.append(OR(OptCheck('INIT_ON_FREE_DEFAULT_ON', 'y', 'kspp', 'self_protection'), \
- OptCheck('PAGE_POISONING', 'y', 'kspp', 'self_protection'))) # before v5.3
- if arch == 'X86_64' or arch == 'ARM64' or arch == 'X86_32':
- stackleak_is_set = OptCheck('GCC_PLUGIN_STACKLEAK', 'y', 'kspp', 'self_protection')
- checklist.append(stackleak_is_set)
- checklist.append(AND(OptCheck('STACKLEAK_METRICS', 'is not set', 'clipos', 'self_protection'), \
- stackleak_is_set))
- checklist.append(AND(OptCheck('STACKLEAK_RUNTIME_DISABLE', 'is not set', 'clipos', 'self_protection'), \
- stackleak_is_set))
- if arch == 'X86_64' or arch == 'X86_32':
- checklist.append(OptCheck('DEFAULT_MMAP_MIN_ADDR', '65536', 'kspp', 'self_protection'))
- if arch == 'X86_32':
- checklist.append(OptCheck('PAGE_TABLE_ISOLATION', 'y', 'kspp', 'self_protection'))
- checklist.append(OptCheck('HIGHMEM64G', 'y', 'kspp', 'self_protection'))
- checklist.append(OptCheck('X86_PAE', 'y', 'kspp', 'self_protection'))
+ l += [KconfigCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')]
+ l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')]
+ l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_HISTORY', 'y')]
+
+ # 'self_protection', 'kspp'
+ l += [KconfigCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_WX', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_HARDENED', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_RANDOM', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'SHUFFLE_PAGE_ALLOCATOR', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'FORTIFY_SOURCE', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_LIST', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_VIRTUAL', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_SG', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_CREDENTIALS', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y')]
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y'),
+ gcc_plugins_support_is_set)]
+ l += [KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'WERROR', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_PASSTHROUGH', 'is not set')] # true if IOMMU_DEFAULT_DMA_STRICT is set
+ l += [KconfigCheck('self_protection', 'kspp', 'ZERO_CALL_USED_REGS', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'HW_RANDOM_TPM', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support
+ l += [KconfigCheck('self_protection', 'kspp', 'SCHED_CORE', 'y')]
+ randstruct_is_set = OR(KconfigCheck('self_protection', 'kspp', 'RANDSTRUCT_FULL', 'y'),
+ KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y'))
+ l += [randstruct_is_set]
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'RANDSTRUCT_PERFORMANCE', 'is not set'),
+ KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'),
+ randstruct_is_set)]
+ hardened_usercopy_is_set = KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y')
+ l += [hardened_usercopy_is_set]
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'),
+ hardened_usercopy_is_set)]
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_PAGESPAN', 'is not set'),
+ hardened_usercopy_is_set)]
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG', 'y'),
+ modules_not_set)]
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG_ALL', 'y'),
+ modules_not_set)]
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG_SHA512', 'y'),
+ modules_not_set)]
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG_FORCE', 'y'),
+ modules_not_set)] # refers to LOCKDOWN
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'INIT_STACK_ALL_ZERO', 'y'),
+ KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y'))]
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'INIT_ON_FREE_DEFAULT_ON', 'y'),
+ KconfigCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'))]
+ # CONFIG_INIT_ON_FREE_DEFAULT_ON was added in v5.3.
+ # CONFIG_PAGE_POISONING_ZERO was removed in v5.11.
+ # Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks
+ # the 0xAA poison pattern on allocation.
+ # That brings higher performance penalty.
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'EFI_DISABLE_PCI_DMA', 'y'),
+ efi_not_set)]
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'RESET_ATTACK_MITIGATION', 'y'),
+ efi_not_set)] # needs userspace support (systemd)
+ ubsan_bounds_is_set = KconfigCheck('self_protection', 'kspp', 'UBSAN_BOUNDS', 'y')
+ l += [ubsan_bounds_is_set]
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'UBSAN_LOCAL_BOUNDS', 'y'),
+ AND(ubsan_bounds_is_set,
+ cc_is_gcc))]
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'UBSAN_TRAP', 'y'),
+ ubsan_bounds_is_set,
+ KconfigCheck('self_protection', 'kspp', 'UBSAN_SHIFT', 'is not set'),
+ KconfigCheck('self_protection', 'kspp', 'UBSAN_DIV_ZERO', 'is not set'),
+ KconfigCheck('self_protection', 'kspp', 'UBSAN_UNREACHABLE', 'is not set'),
+ KconfigCheck('self_protection', 'kspp', 'UBSAN_BOOL', 'is not set'),
+ KconfigCheck('self_protection', 'kspp', 'UBSAN_ENUM', 'is not set'),
+ KconfigCheck('self_protection', 'kspp', 'UBSAN_ALIGNMENT', 'is not set'))] # only array index bounds checking with traps
+ if arch in ('X86_64', 'ARM64', 'X86_32'):
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'UBSAN_SANITIZE_ALL', 'y'),
+ ubsan_bounds_is_set)] # ARCH_HAS_UBSAN_SANITIZE_ALL is not enabled for ARM
+ stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y')
+ l += [AND(stackleak_is_set, gcc_plugins_support_is_set)]
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'STACKLEAK_METRICS', 'is not set'),
+ stackleak_is_set,
+ gcc_plugins_support_is_set)]
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'STACKLEAK_RUNTIME_DISABLE', 'is not set'),
+ stackleak_is_set,
+ gcc_plugins_support_is_set)]
+ l += [KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')]
+ if arch in ('X86_64', 'ARM64'):
+ cfi_clang_is_set = KconfigCheck('self_protection', 'kspp', 'CFI_CLANG', 'y')
+ l += [cfi_clang_is_set]
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'CFI_PERMISSIVE', 'is not set'),
+ cfi_clang_is_set)]
+ if arch in ('X86_64', 'X86_32'):
+ l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '65536')]
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'INTEL_IOMMU_DEFAULT_ON', 'y'),
+ iommu_support_is_set)]
+ if arch in ('ARM64', 'ARM'):
+ l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '32768')]
+ l += [KconfigCheck('self_protection', 'kspp', 'SYN_COOKIES', 'y')] # another reason?
+ if arch == 'X86_64':
+ l += [KconfigCheck('self_protection', 'kspp', 'SLS', 'y')] # vs CVE-2021-26341 in Straight-Line-Speculation
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'INTEL_IOMMU_SVM', 'y'),
+ iommu_support_is_set)]
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'AMD_IOMMU_V2', 'y'),
+ iommu_support_is_set)]