- checklist.append(OptCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y'))
- checklist.append(OptCheck('self_protection', 'kspp', 'DEBUG_WX', 'y'))
- checklist.append(OptCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y'))
- checklist.append(OptCheck('self_protection', 'kspp', 'SLAB_FREELIST_HARDENED', 'y'))
- checklist.append(OptCheck('self_protection', 'kspp', 'SLAB_FREELIST_RANDOM', 'y'))
- checklist.append(OptCheck('self_protection', 'kspp', 'SHUFFLE_PAGE_ALLOCATOR', 'y'))
- checklist.append(OptCheck('self_protection', 'kspp', 'FORTIFY_SOURCE', 'y'))
- checklist.append(OptCheck('self_protection', 'kspp', 'DEBUG_LIST', 'y'))
- checklist.append(OptCheck('self_protection', 'kspp', 'DEBUG_SG', 'y'))
- checklist.append(OptCheck('self_protection', 'kspp', 'DEBUG_CREDENTIALS', 'y'))
- checklist.append(OptCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y'))
- checklist.append(OptCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y'))
- checklist.append(OptCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y'))
- randstruct_is_set = OptCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y')
- checklist.append(randstruct_is_set)
- hardened_usercopy_is_set = OptCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y')
- checklist.append(hardened_usercopy_is_set)
- checklist.append(AND(OptCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'), \
- hardened_usercopy_is_set))
- checklist.append(OR(OptCheck('self_protection', 'kspp', 'MODULE_SIG', 'y'), \
- modules_not_set))
- checklist.append(OR(OptCheck('self_protection', 'kspp', 'MODULE_SIG_ALL', 'y'), \
- modules_not_set))
- checklist.append(OR(OptCheck('self_protection', 'kspp', 'MODULE_SIG_SHA512', 'y'), \
- modules_not_set))
- checklist.append(OR(OptCheck('self_protection', 'kspp', 'MODULE_SIG_FORCE', 'y'), \
- modules_not_set)) # refers to LOCKDOWN
- checklist.append(OR(OptCheck('self_protection', 'kspp', 'INIT_STACK_ALL', 'y'), \
- OptCheck('self_protection', 'kspp', 'GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y')))
- checklist.append(OR(OptCheck('self_protection', 'kspp', 'INIT_ON_FREE_DEFAULT_ON', 'y'), \
- OptCheck('self_protection', 'kspp', 'PAGE_POISONING', 'y'))) # before v5.3
+ l += [KconfigCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_WX', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'SCHED_STACK_END_CHECK', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_HARDENED', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'SLAB_FREELIST_RANDOM', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'SHUFFLE_PAGE_ALLOCATOR', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'FORTIFY_SOURCE', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_LIST', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_VIRTUAL', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_SG', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_CREDENTIALS', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y')]
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y'),
+ gcc_plugins_support_is_set)]
+ l += [KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'WERROR', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_PASSTHROUGH', 'is not set')] # true if IOMMU_DEFAULT_DMA_STRICT is set
+ l += [KconfigCheck('self_protection', 'kspp', 'ZERO_CALL_USED_REGS', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'HW_RANDOM_TPM', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support
+ l += [KconfigCheck('self_protection', 'kspp', 'SCHED_CORE', 'y')]
+ randstruct_is_set = OR(KconfigCheck('self_protection', 'kspp', 'RANDSTRUCT_FULL', 'y'),
+ KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y'))
+ l += [randstruct_is_set]
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'RANDSTRUCT_PERFORMANCE', 'is not set'),
+ KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'),
+ randstruct_is_set)]
+ hardened_usercopy_is_set = KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y')
+ l += [hardened_usercopy_is_set]
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'),
+ hardened_usercopy_is_set)]
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_PAGESPAN', 'is not set'),
+ hardened_usercopy_is_set)]
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG', 'y'),
+ modules_not_set)]
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG_ALL', 'y'),
+ modules_not_set)]
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG_SHA512', 'y'),
+ modules_not_set)]
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'MODULE_SIG_FORCE', 'y'),
+ modules_not_set)] # refers to LOCKDOWN
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'INIT_STACK_ALL_ZERO', 'y'),
+ KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y'))]
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'INIT_ON_FREE_DEFAULT_ON', 'y'),
+ KconfigCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'))]
+ # CONFIG_INIT_ON_FREE_DEFAULT_ON was added in v5.3.
+ # CONFIG_PAGE_POISONING_ZERO was removed in v5.11.
+ # Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks
+ # the 0xAA poison pattern on allocation.
+ # That brings higher performance penalty.
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'EFI_DISABLE_PCI_DMA', 'y'),
+ efi_not_set)]
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'RESET_ATTACK_MITIGATION', 'y'),
+ efi_not_set)] # needs userspace support (systemd)
+ ubsan_bounds_is_set = KconfigCheck('self_protection', 'kspp', 'UBSAN_BOUNDS', 'y')
+ l += [ubsan_bounds_is_set]
+ l += [OR(KconfigCheck('self_protection', 'kspp', 'UBSAN_LOCAL_BOUNDS', 'y'),
+ AND(ubsan_bounds_is_set,
+ cc_is_gcc))]
+ l += [AND(KconfigCheck('self_protection', 'kspp', 'UBSAN_TRAP', 'y'),
+ ubsan_bounds_is_set,
+ KconfigCheck('self_protection', 'kspp', 'UBSAN_SHIFT', 'is not set'),
+ KconfigCheck('self_protection', 'kspp', 'UBSAN_DIV_ZERO', 'is not set'),
+ KconfigCheck('self_protection', 'kspp', 'UBSAN_UNREACHABLE', 'is not set'),
+ KconfigCheck('self_protection', 'kspp', 'UBSAN_BOOL', 'is not set'),
+ KconfigCheck('self_protection', 'kspp', 'UBSAN_ENUM', 'is not set'),
+ KconfigCheck('self_protection', 'kspp', 'UBSAN_ALIGNMENT', 'is not set'))] # only array index bounds checking with traps