- if arch in ('X86_64', 'X86_32'):
- l += [AND(KconfigCheck('self_protection', 'clipos', 'INTEL_IOMMU_DEFAULT_ON', 'y'),
- iommu_support_is_set)]
- if arch == 'X86_64':
- l += [AND(KconfigCheck('self_protection', 'clipos', 'INTEL_IOMMU_SVM', 'y'),
- iommu_support_is_set)]
- if arch == 'X86_32':
- l += [AND(KconfigCheck('self_protection', 'clipos', 'INTEL_IOMMU', 'y'),
- iommu_support_is_set)]
-
- # 'self_protection', 'my'
- l += [OR(KconfigCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y'),
- efi_not_set)] # needs userspace support (systemd)
- if arch == 'X86_64':
- l += [KconfigCheck('self_protection', 'my', 'SLS', 'y')] # vs CVE-2021-26341 in Straight-Line-Speculation
- l += [AND(KconfigCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'),
- iommu_support_is_set)]
- if arch == 'ARM64':
- l += [KconfigCheck('self_protection', 'my', 'SHADOW_CALL_STACK', 'y')] # maybe it's alternative to STACKPROTECTOR_STRONG
- l += [KconfigCheck('self_protection', 'my', 'KASAN_HW_TAGS', 'y')]
- cfi_clang_is_set = KconfigCheck('self_protection', 'my', 'CFI_CLANG', 'y')
- l += [cfi_clang_is_set]
- l += [AND(KconfigCheck('self_protection', 'my', 'CFI_PERMISSIVE', 'is not set'),
- cfi_clang_is_set)]