Add the check for the iommu cmdline option
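--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -10,9 +10,6 @@
 # Please don't cry if my Python code looks like C.
 #
 #
-# N.B Missing hardening command line parameters:
-# iommu=force (does it help against DMA attacks?)
-#
 # Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE):
 # kasan=on
 # kasan.stacktrace=off
@@ -796,6 +793,8 @@ def add_cmdline_checks(l, arch):
 # 'self_protection', 'clipos'
 l += [CmdlineCheck('self_protection', 'clipos', 'page_alloc.shuffle', '1')]
+ if arch in ('X86_64', 'X86_32'):
+ l += [CmdlineCheck('self_protection', 'clipos', 'iommu', 'force')]
 # 'cut_attack_surface', 'defconfig'
 if arch in ('X86_64', 'X86_32'):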
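Review bot: The new `CmdlineCheck('self_protection', 'clipos', 'iommu', 'force')` has no comment on what a pass does and does not establish, while the same commit deletes the note that asked whether `iommu=force` helps against DMA attacks. On x86 this parameter alone may not mean DMA remapping is actually active, since that can also depend on driver-level settings such as `intel_iommu=on` and on `iommu.passthrough`. A passing result could therefore be read as stronger DMA protection than is really in place. I would add a comment above the check, e.g. `# iommu=force comes from the 'clipos' source; it does not by itself prove DMA remapping is enabled (see intel_iommu, iommu.passthrough)`, and consider follow-up checks for those parameters. The body of `add_cmdline_checks` begins and continues outside this hunk.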