OptCheck('DEBUG_SET_MODULE_RONX', 'y', 'defconfig', 'self_protection'), \
modules_not_set)) # DEBUG_SET_MODULE_RONX was before v4.11
checklist.append(OptCheck('GCC_PLUGINS', 'y', 'defconfig', 'self_protection'))
- checklist.append(OR(OptCheck('REFCOUNT_FULL', 'y', 'defconfig', 'self_protection'), \
+ checklist.append(OR(OptCheck('REFCOUNT_FULL', 'y', 'defconfig', 'self_protection'), \
VerCheck((5, 5)))) # REFCOUNT_FULL is enabled by default since v5.5
iommu_support_is_set = OptCheck('IOMMU_SUPPORT', 'y', 'defconfig', 'self_protection') # is needed for mitigating DMA attacks
checklist.append(iommu_support_is_set)
checklist.append(OptCheck('RANDOMIZE_BASE', 'y', 'defconfig', 'self_protection'))
checklist.append(OptCheck('THREAD_INFO_IN_TASK', 'y', 'defconfig', 'self_protection'))
if arch == 'ARM':
- checklist.append(OptCheck('VMSPLIT_3G', 'y', 'defconfig', 'self_protection'))
checklist.append(OptCheck('CPU_SW_DOMAIN_PAN', 'y', 'defconfig', 'self_protection'))
checklist.append(OptCheck('STACKPROTECTOR_PER_TASK', 'y', 'defconfig', 'self_protection'))
if arch == 'ARM64' or arch == 'ARM':
checklist.append(OptCheck('INTEGRITY', 'y', 'defconfig', 'userspace_hardening'))
if arch == 'ARM64':
checklist.append(OptCheck('ARM64_PTR_AUTH', 'y', 'defconfig', 'userspace_hardening'))
+ if arch == 'ARM' or arch == 'X86_32':
+ checklist.append(OptCheck('VMSPLIT_3G', 'y', 'defconfig', 'userspace_hardening'))
if arch == 'X86_64' or arch == 'ARM64':
checklist.append(OptCheck('ARCH_MMAP_RND_BITS', '32', 'clipos', 'userspace_hardening'))
if arch == 'X86_32' or arch == 'ARM':
projects / kconfig-hardened-check.git / blobdiff