projects / kconfig-hardened-check.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Add missing OR use case
[kconfig-hardened-check.git] / kconfig-hardened-check.py
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index 3ed0f9e9c1cf26a8e4dff19f19ab09a407c9abf8..83d1c0d85191d957282e780cb073a18c6727213c 100755 (executable)
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -74,7 +74,9 @@ class OR:
         self.result = None
 
     # self.opts[0] is the option which this OR-check is about.
-    # Use case: OR(<X_is_hardened>, <X_is_disabled>)
+    # Use case:
+    #     OR(<X_is_hardened>, <X_is_disabled>)
+    #     OR(<X_is_hardened>, <X_is_hardened_old>)
 
     @property
     def name(self):
@@ -103,7 +105,7 @@ class OR:
                 if i == 0:
                     self.result = opt.result
                 else:
-                    self.result = 'CONFIG_{}: {} ("{}")'.format(opt.name, opt.result, opt.expected)
+                    self.result = 'OK: CONFIG_{} "{}"'.format(opt.name, opt.expected)
                 return True, self.result
         self.result = self.opts[0].result
         return False, self.result
@@ -187,7 +189,8 @@ def construct_checklist(arch):
                         modules_not_set))
     checklist.append(OR(OptCheck('MODULE_SIG_SHA512',             'y', 'kspp', 'self_protection'), \
                         modules_not_set))
-    checklist.append(OptCheck('MODULE_SIG_FORCE',                 'y', 'kspp', 'self_protection')) # refers to LOCK_DOWN_KERNEL
+    checklist.append(OR(OptCheck('MODULE_SIG_FORCE',              'y', 'kspp', 'self_protection'), \
+                        modules_not_set)) # refers to LOCK_DOWN_KERNEL
     if debug_mode or arch == 'X86_64' or arch == 'X86_32':
         checklist.append(OptCheck('DEFAULT_MMAP_MIN_ADDR',        '65536', 'kspp', 'self_protection'))
         checklist.append(OptCheck('REFCOUNT_FULL',                'y', 'kspp', 'self_protection'))
@@ -206,8 +209,9 @@ def construct_checklist(arch):
     checklist.append(OptCheck('LOCK_DOWN_KERNEL',                 'y', 'my', 'self_protection')) # remember about LOCK_DOWN_MANDATORY
     checklist.append(OptCheck('SLUB_DEBUG_ON',                    'y', 'my', 'self_protection'))
     checklist.append(OptCheck('SECURITY_DMESG_RESTRICT',          'y', 'my', 'self_protection'))
-    checklist.append(OptCheck('STATIC_USERMODEHELPER',            'y', 'my', 'self_protection')) # breaks systemd?
-    checklist.append(OptCheck('SECURITY_LOADPIN',                 'y', 'my', 'self_protection'))
+    checklist.append(OptCheck('STATIC_USERMODEHELPER',            'y', 'my', 'self_protection')) # needs userspace support (systemd)
+    checklist.append(OptCheck('SECURITY_LOADPIN',                 'y', 'my', 'self_protection')) # needs userspace support
+    checklist.append(OptCheck('RESET_ATTACK_MITIGATION',          'y', 'my', 'self_protection')) # needs userspace support (systemd)
     checklist.append(OptCheck('PAGE_POISONING_NO_SANITY',         'is not set', 'my', 'self_protection'))
     checklist.append(OptCheck('PAGE_POISONING_ZERO',              'is not set', 'my', 'self_protection'))
     checklist.append(OptCheck('SLAB_MERGE_DEFAULT',               'is not set', 'my', 'self_protection')) # slab_nomerge
kconfig-hardened-check