Add X86-specific CLIP OS recommendations for kernel self-protection

[kconfig-hardened-check.git] / kconfig-hardened-check.py

diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index bee295394088cf892d9371694a2b031d05958903..962e1202b71b028344a9ce07c8589e0c11f80c07 100755 (executable)
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -243,6 +243,18 @@ def construct_checklist(arch):
     checklist.append(OptCheck('DEBUG_VIRTUAL',                    'y', 'clipos', 'self_protection'))
     checklist.append(AND(OptCheck('GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set', 'clipos', 'self_protection'), \
                          randstruct_is_set))
+    if debug_mode or arch == 'X86_64' or arch == 'X86_32':
+        checklist.append(OptCheck('RANDOM_TRUST_CPU',             'is not set', 'clipos', 'self_protection'))
+        checklist.append(OptCheck('MICROCODE',                    'y', 'clipos', 'self_protection')) # is needed for mitigating CPU bugs
+        checklist.append(OptCheck('X86_MSR',                      'y', 'clipos', 'self_protection')) # is needed for mitigating CPU bugs
+        iommu_support_is_set = OptCheck('IOMMU_SUPPORT',          'y', 'clipos', 'self_protection') # is needed for mitigating DMA attacks
+        checklist.append(iommu_support_is_set)
+        checklist.append(AND(OptCheck('INTEL_IOMMU',              'y', 'clipos', 'self_protection'), \
+                             iommu_support_is_set))
+        checklist.append(AND(OptCheck('INTEL_IOMMU_SVM',          'y', 'clipos', 'self_protection'), \
+                             iommu_support_is_set))
+        checklist.append(AND(OptCheck('INTEL_IOMMU_DEFAULT_ON',   'y', 'clipos', 'self_protection'), \
+                             iommu_support_is_set))
 
     if debug_mode or arch == 'X86_64' or arch == 'ARM64' or arch == 'X86_32':
         stackleak_is_set = OptCheck('GCC_PLUGIN_STACKLEAK',       'y', 'my', 'self_protection')