Update pentoo config link
index b149567fb1317d64eaada195e01e49bfe264c49d..b1dd5eb1e824d9059bde8cb3f2cceea09531e10b 100755 (executable)
 #    kernel.kptr_restrict=1
 #    lockdown=1
 #
-#    spectre_v2=on
-#    pti=on
-#    spec_store_bypass_disable=on
-#    l1tf=full,force
-#
+#    Mitigations of CPU vulnerabilities:
+#       Аrch-independent:
+#           mitigations=auto,nosmt
+#       X86:
+#           spectre_v2=on
+#           pti=on
+#           spec_store_bypass_disable=on
+#           l1tf=full,force
+#           mds=full,nosmt
+#       ARM64:
+#           ? CONFIG_HARDEN_BRANCH_PREDICTOR
+#           kpti=on
+#           ssbd=force-on
 #
 # N.B. Hardening sysctl's:
 #    net.core.bpf_jit_harden
+#    kptr_restrict=2
 
 import sys
 from argparse import ArgumentParser
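Review bot: The new heading `Аrch-independent:` appears to begin with a Cyrillic А (U+0410) rather than a Latin A — invisible to a reader but it defeats `grep -i arch` on the header and looks like an encoding slip; replace it with the ASCII letter, `#       Arch-independent:`. The sysctl added at the end, `kptr_restrict=2`, omits the `kernel.` prefix used for `kernel.kptr_restrict=1` earlier in the same header and recommends a different value; if the stricter setting is intended, writing it as `#    kernel.kptr_restrict=2` and noting that it supersedes the `=1` entry avoids two contradictory recommendations in one file. The `?` before `CONFIG_HARDEN_BRANCH_PREDICTOR` is unexplained and that entry is the only Kconfig option in a list of boot parameters; a short note such as `# (Kconfig option, not a boot parameter; confirm it is still the right knob)` would make the list self-explanatory.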
@@ -322,6 +331,8 @@ def construct_checklist(arch):
     if debug_mode or arch == 'X86_32':
         checklist.append(OptCheck('MODIFY_LDT_SYSCALL', 'is not set', 'my', 'cut_attack_surface'))
 
+    if debug_mode or arch == 'ARM64':
+        checklist.append(OptCheck('ARM64_PTR_AUTH',       'y', 'defconfig', 'userspace_protection'))
     if debug_mode or arch == 'X86_64' or arch == 'ARM64':
         checklist.append(OptCheck('ARCH_MMAP_RND_BITS',   '32', 'my', 'userspace_protection'))
     if debug_mode or arch == 'X86_32' or arch == 'ARM':
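Review bot: The added `if debug_mode or arch == 'ARM64':` block is not separated from the following `if debug_mode or arch == 'X86_64' or arch == 'ARM64':` block by a blank line, unlike the X86_32 block directly above it that ends with one; add the blank line after the `ARM64_PTR_AUTH` check so the per-arch groups stay visually distinct. `ARM64_PTR_AUTH=y` only builds in pointer-authentication support, and whether PAC is actually in effect depends on the CPU implementing the extension (and, for user space, on the binaries being built to use it), so a passing check should not be read as "PAC enabled" — a comment next to the check such as `# build-time support only; needs ARMv8.3-A PAC hardware to take effect` would make that explicit. The `'userspace_protection'` category matches the option's scope as far as can be told from this hunk, but it is worth confirming against the kernel versions the checker targets. construct_checklist continues outside the hunk.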