# slub_debug=FZP
# slab_nomerge
# kernel.kptr_restrict=1
-# lockdown=1 (is it changed?)
# page_alloc.shuffle=1
# iommu=force (does it help against DMA attacks?)
# page_poison=1 (if enabled)
class OR(ComplexOptCheck):
- # self.opts[0] is the option which this OR-check is about.
+ # self.opts[0] is the option that this OR-check is about.
# Use case:
# OR(<X_is_hardened>, <X_is_disabled>)
# OR(<X_is_hardened>, <X_is_hardened_old>)
class AND(ComplexOptCheck):
- # self.opts[0] is the option which this AND-check is about.
+ # self.opts[0] is the option that this AND-check is about.
# Use case: AND(<suboption>, <main_option>)
# Suboption is not checked if checking of the main_option is failed.
if arch == 'ARM':
checklist.append(OptCheck('SECURITY', 'y', 'kspp', 'security_policy')) # and choose your favourite LSM
checklist.append(OptCheck('SECURITY_YAMA', 'y', 'kspp', 'security_policy'))
+ checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM', 'y', 'clipos', 'security_policy'))
+ checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY', 'y', 'clipos', 'security_policy'))
+ checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'clipos', 'security_policy'))
loadpin_is_set = OptCheck('SECURITY_LOADPIN', 'y', 'my', 'security_policy') # needs userspace support
checklist.append(loadpin_is_set)
checklist.append(AND(OptCheck('SECURITY_LOADPIN_ENFORCE', 'y', 'my', 'security_policy'), \
loadpin_is_set))
- checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM', 'y', 'my', 'security_policy'))
- checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY', 'y', 'my', 'security_policy'))
- checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'my', 'security_policy'))
checklist.append(OptCheck('SECURITY_SAFESETID', 'y', 'my', 'security_policy'))
checklist.append(OptCheck('SECURITY_WRITABLE_HOOKS', 'is not set', 'my', 'security_policy'))
if arch == 'X86_32':
checklist.append(OptCheck('MODIFY_LDT_SYSCALL', 'is not set', 'my', 'cut_attack_surface'))
+ checklist.append(OptCheck('INTEGRITY', 'y', 'defconfig', 'userspace_hardening'))
if arch == 'ARM64':
checklist.append(OptCheck('ARM64_PTR_AUTH', 'y', 'defconfig', 'userspace_hardening'))
if arch == 'X86_64' or arch == 'ARM64':