checklist.append(OptCheck('SLAB_MERGE_DEFAULT', 'is not set', 'clipos', 'self_protection')) # slab_nomerge
checklist.append(AND(OptCheck('GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set', 'clipos', 'self_protection'), \
randstruct_is_set))
+ checklist.append(OptCheck('CONFIG_RANDOM_TRUST_BOOTLOADER', 'is not set', 'clipos', 'self_protection'))
if debug_mode or arch == 'X86_64' or arch == 'X86_32':
checklist.append(OptCheck('RANDOM_TRUST_CPU', 'is not set', 'clipos', 'self_protection'))
checklist.append(AND(OptCheck('INTEL_IOMMU_SVM', 'y', 'clipos', 'self_protection'), \
checklist.append(OptCheck('BPF_SYSCALL', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
checklist.append(OptCheck('MMIOTRACE_TEST', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
+ checklist.append(OptCheck('STAGING', 'is not set', 'clipos', 'cut_attack_surface'))
checklist.append(OptCheck('KSM', 'is not set', 'clipos', 'cut_attack_surface')) # to prevent FLUSH+RELOAD attack
# checklist.append(OptCheck('IKCONFIG', 'is not set', 'clipos', 'cut_attack_surface')) # no, this info is needed for this check :)
checklist.append(OptCheck('KALLSYMS', 'is not set', 'clipos', 'cut_attack_surface'))