# when the tool doesn't check the cmdline.
efi_not_set = KconfigCheck('-', '-', 'EFI', 'is not set')
- cc_is_gcc = KconfigCheck('-', '-', 'CC_IS_GCC', 'y')
- cc_is_clang = KconfigCheck('-', '-', 'CC_IS_CLANG', 'y')
+ cc_is_gcc = KconfigCheck('-', '-', 'CC_IS_GCC', 'y') # exists since v4.18
+ cc_is_clang = KconfigCheck('-', '-', 'CC_IS_CLANG', 'y') # exists since v4.18
modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set')
devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN
# 'self_protection', 'my'
l += [OR(KconfigCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y'),
efi_not_set)] # needs userspace support (systemd)
+ l += [OR(KconfigCheck('self_protection', 'my', 'UBSAN_LOCAL_BOUNDS', 'y'),
+ AND(ubsan_bounds_is_set,
+ cc_is_gcc))]
if arch == 'X86_64':
l += [KconfigCheck('self_protection', 'my', 'SLS', 'y')] # vs CVE-2021-26341 in Straight-Line-Speculation
l += [AND(KconfigCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'),