Add the comment that l1d_flush is a part of the l1tf option

[kconfig-hardened-check.git] / kconfig_hardened_check / __init__.py

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index ef7f2769bf1f00d561dbc260d862efba279369f9..2b5fe1e68d7bd5b2fa6d58b95e7c26be90a6ac1d 100644 (file)
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -29,9 +29,9 @@
 #           pti=on
 #           spec_store_bypass_disable=on
 #           l1tf=full,force
+#           l1d_flush=on (a part of the l1tf option)
 #           mds=full,nosmt
 #           tsx=off
-#           l1d_flush=on
 #       ARM64:
 #           kpti=on
 #           ssbd=force-on
@@ -607,6 +607,7 @@ def add_kconfig_checks(l, arch):
     # 'cut_attack_surface', 'my'
     l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'),
              modules_not_set)]
+    l += [KconfigCheck('cut_attack_surface', 'my', 'BPF_UNPRIV_DEFAULT_OFF', 'y')] # see kernel.unprivileged_bpf_disabled
     l += [KconfigCheck('cut_attack_surface', 'my', 'MMIOTRACE', 'is not set')] # refers to LOCKDOWN (permissive)
     l += [KconfigCheck('cut_attack_surface', 'my', 'LIVEPATCH', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'my', 'IP_DCCP', 'is not set')]