#
# Mitigations of CPU vulnerabilities:
# Аrch-independent:
-# mitigations=auto,nosmt (nosmt is slow)
# X86:
# spec_store_bypass_disable=on
# l1tf=full,force
'invalid expected value "{}" for "{}" check (1)'.format(expected, name)
val_len = len(expected.split())
if val_len == 3:
- assert(expected == 'is not set'), \
+ assert(expected == 'is not set' or expected == 'is not off'), \
'invalid expected value "{}" for "{}" check (2)'.format(expected, name)
else:
assert(val_len == 1), \
self.result = 'OK: is present'
return
+ # handle the 'is not off' option check
+ if self.expected == 'is not off':
+ if self.state == 'off':
+ self.result = 'FAIL: is off'
+ elif self.state is None:
+ self.result = 'FAIL: is off, not found'
+ else:
+ self.result = 'OK: is not off, "' + self.state + '"'
+ return
+
# handle the option value check
if self.expected == self.state:
self.result = 'OK'
self.result = 'OK: {} is not found'.format(opt.name)
elif opt.result == 'OK: is present':
self.result = 'OK: {} is present'.format(opt.name)
+ elif opt.result.startswith('OK: is not off'):
+ self.result = 'OK: {} is not off'.format(opt.name)
else:
# VersionCheck provides enough info
assert(opt.result.startswith('OK: version')), \
self.result = 'FAIL: {} is not "{}"'.format(opt.name, opt.expected)
elif opt.result == 'FAIL: is not present':
self.result = 'FAIL: {} is not present'.format(opt.name)
+ elif opt.result == 'FAIL: is off':
+ self.result = 'FAIL: {} is off'.format(opt.name)
+ elif opt.result == 'FAIL: is off, not found':
+ self.result = 'FAIL: {} is off, not found'.format(opt.name)
else:
# VersionCheck provides enough info
self.result = opt.result
l += [CmdlineCheck('self_protection', 'defconfig', 'nopti', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_v1', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_v2', 'is not set')]
+ l += [OR(CmdlineCheck('self_protection', 'defconfig', 'mitigations', 'is not off'),
+ CmdlineCheck('self_protection', 'defconfig', 'mitigations', 'is not set'))]
if arch == 'ARM64':
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'rodata', 'full'),
AND(KconfigCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y'),
CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set'))]
# 'self_protection', 'kspp'
+ l += [CmdlineCheck('self_protection', 'kspp', 'nosmt')] # option presence check
l += [OR(CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', '1'),
AND(KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y'),
CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', 'is not set')))]
if option == 'debugfs':
# See debugfs_kernel() in fs/debugfs/inode.c
return value
+ if option == 'mitigations':
+ # See mitigations_parse_cmdline() in linux/kernel/cpu.c
+ return value
# Implement a limited part of the kstrtobool() logic
if value in ('1', 'on', 'On', 'ON', 'y', 'Y', 'yes', 'Yes', 'YES'):
projects / kconfig-hardened-check.git / blobdiff