Clean up the comments

[kconfig-hardened-check.git] / kconfig_hardened_check / __init__.py

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index fae452415afbe96eb8feb2e53a2f8dcb0fcfe027..65d51fb3b27d4a4f698baca84a9d0b69dd0dd453 100644 (file)
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -10,14 +10,6 @@
 # Please don't cry if my Python code looks like C.
 #
 #
-# N.B Missing hardening command line parameters:
-#    iommu=force (does it help against DMA attacks?)
-#
-#    Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE):
-#           kasan=on
-#           kasan.stacktrace=off
-#           kasan.fault=panic
-#
 # N.B. Hardening sysctls:
 #    kernel.kptr_restrict=2 (or 1?)
 #    kernel.dmesg_restrict=1 (also see the kconfig option)
@@ -528,7 +520,7 @@ def add_kconfig_checks(l, arch):
     if arch == 'ARM64':
         l += [KconfigCheck('self_protection', 'kspp', 'ARM64_SW_TTBR0_PAN', 'y')]
         l += [KconfigCheck('self_protection', 'kspp', 'SHADOW_CALL_STACK', 'y')]
-        l += [KconfigCheck('self_protection', 'kspp', 'KASAN_HW_TAGS', 'y')]
+        l += [KconfigCheck('self_protection', 'kspp', 'KASAN_HW_TAGS', 'y')] # see also: kasan=on, kasan.stacktrace=off, kasan.fault=panic
     if arch == 'X86_32':
         l += [KconfigCheck('self_protection', 'kspp', 'PAGE_TABLE_ISOLATION', 'y')]
         l += [KconfigCheck('self_protection', 'kspp', 'HIGHMEM64G', 'y')]
@@ -796,6 +788,8 @@ def add_cmdline_checks(l, arch):
 
     # 'self_protection', 'clipos'
     l += [CmdlineCheck('self_protection', 'clipos', 'page_alloc.shuffle', '1')]
+    if arch in ('X86_64', 'X86_32'):
+        l += [CmdlineCheck('self_protection', 'clipos', 'iommu', 'force')]
 
     # 'cut_attack_surface', 'defconfig'
     if arch in ('X86_64', 'X86_32'):