# N.B Hardening command line parameters:
# iommu=force (does it help against DMA attacks?)
#
-# Mitigations of CPU vulnerabilities:
-# Аrch-independent:
-# X86:
-# l1d_flush=on (a part of the l1tf option)
-# tsx=off
-# ARM64:
-# kpti=on
+# The list of disabled mitigations of CPU vulnerabilities:
+# mitigations=off
+# pti=off
+# spectre_v2=off
+# spectre_v2_user=off
+# spec_store_bypass_disable=off
+# l1tf=off
+# mds=off
+# tsx_async_abort=off
+# srbds=off
+# mmio_stale_data=off
+# retbleed=off
+# nopti
+# nokaslr
+# nospectre_v1
+# nospectre_v2
+# nospectre_bhb
+# nospec_store_bypass_disable
+# kpti=0
+# ssbd=force-off
+# nosmt (enabled)
#
# Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE):
# kasan=on
if self.expected == 'is not off':
if self.state == 'off':
self.result = 'FAIL: is off'
+ if self.state == '0':
+ self.result = 'FAIL: is off, "0"'
elif self.state is None:
self.result = 'FAIL: is off, not found'
else:
self.result = 'FAIL: {} is not "{}"'.format(opt.name, opt.expected)
elif opt.result == 'FAIL: is not present':
self.result = 'FAIL: {} is not present'.format(opt.name)
- elif opt.result == 'FAIL: is off':
+ elif opt.result == 'FAIL: is off' or opt.result == 'FAIL: is off, "0"':
self.result = 'FAIL: {} is off'.format(opt.name)
elif opt.result == 'FAIL: is off, not found':
self.result = 'FAIL: {} is off, not found'.format(opt.name)
l += [CmdlineCheck('self_protection', 'defconfig', 'nopti', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_v1', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_v2', 'is not set')]
+ l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_bhb', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'nospec_store_bypass_disable', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nobti', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nopauth', 'is not set')]
CmdlineCheck('self_protection', 'defconfig', 'mmio_stale_data', 'is not set'))]
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not off'),
CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not set'))]
+ l += [OR(CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not off'),
+ CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not set'))]
if arch == 'ARM64':
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'ssbd', 'kernel'),
CmdlineCheck('self_protection', 'my', 'ssbd', 'force-on'),
# 'self_protection', 'clipos'
l += [CmdlineCheck('self_protection', 'clipos', 'page_alloc.shuffle', '1')]
+ # 'cut_attack_surface', 'defconfig'
+ if arch in ('X86_64', 'X86_32'):
+ l += [OR(CmdlineCheck('cut_attack_surface', 'defconfig', 'tsx', 'off'),
+ AND(KconfigCheck('cut_attack_surface', 'defconfig', 'X86_INTEL_TSX_MODE_OFF', 'y'),
+ CmdlineCheck('cut_attack_surface', 'defconfig', 'tsx', 'is not set')))]
+
# 'cut_attack_surface', 'kspp'
if arch == 'X86_64':
l += [OR(CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'none'),
if option == 'retbleed':
# See retbleed_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
return value
+ if option == 'tsx':
+ # See tsx_init() in arch/x86/kernel/cpu/tsx.c
+ return value
# Implement a limited part of the kstrtobool() logic
if value in ('1', 'on', 'On', 'ON', 'y', 'Y', 'yes', 'Yes', 'YES'):
projects / kconfig-hardened-check.git / blobdiff