# N.B Hardening command line parameters:
# iommu=force (does it help against DMA attacks?)
#
-# Mitigations of CPU vulnerabilities:
-# Аrch-independent:
-# X86:
-# l1d_flush=on (a part of the l1tf option)
-# ARM64:
-# kpti=on
+# The list of disabled mitigations of CPU vulnerabilities:
+# mitigations=off
+# pti=off
+# spectre_v2=off
+# spectre_v2_user=off
+# spec_store_bypass_disable=off
+# l1tf=off
+# mds=off
+# tsx_async_abort=off
+# srbds=off
+# mmio_stale_data=off
+# retbleed=off
+# nopti
+# nokaslr
+# nospectre_v1
+# nospectre_v2
+# nospectre_bhb
+# nospec_store_bypass_disable
+# kpti=0
+# ssbd=force-off
+# nosmt (enabled)
#
# Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE):
# kasan=on
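Review bot: The new heading "The list of disabled mitigations of CPU vulnerabilities" does not say whether these parameters are already checked by the tool or are a to-do list, so a reader cannot tell from the comment which ones are covered. Two entries also do not fit the heading: `nokaslr` is not a CPU-vulnerability mitigation switch, and `nosmt (enabled)` is itself a mitigation carrying an unexplained status tag. I would reword the heading to something like `# Parameters that disable CPU vulnerability mitigations (should not be set):` and give `nosmt` its own line stating what "(enabled)" means.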
if self.expected == 'is not off':
if self.state == 'off':
self.result = 'FAIL: is off'
+ if self.state == '0':
+ self.result = 'FAIL: is off, "0"'
elif self.state is None:
self.result = 'FAIL: is off, not found'
else:
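Review bot: The added test for '0' begins with `if` rather than `elif`, which splits the chain in two. For `self.state == 'off'` the first branch sets 'FAIL: is off', then the new `if`/`elif`/`else` is evaluated as well and falls through to the `else:` on the hunk's last line. That branch's body is outside the hunk, but if it records a pass, a mitigation explicitly set to `off` on the command line would be reported as OK, which is exactly the case this check exists to catch. Changing the added line to `elif self.state == '0':` keeps it a single chain. Indentation is lost in this rendering, so confirm against the file.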
self.result = 'FAIL: {} is not "{}"'.format(opt.name, opt.expected)
elif opt.result == 'FAIL: is not present':
self.result = 'FAIL: {} is not present'.format(opt.name)
- elif opt.result == 'FAIL: is off':
+ elif opt.result == 'FAIL: is off' or opt.result == 'FAIL: is off, "0"':
self.result = 'FAIL: {} is off'.format(opt.name)
elif opt.result == 'FAIL: is off, not found':
self.result = 'FAIL: {} is off, not found'.format(opt.name)
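Review bot: The added `elif` matches result strings literally, so the new 'FAIL: is off, "0"' text must now stay byte-identical here and where the check produces it. A later wording change in either place would silently send this case to a different branch of the chain. A membership test reads better and keeps the accepted spellings together: `elif opt.result in ('FAIL: is off', 'FAIL: is off, "0"'):`. The enclosing method starts and ends outside the hunk.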
l += [CmdlineCheck('self_protection', 'defconfig', 'nopti', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_v1', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_v2', 'is not set')]
+ l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_bhb', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'nospec_store_bypass_disable', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nobti', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nopauth', 'is not set')]
CmdlineCheck('self_protection', 'defconfig', 'mmio_stale_data', 'is not set'))]
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not off'),
CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not set'))]
+ l += [OR(CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not off'),
+ CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not set'))]
if arch == 'ARM64':
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'ssbd', 'kernel'),
CmdlineCheck('self_protection', 'my', 'ssbd', 'force-on'),
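Review bot: The `kpti` check added here relies on 'is not off', which on this page rejects only the literal values 'off' and '0'. As far as I know the arm64 kernel parses `kpti=` as a boolean, so other false spellings such as `kpti=n` or `kpti=no` would also disable the mitigation and still pass this check. Consider normalising boolean-style values before the comparison. At minimum, document the limit next to the check, for example `# NOTE: only 'off' and '0' are recognised as disabling values`. The function that builds this list starts and ends outside the hunk.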