Add defconfigs for Linux v6.1

[kconfig-hardened-check.git] / kconfig_hardened_check / __init__.py

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index 8130dd4027a89fb27bddd463ac374f329a3bfb3d..797e3e08cf824b309d7da9890b7808c36d9fa482 100644 (file)
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -10,14 +10,9 @@
 # Please don't cry if my Python code looks like C.
 #
 #
-# N.B Hardening command line parameters:
+# N.B Missing hardening command line parameters:
 #    iommu=force (does it help against DMA attacks?)
 #
-#    Mitigations of CPU vulnerabilities:
-#       Аrch-independent:
-#       X86:
-#           l1d_flush=on (a part of the l1tf option)
-#
 #    Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE):
 #           kasan=on
 #           kasan.stacktrace=off
@@ -45,6 +40,7 @@
 #    fs.suid_dumpable=0
 #    kernel.modules_disabled=1
 #    kernel.randomize_va_space = 2
+#    nosmt sysfs control file
 
 
 # pylint: disable=missing-module-docstring,missing-class-docstring,missing-function-docstring
@@ -642,9 +638,6 @@ def add_kconfig_checks(l, arch):
     l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD', 'is not set')] # recommended by Denis Efremov in /pull/54
     l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD_RAWCMD', 'is not set')] # recommended by Denis Efremov in /pull/62
 
-    # 'cut_attack_surface', 'grapheneos'
-    l += [KconfigCheck('cut_attack_surface', 'grapheneos', 'AIO', 'is not set')]
-
     # 'cut_attack_surface', 'clipos'
     l += [KconfigCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'clipos', 'KSM', 'is not set')] # to prevent FLUSH+RELOAD attack