# pti=on
# spec_store_bypass_disable=on
# l1tf=full,force
+# l1d_flush=on (a part of the l1tf option)
# mds=full,nosmt
# tsx=off
-# l1d_flush=on
# ARM64:
# kpti=on
# ssbd=force-on
# 'self_protection', 'my'
l += [KconfigCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y')] # needs userspace support (systemd)
if arch == 'X86_64':
+ l += [KconfigCheck('self_protection', 'my', 'SLS', 'y')] # vs CVE-2021-26341 in Straight-Line-Speculation
l += [AND(KconfigCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'),
iommu_support_is_set)]
if arch == 'ARM64':
loadpin_is_set)]
# 'cut_attack_surface', 'defconfig'
+ l += [KconfigCheck('cut_attack_surface', 'defconfig', 'BPF_UNPRIV_DEFAULT_OFF', 'y')] # see unprivileged_bpf_disabled
l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP', 'y')]
l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP_FILTER', 'y')]
if arch in ('X86_64', 'ARM64', 'X86_32'):
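Review bot: The `BPF_UNPRIV_DEFAULT_OFF` check added in this hunk only pins the build-time default of the `unprivileged_bpf_disabled` sysctl, so a system can still re-enable unprivileged BPF at runtime (sysctl value 0) unless the sysctl is set to the locked value 2 — the Kconfig check is necessary but not sufficient for the 'cut_attack_surface' goal it is filed under. The trailing `# see unprivileged_bpf_disabled` hints at this without saying it; I would spell it out: `# only sets the default of the unprivileged_bpf_disabled sysctl; runtime value 2 is needed to lock it`. If the checker ever gains a runtime/sysctl data type, this is the option that should be paired with such a check.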
known_options = []
for o1 in checklist:
- if not hasattr(o1, 'opts'):
+ if o1.type != 'complex':
known_options.append(o1.name)
continue
for o2 in o1.opts:
- if not hasattr(o2, 'opts'):
+ if o2.type != 'complex':
if hasattr(o2, 'name'):
known_options.append(o2.name)
continue
for o3 in o2.opts:
- if hasattr(o3, 'opts'):
+ if o3.type == 'complex':
sys.exit('[!] ERROR: unexpected ComplexOptCheck inside {}'.format(o2.name))
if hasattr(o3, 'name'):
known_options.append(o3.name)
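Review bot: The new `if o1.type != 'complex':` branch appends `o1.name` unguarded, while the matching `o2` branch below it still tests `hasattr(o2, 'name')` first; if a top-level simple check without a `name` (presumably the same case that guard exists for) is ever added, this loop now raises AttributeError instead of skipping it. Either make the branches symmetric, `if hasattr(o1, 'name'): known_options.append(o1.name)`, or record the invariant with a comment such as `# top-level simple checks are always named KconfigChecks`. The switch from `hasattr(..., 'opts')` to `.type` also assumes every check object carries a `type` attribute, which is worth a one-line comment at the first use since a check missing it now fails the same way.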
def populate_simple_opt_with_data(opt, data, data_type):
- if hasattr(opt, 'opts'):
+ if opt.type == 'complex':
sys.exit('[!] ERROR: unexpected ComplexOptCheck {}: {}'.format(opt.name, vars(opt)))
if data_type not in TYPES_OF_CHECKS:
sys.exit('[!] ERROR: invalid data type "{}"'.format(data_type))
+
if data_type != opt.type:
return
+
if data_type == 'kconfig':
opt.state = data.get(opt.name, None)
elif data_type == 'version':
def populate_opt_with_data(opt, data, data_type):
- if hasattr(opt, 'opts'):
+ if opt.type == 'complex':
for o in opt.opts:
- if hasattr(o, 'opts'):
+ if o.type == 'complex':
# Recursion for nested ComplexOptCheck objects
populate_opt_with_data(o, data, data_type)
else:
populate_simple_opt_with_data(o, data, data_type)
else:
- # The 'state' is mandatory for simple checks
- if not hasattr(opt, 'state'):
- sys.exit('[!] ERROR: bad simple check {}'.format(vars(opt)))
+ if opt.type != 'kconfig':
+ sys.exit('[!] ERROR: bad type "{}" for a simple check {}'.format(opt.type, opt.name))
populate_simple_opt_with_data(opt, data, data_type)
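Review bot: The replacement guard `if opt.type != 'kconfig':` is stricter than the `hasattr(opt, 'state')` check it removes: it aborts on any top-level simple check that is not a KconfigCheck, even though `populate_simple_opt_with_data` itself already dispatches on `data_type == 'version'`, so a top-level VersionCheck would now exit where the old code populated it. If restricting the top level to kconfig checks is intentional, say so next to the guard, e.g. `# only KconfigChecks may appear at the top level; other types live inside AND/OR`; otherwise the condition should admit the same types the simple populator handles. The function appears to end at this line, but if the hunk continues past what is shown, the remaining lines were not reviewed.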