# iommu.passthrough=0
# iommu.strict=1
# slub_debug=FZ (slow)
-# init_on_free=1 (since v5.3, otherwise slub_debug=P and page_poison=1)
+# slub_debug=P
# loadpin.enforce=1
# debugfs=no-mount (or off if possible)
#
l += [OR(KconfigCheck('self_protection', 'kspp', 'INIT_STACK_ALL_ZERO', 'y'),
KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STRUCTLEAK_BYREF_ALL', 'y'))]
l += [OR(KconfigCheck('self_protection', 'kspp', 'INIT_ON_FREE_DEFAULT_ON', 'y'),
- KconfigCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'))]
+ AND(KconfigCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'),
+ CmdlineCheck('self_protection', 'kspp', 'page_poison', '1')))]
# CONFIG_INIT_ON_FREE_DEFAULT_ON was added in v5.3.
# CONFIG_PAGE_POISONING_ZERO was removed in v5.11.
# Starting from v5.11 CONFIG_PAGE_POISONING unconditionally checks
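Review bot: The fallback branch added here passes on `PAGE_POISONING_ZERO=y` plus `page_poison=1` alone, although the comment line this commit removes described the pre-v5.3 substitute for init_on_free as `slub_debug=P` and `page_poison=1` together. Page poisoning covers only the page allocator, so an older kernel booted without slab poisoning would be reported as OK while freed slab objects are left unwiped. Consider requiring it in the same AND, e.g. `CmdlineCheck('self_protection', 'kspp', 'slub_debug', 'P')` (assuming AND() accepts a third operand), or add a comment stating that slab poisoning is deliberately checked elsewhere. The surrounding function starts and ends outside the hunk, so how a CmdlineCheck in this list behaves when no cmdline is supplied should be confirmed as well.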
l += [OR(CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', '1'),
AND(KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y'),
CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', 'is not set')))]
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'init_on_free', '1'),
+ AND(KconfigCheck('self_protection', 'kspp', 'INIT_ON_FREE_DEFAULT_ON', 'y'),
+ CmdlineCheck('self_protection', 'kspp', 'init_on_free', 'is not set')))]
l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_nomerge'),
AND(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'),
CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set')))] # option presence check
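Review bot: The added init_on_free check has no branch for kernels older than v5.3, where neither the `init_on_free` parameter nor `INIT_ON_FREE_DEFAULT_ON` exists. It therefore fails on a configuration that the Kconfig-side check changed in this same commit accepts through `PAGE_POISONING_ZERO=y` and `page_poison=1`, and the report contradicts itself for one kernel. A third alternative such as `AND(CmdlineCheck('self_protection', 'kspp', 'page_poison', '1'), KconfigCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'))` would keep the two checks in step, assuming OR() takes more than two operands. A one-line comment above the check, e.g. `# init_on_free and CONFIG_INIT_ON_FREE_DEFAULT_ON exist since v5.3`, would record why the extra branch is there.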