class OptCheck:
# Constructor without the 'expected' parameter is for option presence checks (any value is OK)
def __init__(self, reason, decision, name, expected=None):
- assert(reason and decision and name), \
- 'invalid {} check for "{}"'.format(self.__class__.__name__, name)
+ assert(name and name == name.strip() and len(name.split()) == 1), \
+ 'invalid name "{}" for {}'.format(name, self.__class__.__name__)
self.name = name
- self.expected = expected
+
+ assert(decision and decision == decision.strip() and len(decision.split()) == 1), \
+ 'invalid decision "{}" for "{}" check'.format(decision, name)
self.decision = decision
+
+ assert(reason and reason == reason.strip() and len(reason.split()) == 1), \
+ 'invalid reason "{}" for "{}" check'.format(reason, name)
self.reason = reason
+
+ if expected:
+ assert(expected == expected.strip()), \
+ 'invalid expected value "{}" for "{}" check (1)'.format(expected, name)
+ val_len = len(expected.split())
+ if val_len == 3:
+ assert(expected == 'is not set'), \
+ 'invalid expected value "{}" for "{}" check (2)'.format(expected, name)
+ else:
+ assert(val_len == 1), \
+ 'invalid expected value "{}" for "{}" check (3)'.format(expected, name)
+ self.expected = expected
+
self.state = None
self.result = None
# handle the option presence check
if self.expected is None:
if self.state is None:
- self.result = 'FAIL: not present'
+ self.result = 'FAIL: is not present'
else:
self.result = 'OK: is present'
return
self.result = 'OK'
elif self.state is None:
if self.expected == 'is not set':
- self.result = 'OK: not found'
+ self.result = 'OK: is not found'
else:
- self.result = 'FAIL: not found'
+ self.result = 'FAIL: is not found'
else:
self.result = 'FAIL: "' + self.state + '"'
class VersionCheck:
def __init__(self, ver_expected):
+ assert(ver_expected and isinstance(ver_expected, tuple) and len(ver_expected) == 2), \
+ 'invalid version "{}" for VersionCheck'.format(ver_expected)
self.ver_expected = ver_expected
self.ver = ()
self.result = None
# Add more info for additional checks:
if i != 0:
if opt.result == 'OK':
- self.result = 'OK: {} "{}"'.format(opt.name, opt.expected)
- elif opt.result == 'OK: not found':
- self.result = 'OK: {} not found'.format(opt.name)
+ self.result = 'OK: {} is "{}"'.format(opt.name, opt.expected)
+ elif opt.result == 'OK: is not found':
+ self.result = 'OK: {} is not found'.format(opt.name)
elif opt.result == 'OK: is present':
self.result = 'OK: {} is present'.format(opt.name)
else:
# This FAIL is caused by additional checks,
# and not by the main option that this AND-check is about.
# Describe the reason of the FAIL.
- if opt.result.startswith('FAIL: \"') or opt.result == 'FAIL: not found':
- self.result = 'FAIL: {} not "{}"'.format(opt.name, opt.expected)
- elif opt.result == 'FAIL: not present':
- self.result = 'FAIL: {} not present'.format(opt.name)
+ if opt.result.startswith('FAIL: \"') or opt.result == 'FAIL: is not found':
+ self.result = 'FAIL: {} is not "{}"'.format(opt.name, opt.expected)
+ elif opt.result == 'FAIL: is not present':
+ self.result = 'FAIL: {} is not present'.format(opt.name)
else:
# VersionCheck provides enough info
self.result = opt.result
l += [KconfigCheck('self_protection', 'defconfig', 'ARM64_PAN', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'ARM64_EPAN', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'UNMAP_KERNEL_AT_EL0', 'y')]
+ l += [KconfigCheck('self_protection', 'defconfig', 'ARM64_E0PD', 'y')]
l += [OR(KconfigCheck('self_protection', 'defconfig', 'HARDEN_EL2_VECTORS', 'y'),
AND(KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_BASE', 'y'),
VersionCheck((5, 9))))] # HARDEN_EL2_VECTORS was included in RANDOMIZE_BASE in v5.9
l += [KconfigCheck('self_protection', 'kspp', 'ZERO_CALL_USED_REGS', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'HW_RANDOM_TPM', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support
+ l += [KconfigCheck('self_protection', 'kspp', 'SCHED_CORE', 'y')]
randstruct_is_set = OR(KconfigCheck('self_protection', 'kspp', 'RANDSTRUCT_FULL', 'y'),
KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y'))
l += [randstruct_is_set]
l += [AND(KconfigCheck('self_protection', 'kspp', 'CFI_PERMISSIVE', 'is not set'),
cfi_clang_is_set)]
if arch in ('X86_64', 'X86_32'):
- l += [KconfigCheck('self_protection', 'kspp', 'SCHED_CORE', 'y')]
l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '65536')]
l += [AND(KconfigCheck('self_protection', 'kspp', 'INTEL_IOMMU_DEFAULT_ON', 'y'),
iommu_support_is_set)]
projects / kconfig-hardened-check.git / blobdiff