Update KSPP recommendations

[kconfig-hardened-check.git] / kconfig_hardened_check / __init__.py

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index b35f10d67f7cf4601df93b262dba5423460408d9..b8bfa1568b8f625d7a94e90e765556e996a0cb02 100644 (file)
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -322,7 +322,10 @@ def construct_checklist(l, arch):
     if arch == 'ARM':
         l += [OptCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')]
         l += [OptCheck('self_protection', 'defconfig', 'STACKPROTECTOR_PER_TASK', 'y')]
-    if arch in ('ARM64', 'ARM'):
+    if arch == 'ARM64':
+        l += [OR(OptCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y'),
+             VerCheck((5, 10)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10
+    if arch == 'ARM':
         l += [OptCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')]
 
     # 'self_protection', 'kspp'
@@ -526,6 +529,8 @@ def construct_checklist(l, arch):
         l += [OptCheck('userspace_hardening', 'defconfig', 'INTEGRITY', 'y')]
     if arch == 'ARM':
         l += [OptCheck('userspace_hardening', 'my', 'INTEGRITY', 'y')]
+    if arch == 'ARM64':
+        l += [OptCheck('userspace_hardening', 'defconfig', 'ARM64_MTE', 'y')]
     if arch in ('ARM', 'X86_32'):
         l += [OptCheck('userspace_hardening', 'defconfig', 'VMSPLIT_3G', 'y')]
     if arch in ('X86_64', 'ARM64'):