# when the tool doesn't check the cmdline.
efi_not_set = KconfigCheck('-', '-', 'EFI', 'is not set')
- cc_is_gcc = KconfigCheck('-', '-', 'CC_IS_GCC', 'y')
- cc_is_clang = KconfigCheck('-', '-', 'CC_IS_CLANG', 'y')
+ cc_is_gcc = KconfigCheck('-', '-', 'CC_IS_GCC', 'y') # exists since v4.18
+ cc_is_clang = KconfigCheck('-', '-', 'CC_IS_CLANG', 'y') # exists since v4.18
modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set')
devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN
CmdlineCheck('self_protection', 'kspp', 'hardened_usercopy', 'is not set')))]
l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', '0'),
AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'),
- CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', 'is not set')))] # ... the end
+ CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', 'is not set')))]
+ if arch in ('X86_64', 'X86_32'):
+ l += [AND(CmdlineCheck('self_protection', 'kspp', 'pti', 'on'),
+ CmdlineCheck('self_protection', 'kspp', 'nopti', 'is not set'))] # ... the end
if arch in ('X86_64', 'ARM64', 'X86_32'):
l += [OR(CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', '1'),
AND(KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y'),
CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', 'is not set')))]
- if arch in ('X86_64', 'X86_32'):
- l += [CmdlineCheck('self_protection', 'kspp', 'pti', 'on')]
# 'self_protection', 'clipos'
l += [CmdlineCheck('self_protection', 'clipos', 'page_alloc.shuffle', '1')]
projects / kconfig-hardened-check.git / blobdiff