Improve AND check reports

[kconfig-hardened-check.git] / kconfig_hardened_check / __init__.py

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index f03efcb12eeb7072f3ea310dbecdb2d254991623..f82c07c45f3aa5f72e0d45dbdc7cfacfdbaf132e 100644 (file)
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -225,9 +225,11 @@ class AND(ComplexOptCheck):
             if not ret:
                 # This FAIL is caused by additional checks,
                 # and not by the main option that this AND-check is about.
-                if opt.result.startswith('FAIL: \"'):
-                    # Describe the reason of the FAIL.
+                # Describe the reason of the FAIL.
+                if opt.result.startswith('FAIL: \"') or opt.result == 'FAIL: not found':
                     self.result = 'FAIL: CONFIG_{} not "{}"'.format(opt.name, opt.expected)
+                elif opt.result == 'FAIL: not present':
+                    self.result = 'FAIL: CONFIG_{} not present'.format(opt.name)
                 else:
                     # This FAIL message is self-explaining.
                     self.result = opt.result
@@ -305,7 +307,9 @@ def construct_checklist(l, arch):
     if arch == 'ARM64':
         l += [OptCheck('self_protection', 'defconfig', 'ARM64_PAN', 'y')]
         l += [OptCheck('self_protection', 'defconfig', 'UNMAP_KERNEL_AT_EL0', 'y')]
-        l += [OptCheck('self_protection', 'defconfig', 'HARDEN_EL2_VECTORS', 'y')]
+        l += [OR(OptCheck('self_protection', 'defconfig', 'HARDEN_EL2_VECTORS', 'y'),
+                 AND(OptCheck('self_protection', 'defconfig', 'RANDOMIZE_BASE', 'y'),
+                     VerCheck((5, 9))))] # HARDEN_EL2_VECTORS was included in RANDOMIZE_BASE in v5.9
         l += [OptCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y')]
         l += [OptCheck('self_protection', 'defconfig', 'ARM64_PTR_AUTH', 'y')]
     if arch in ('X86_64', 'ARM64'):