# fs.protected_regular=2
# fs.suid_dumpable=0
# kernel.modules_disabled=1
-# kernel.randomize_va_space = 2
+# kernel.randomize_va_space=2
# nosmt sysfs control file
+# dev.tty.legacy_tiocsti=0
#
# Think of these boot params:
# module.sig_enforce=1
# efi=disable_early_pci_dma
# pylint: disable=missing-function-docstring,line-too-long,invalid-name
-# pylint: disable=too-many-branches,too-many-statements,too-many-return-statements
+# pylint: disable=too-many-branches,too-many-statements
from .engine import KconfigCheck, CmdlineCheck, VersionCheck, OR, AND
l += [KconfigCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')]
l += [KconfigCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_HISTORY', 'y')]
+ l += [KconfigCheck('self_protection', 'defconfig', 'DEBUG_ALIGN_RODATA', 'y')]
# 'self_protection', 'kspp'
l += [KconfigCheck('self_protection', 'kspp', 'BUG_ON_DATA_CORRUPTION', 'y')]
l += [bpf_syscall_not_set] # refers to LOCKDOWN
# 'cut_attack_surface', 'my'
+ l += [KconfigCheck('cut_attack_surface', 'my', 'LEGACY_TIOCSTI', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'MMIOTRACE', 'is not set')] # refers to LOCKDOWN (permissive)
l += [KconfigCheck('cut_attack_surface', 'my', 'LIVEPATCH', 'is not set')]
l += [KconfigCheck('cut_attack_surface', 'my', 'IP_DCCP', 'is not set')]
modules_not_set)]
# 'harden_userspace'
- if arch in ('X86_64', 'ARM64', 'X86_32'):
- l += [KconfigCheck('harden_userspace', 'defconfig', 'INTEGRITY', 'y')]
- if arch == 'ARM':
- l += [KconfigCheck('harden_userspace', 'my', 'INTEGRITY', 'y')]
if arch == 'ARM64':
l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_PTR_AUTH', 'y')]
l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_BTI', 'y')]
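Review bot: The new `LEGACY_TIOCSTI` check under `# 'cut_attack_surface', 'my'` is evaluated on every kernel, but the Kconfig symbol only exists from Linux 6.2 onward; on older kernels the symbol is absent, and if the engine scores a missing symbol as satisfying `is not set` (as the neighbouring `is not set` checks presumably rely on), the report would show OK for exactly the kernels where TIOCSTI is compiled in unconditionally. Gating the check on the kernel version would avoid that false pass, e.g. `l += [AND(KconfigCheck('cut_attack_surface', 'my', 'LEGACY_TIOCSTI', 'is not set'), VersionCheck((6, 2)))]`, assuming `VersionCheck` from `.engine` accepts a (major, minor) tuple as the other version-gated checks in this file do. The added `DEBUG_ALIGN_RODATA` check at the top of the hunk sits inside an `if arch` branch whose header is outside the hunk, so which architectures it applies to cannot be confirmed from here. The enclosing function starts before and ends after this hunk.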
l += [CmdlineCheck('cut_attack_surface', 'my', 'sysrq_always_enabled', 'is not set')]
+no_kstrtobool_options = [
+ 'debugfs', # See debugfs_kernel() in fs/debugfs/inode.c
+ 'mitigations', # See mitigations_parse_cmdline() in kernel/cpu.c
+ 'pti', # See pti_check_boottime_disable() in arch/x86/mm/pti.c
+ 'spectre_v2', # See spectre_v2_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
+ 'spectre_v2_user', # See spectre_v2_parse_user_cmdline() in arch/x86/kernel/cpu/bugs.c
+ 'spec_store_bypass_disable', # See ssb_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
+ 'l1tf', # See l1tf_cmdline() in arch/x86/kernel/cpu/bugs.c
+ 'mds', # See mds_cmdline() in arch/x86/kernel/cpu/bugs.c
+ 'tsx_async_abort', # See tsx_async_abort_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
+ 'srbds', # See srbds_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
+ 'mmio_stale_data', # See mmio_stale_data_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
+ 'retbleed', # See retbleed_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
+ 'tsx' # See tsx_init() in arch/x86/kernel/cpu/tsx.c
+]
+
+
def normalize_cmdline_options(option, value):
# Don't normalize the cmdline option values if
# the Linux kernel doesn't use kstrtobool() for them
- if option == 'debugfs':
- # See debugfs_kernel() in fs/debugfs/inode.c
- return value
- if option == 'mitigations':
- # See mitigations_parse_cmdline() in kernel/cpu.c
- return value
- if option == 'pti':
- # See pti_check_boottime_disable() in arch/x86/mm/pti.c
- return value
- if option == 'spectre_v2':
- # See spectre_v2_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
- return value
- if option == 'spectre_v2_user':
- # See spectre_v2_parse_user_cmdline() in arch/x86/kernel/cpu/bugs.c
- return value
- if option == 'spec_store_bypass_disable':
- # See ssb_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
- return value
- if option == 'l1tf':
- # See l1tf_cmdline() in arch/x86/kernel/cpu/bugs.c
- return value
- if option == 'mds':
- # See mds_cmdline() in arch/x86/kernel/cpu/bugs.c
- return value
- if option == 'tsx_async_abort':
- # See tsx_async_abort_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
- return value
- if option == 'srbds':
- # See srbds_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
- return value
- if option == 'mmio_stale_data':
- # See mmio_stale_data_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
- return value
- if option == 'retbleed':
- # See retbleed_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
- return value
- if option == 'tsx':
- # See tsx_init() in arch/x86/kernel/cpu/tsx.c
+ if option in no_kstrtobool_options:
return value
# Implement a limited part of the kstrtobool() logic