X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;ds=sidebyside;f=kconfig_hardened_check%2F__init__.py;h=fbbc3aa8e4bffa69adbfeb15c85cf14f5e2c5c25;hb=9178899d93602e9fe32a504170c11804acdf2148;hp=f2e2fe020c906b48abdd32536f6906471cb5b31b;hpb=cb779a71bf57d95b4548fd88494e6f3c803a394d;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index f2e2fe0..fbbc3aa 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -10,16 +10,9 @@ # Please don't cry if my Python code looks like C. # # -# N.B Hardening command line parameters: +# N.B Missing hardening command line parameters: # iommu=force (does it help against DMA attacks?) # -# Mitigations of CPU vulnerabilities: -# Аrch-independent: -# X86: -# l1d_flush=on (a part of the l1tf option) -# ARM64: -# kpti=on -# # Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE): # kasan=on # kasan.stacktrace=off @@ -723,6 +716,7 @@ def add_cmdline_checks(l, arch): l += [CmdlineCheck('self_protection', 'defconfig', 'nopti', 'is not set')] l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_v1', 'is not set')] l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_v2', 'is not set')] + l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_bhb', 'is not set')] l += [CmdlineCheck('self_protection', 'defconfig', 'nospec_store_bypass_disable', 'is not set')] l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nobti', 'is not set')] l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nopauth', 'is not set')] @@ -747,6 +741,8 @@ def add_cmdline_checks(l, arch): CmdlineCheck('self_protection', 'defconfig', 'mmio_stale_data', 'is not set'))] l += [OR(CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not off'), CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not set'))] + l += [OR(CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not off'), + CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not set'))] if arch == 'ARM64': l += [OR(CmdlineCheck('self_protection', 'defconfig', 'ssbd', 'kernel'), CmdlineCheck('self_protection', 'my', 'ssbd', 'force-on'),