X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig-hardened-check.py;h=5df4997224b55737424f0da9536e77964cce63bd;hb=refs%2Ftags%2Fv0.5.5;hp=b24918a0b067eae7ae4bc3b1082b6944858e9f4d;hpb=c513c49e4fd866cc85ce5aa42a59f30d103f6388;p=kconfig-hardened-check.git
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index b24918a..5df4997 100755
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -29,6 +29,7 @@
 # spec_store_bypass_disable=on
 # l1tf=full,force
 # mds=full,nosmt
+# tsx=off
 # ARM64:
 # kpti=on
 # ssbd=force-on
@@ -419,6 +420,8 @@ def construct_checklist(checklist, arch):
 checklist.append(OptCheck('BPF_SYSCALL', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN
 checklist.append(OptCheck('MMIOTRACE_TEST', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN
+ if arch == 'X86_64' or arch == 'X86_32':
+ checklist.append(OptCheck('X86_INTEL_TSX_MODE_OFF', 'y', 'clipos', 'cut_attack_surface')) # tsx=off
 checklist.append(OptCheck('STAGING', 'is not set', 'clipos', 'cut_attack_surface'))
 checklist.append(OptCheck('KSM', 'is not set', 'clipos', 'cut_attack_surface')) # to prevent FLUSH+RELOAD attack
 # checklist.append(OptCheck('IKCONFIG', 'is not set', 'clipos', 'cut_attack_surface')) # no, this info is needed for this check :)
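Review bot: The trailing comment on the new `X86_INTEL_TSX_MODE_OFF` check in the second hunk says only `# tsx=off`, which does not tell a reader that this Kconfig choice sets just the built-in default and that a `tsx=on` or `tsx=auto` boot parameter can still override it. A pass on this line therefore does not show that TSX is disabled on the running system. I would expand the comment to something like `# same default as tsx=off; the tsx= boot parameter can still override it`. Kernels that predate this option will presumably report it as not found, so it is worth confirming that this is the intended result there. construct_checklist starts and ends outside the hunk.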