X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig-hardened-check.py;h=c5a5491d43b07f8ecb8966f045424a3c6a5ede85;hb=c936e092adbb8de81b00c11699d895e005a5b372;hp=5f12249033264479ed1acfa6f09d3c9d86ceeccb;hpb=e8eba6a44ca222bb274de20a44d9d9042bec68ab;p=kconfig-hardened-check.git diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py index 5f12249..c5a5491 100755 --- a/kconfig-hardened-check.py +++ b/kconfig-hardened-check.py @@ -236,16 +236,16 @@ def construct_checklist(checklist, arch): OptCheck('DEBUG_SET_MODULE_RONX', 'y', 'defconfig', 'self_protection'), \ modules_not_set)) # DEBUG_SET_MODULE_RONX was before v4.11 checklist.append(OptCheck('GCC_PLUGINS', 'y', 'defconfig', 'self_protection')) - checklist.append(OR(OptCheck('REFCOUNT_FULL', 'y', 'defconfig', 'self_protection'), \ + checklist.append(OR(OptCheck('REFCOUNT_FULL', 'y', 'defconfig', 'self_protection'), \ VerCheck((5, 5)))) # REFCOUNT_FULL is enabled by default since v5.5 + iommu_support_is_set = OptCheck('IOMMU_SUPPORT', 'y', 'defconfig', 'self_protection') # is needed for mitigating DMA attacks + checklist.append(iommu_support_is_set) if arch == 'X86_64' or arch == 'X86_32': checklist.append(OptCheck('MICROCODE', 'y', 'defconfig', 'self_protection')) # is needed for mitigating CPU bugs checklist.append(OptCheck('RETPOLINE', 'y', 'defconfig', 'self_protection')) checklist.append(OptCheck('X86_SMAP', 'y', 'defconfig', 'self_protection')) checklist.append(OR(OptCheck('X86_UMIP', 'y', 'defconfig', 'self_protection'), \ OptCheck('X86_INTEL_UMIP', 'y', 'defconfig', 'self_protection'))) - iommu_support_is_set = OptCheck('IOMMU_SUPPORT', 'y', 'defconfig', 'self_protection') # is needed for mitigating DMA attacks - checklist.append(iommu_support_is_set) checklist.append(OptCheck('SYN_COOKIES', 'y', 'defconfig', 'self_protection')) # another reason? if arch == 'X86_64': checklist.append(OptCheck('PAGE_TABLE_ISOLATION', 'y', 'defconfig', 'self_protection'))