X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig-hardened-check.py;h=c7eab1b0a40020200a5cdaa3a46867c5353077ec;hb=2dd3074016dc9e370faeae6fdaab529eb3373226;hp=dd7b30e486a5ee7f6447e0a42100495c99c73d5c;hpb=071e301cbbf7895c379f86aef790506c399ada3b;p=kconfig-hardened-check.git diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py index dd7b30e..c7eab1b 100755 --- a/kconfig-hardened-check.py +++ b/kconfig-hardened-check.py @@ -14,7 +14,6 @@ # slub_debug=FZP # slab_nomerge # kernel.kptr_restrict=1 -# lockdown=1 (is it changed?) # page_alloc.shuffle=1 # iommu=force (does it help against DMA attacks?) # page_poison=1 (if enabled) @@ -347,13 +346,13 @@ def construct_checklist(checklist, arch): if arch == 'ARM': checklist.append(OptCheck('SECURITY', 'y', 'kspp', 'security_policy')) # and choose your favourite LSM checklist.append(OptCheck('SECURITY_YAMA', 'y', 'kspp', 'security_policy')) + checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM', 'y', 'clipos', 'security_policy')) + checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY', 'y', 'clipos', 'security_policy')) + checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'clipos', 'security_policy')) loadpin_is_set = OptCheck('SECURITY_LOADPIN', 'y', 'my', 'security_policy') # needs userspace support checklist.append(loadpin_is_set) checklist.append(AND(OptCheck('SECURITY_LOADPIN_ENFORCE', 'y', 'my', 'security_policy'), \ loadpin_is_set)) - checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM', 'y', 'my', 'security_policy')) - checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY', 'y', 'my', 'security_policy')) - checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'my', 'security_policy')) checklist.append(OptCheck('SECURITY_SAFESETID', 'y', 'my', 'security_policy')) checklist.append(OptCheck('SECURITY_WRITABLE_HOOKS', 'is not set', 'my', 'security_policy'))