X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig-hardened-check.py;h=cb176bca672581f1cf95636b3412038a8fe593c0;hb=2b70c5e5ae2f229e4a91199c4461dfc64a65ebd7;hp=5fcabf9f7428386892633861abae8620e97acf62;hpb=53b9cee7b987e80aba71d6f96fe0989ca47afb0a;p=kconfig-hardened-check.git
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index 5fcabf9..cb176bc 100755
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -28,7 +28,6 @@
 # l1tf=full,force
 # mds=full,nosmt
 # ARM64:
-# ? CONFIG_HARDEN_BRANCH_PREDICTOR
 # kpti=on
 # ssbd=force-on
 #
@@ -192,6 +191,8 @@ def construct_checklist(checklist, arch):
 checklist.append(OptCheck('SYN_COOKIES', 'y', 'defconfig', 'self_protection')) # another reason?
 if debug_mode or arch == 'ARM64':
 checklist.append(OptCheck('UNMAP_KERNEL_AT_EL0', 'y', 'defconfig', 'self_protection'))
+ checklist.append(OptCheck('HARDEN_EL2_VECTORS', 'y', 'defconfig', 'self_protection'))
+ checklist.append(OptCheck('RODATA_FULL_DEFAULT_ENABLED', 'y', 'defconfig', 'self_protection'))
 if debug_mode or arch == 'X86_64' or arch == 'ARM64':
 checklist.append(OptCheck('VMAP_STACK', 'y', 'defconfig', 'self_protection'))
 if debug_mode or arch == 'X86_64' or arch == 'ARM64' or arch == 'X86_32':
@@ -201,6 +202,7 @@ def construct_checklist(checklist, arch):
 checklist.append(OptCheck('CPU_SW_DOMAIN_PAN', 'y', 'defconfig', 'self_protection'))
 if debug_mode or arch == 'ARM64' or arch == 'ARM':
 checklist.append(OptCheck('REFCOUNT_FULL', 'y', 'defconfig', 'self_protection'))
+ checklist.append(OptCheck('HARDEN_BRANCH_PREDICTOR', 'y', 'defconfig', 'self_protection'))
 checklist.append(OptCheck('BUG_ON_DATA_CORRUPTION', 'y', 'kspp', 'self_protection'))
 checklist.append(OptCheck('DEBUG_WX', 'y', 'kspp', 'self_protection'))
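Review bot: The new `RODATA_FULL_DEFAULT_ENABLED` check in the ARM64 branch only verifies a build-time default, so a passing result does not show the protection is in effect on a running system. On arm64 the `rodata=` boot parameter can override that default. The header comment touched by the first hunk already lists ARM64 command-line parameters (`kpti=on`, `ssbd=force-on`), so I would add a matching line there, `# rodata=full`, to keep the config check and the boot-parameter notes in step. `construct_checklist` starts and ends outside this hunk, so how the result is reported is not visible here.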
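Review bot: The added `HARDEN_BRANCH_PREDICTOR` check under `arch == 'ARM64' or arch == 'ARM'` carries no comment on what a pass actually guarantees. As far as I know, the kernel-side branch predictor hardening can rely on support from system firmware on some CPUs, so `y` in the config is necessary but may not be sufficient. A trailing comment in the style already used on the `SYN_COOKIES` line would record that, e.g. `# may also depend on firmware support`. The enclosing `if` block and `construct_checklist` both extend outside this hunk.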