X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig-hardened-check.py;h=e2d84838ddd66ec876aa84cd9ce2ccf6d0c08cf7;hb=bde110605e5a640a8491391935c4c3b4fefe561c;hp=d2caafd70f3ad80f239db0f3b048c3b03bff46e8;hpb=3a2b67f97ac532696139aa5c1808ba349cbfa7be;p=kconfig-hardened-check.git
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index d2caafd..e2d8483 100755
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -20,6 +20,7 @@
 # page_poison=1 (if enabled)
 # init_on_alloc=1
 # init_on_free=1
+# loadpin.enforce=1
 #
 # Mitigations of CPU vulnerabilities:
 # Аrch-independent:
@@ -347,7 +348,10 @@ def construct_checklist(checklist, arch):
 if debug_mode or arch == 'ARM':
 checklist.append(OptCheck('SECURITY', 'y', 'kspp', 'security_policy')) # and choose your favourite LSM
 checklist.append(OptCheck('SECURITY_YAMA', 'y', 'kspp', 'security_policy'))
- checklist.append(OptCheck('SECURITY_LOADPIN', 'y', 'my', 'security_policy')) # needs userspace support
+ loadpin_is_set = OptCheck('SECURITY_LOADPIN', 'y', 'my', 'security_policy') # needs userspace support
+ checklist.append(loadpin_is_set)
+ checklist.append(AND(OptCheck('SECURITY_LOADPIN_ENFORCE', 'y', 'my', 'security_policy'), \
+ loadpin_is_set))
 checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM', 'y', 'my', 'security_policy'))
 checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY', 'y', 'my', 'security_policy'))
 checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'my', 'security_policy'))
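Review bot: The new `SECURITY_LOADPIN_ENFORCE` check in the second hunk has no comment relating it to the `loadpin.enforce=1` boot parameter that the first hunk adds to the header list, so a reader cannot tell whether both are required or either one is sufficient. As far as I know the Kconfig option only sets the built-in default of that parameter, so a command line carrying `loadpin.enforce=0` would still switch enforcement off on a kernel that passes this check; a trailing comment such as `# default for loadpin.enforce, the boot parameter can override it` would make that limit explicit. The backslash after the first `AND(` argument is also unnecessary, because the open parenthesis already continues the line. `construct_checklist` starts and ends outside the hunk and the `AND` class is not visible here, so its exact pass/fail semantics are assumed.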