X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=0d1e10cfd9a2f22bad8cdf00dc5c704254c32ad4;hb=4425d8b2b3bc4d3c6bf5d636c641395f3b7a8fa8;hp=90f06b69527797c474c6982ac78c8cdcc6a98a82;hpb=44de4353978332826e1e8078434a69a74b1b4a0d;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 90f06b6..0d1e10c 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -293,7 +293,8 @@ def construct_checklist(l, arch): if arch == 'ARM64': l += [OptCheck('self_protection', 'defconfig', 'ARM64_PAN', 'y')] l += [OptCheck('self_protection', 'defconfig', 'UNMAP_KERNEL_AT_EL0', 'y')] - l += [OptCheck('self_protection', 'defconfig', 'HARDEN_EL2_VECTORS', 'y')] + l += [OR(OptCheck('self_protection', 'defconfig', 'HARDEN_EL2_VECTORS', 'y'), + VerCheck((5,9)))] # HARDEN_EL2_VECTORS was removed in v5.9 l += [OptCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y')] l += [OptCheck('self_protection', 'defconfig', 'ARM64_PTR_AUTH', 'y')] if arch in ('X86_64', 'ARM64'): @@ -379,7 +380,7 @@ def construct_checklist(l, arch): iommu_support_is_set)] # 'self_protection', 'my' - l += [OptCheck('self_protection', 'my', 'SLUB_DEBUG_ON', 'y')] + l += [OptCheck('self_protection', 'my', 'SLUB_DEBUG_ON', 'y')] # TODO: is it better to set that via kernel cmd? l += [OptCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y')] # needs userspace support (systemd) if arch == 'X86_64': l += [AND(OptCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'), @@ -477,6 +478,7 @@ def construct_checklist(l, arch): l += [OptCheck('cut_attack_surface', 'clipos', 'IO_URING', 'is not set')] l += [OptCheck('cut_attack_surface', 'clipos', 'X86_IOPL_IOPERM', 'is not set')] # refers to LOCKDOWN l += [OptCheck('cut_attack_surface', 'clipos', 'ACPI_TABLE_UPGRADE', 'is not set')] # refers to LOCKDOWN + l += [OptCheck('cut_attack_surface', 'clipos', 'EFI_CUSTOM_SSDT_OVERLAYS', 'is not set')] l += [AND(OptCheck('cut_attack_surface', 'clipos', 'LDISC_AUTOLOAD', 'is not set'), PresenceCheck('LDISC_AUTOLOAD'))] if arch in ('X86_64', 'X86_32'):