X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=0d1e10cfd9a2f22bad8cdf00dc5c704254c32ad4;hb=4425d8b2b3bc4d3c6bf5d636c641395f3b7a8fa8;hp=937b3a0c6a72107e2f06d694369c68ff813dd696;hpb=103bbe9258fdb6ec0b064bdc53aaf3ba31367de7;p=kconfig-hardened-check.git
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index 937b3a0..0d1e10c 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -293,7 +293,8 @@ def construct_checklist(l, arch):
 if arch == 'ARM64':
 l += [OptCheck('self_protection', 'defconfig', 'ARM64_PAN', 'y')]
 l += [OptCheck('self_protection', 'defconfig', 'UNMAP_KERNEL_AT_EL0', 'y')]
- l += [OptCheck('self_protection', 'defconfig', 'HARDEN_EL2_VECTORS', 'y')]
+ l += [OR(OptCheck('self_protection', 'defconfig', 'HARDEN_EL2_VECTORS', 'y'),
+ VerCheck((5,9)))] # HARDEN_EL2_VECTORS was removed in v5.9
 l += [OptCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y')]
 l += [OptCheck('self_protection', 'defconfig', 'ARM64_PTR_AUTH', 'y')]
 if arch in ('X86_64', 'ARM64'):
@@ -379,7 +380,7 @@ def construct_checklist(l, arch):
 iommu_support_is_set)]
 # 'self_protection', 'my'
- l += [OptCheck('self_protection', 'my', 'SLUB_DEBUG_ON', 'y')]
+ l += [OptCheck('self_protection', 'my', 'SLUB_DEBUG_ON', 'y')] # TODO: is it better to set that via kernel cmd?
 l += [OptCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y')] # needs userspace support (systemd)
 if arch == 'X86_64':
 l += [AND(OptCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'),
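Review bot: In the ARM64 block of the first hunk, the `VerCheck((5,9))` alternative lets the `HARDEN_EL2_VECTORS` entry pass on every kernel from v5.9 on without checking anything about EL2 vector hardening. The trailing comment says only that the option was removed, not why a version match is an acceptable substitute. If I recall the upstream change correctly, v5.9 dropped the symbol and made the behaviour follow `RANDOMIZE_BASE`, so the comment could record that, e.g. `# HARDEN_EL2_VECTORS was removed in v5.9; the hardening now follows RANDOMIZE_BASE (confirm)`. It is also worth confirming that `RANDOMIZE_BASE` is checked for ARM64 elsewhere in `construct_checklist`, whose body starts and ends outside this hunk. Minor style point: `(5,9)` reads as `(5, 9)` under PEP 8.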