X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=28a955bc84e4b287f74fc0122bbbdad02fab4a78;hb=7da270d01301ee9c34c6d4b9bb5f719ad5a891a6;hp=d10cc623f360a5d24a8bf16c15075acf2e9a095a;hpb=ddb3e3948fd8727b27f413a1e130695b9c05c53c;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index d10cc62..28a955b 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -10,14 +10,9 @@ # Please don't cry if my Python code looks like C. # # -# N.B Hardening command line parameters: +# N.B Missing hardening command line parameters: # iommu=force (does it help against DMA attacks?) # -# Mitigations of CPU vulnerabilities: -# Аrch-independent: -# X86: -# l1d_flush=on (a part of the l1tf option) -# # Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE): # kasan=on # kasan.stacktrace=off @@ -45,6 +40,7 @@ # fs.suid_dumpable=0 # kernel.modules_disabled=1 # kernel.randomize_va_space = 2 +# nosmt sysfs control file # pylint: disable=missing-module-docstring,missing-class-docstring,missing-function-docstring @@ -721,6 +717,7 @@ def add_cmdline_checks(l, arch): l += [CmdlineCheck('self_protection', 'defconfig', 'nopti', 'is not set')] l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_v1', 'is not set')] l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_v2', 'is not set')] + l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_bhb', 'is not set')] l += [CmdlineCheck('self_protection', 'defconfig', 'nospec_store_bypass_disable', 'is not set')] l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nobti', 'is not set')] l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nopauth', 'is not set')]