X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=3daddcbdaba5a860789ffacf1366c7dc49efbae6;hb=5d007e67c6db0af09c6cf5a303cfea23e4234403;hp=0d6a470e9b4487837d8e15d6c98b74bc6361de3e;hpb=b6930eaede680a77a8ff4c2a8c2b4ae33c9aa12e;p=kconfig-hardened-check.git
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index 0d6a470..3daddcb 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -33,7 +33,6 @@
 #
 # Should NOT be set:
 # nokaslr
-# rodata=off
 # sysrq_always_enabled
 # arm64.nobti
 # arm64.nopauth
@@ -630,6 +629,9 @@ def add_kconfig_checks(l, arch):
 l += [KconfigCheck('harden_userspace', 'defconfig', 'INTEGRITY', 'y')]
 if arch == 'ARM':
 l += [KconfigCheck('harden_userspace', 'my', 'INTEGRITY', 'y')]
+ if arch == 'ARM64':
+ l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_PTR_AUTH', 'y')]
+ l += [KconfigCheck('harden_userspace', 'defconfig', 'ARM64_BTI', 'y')]
 if arch in ('ARM', 'X86_32'):
 l += [KconfigCheck('harden_userspace', 'defconfig', 'VMSPLIT_3G', 'y')]
 if arch in ('X86_64', 'ARM64'):
@@ -637,8 +639,6 @@ def add_kconfig_checks(l, arch):
 if arch in ('X86_32', 'ARM'):
 l += [KconfigCheck('harden_userspace', 'my', 'ARCH_MMAP_RND_BITS', '16')]
-# l += [KconfigCheck('feature_test', 'my', 'LKDTM', 'm')] # only for debugging!
-
 def add_cmdline_checks(l, arch):
 # Calling the CmdlineCheck class constructor:
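Review bot: The two checks added under `if arch == 'ARM64':` in the second hunk only inspect the build configuration, so a kernel built with `ARM64_PTR_AUTH=y` and `ARM64_BTI=y` but booted with `arm64.nopauth` or `arm64.nobti` would still pass. The header comment in the first hunk keeps both parameters under "Should NOT be set", which suggests no cmdline check covers them yet. Consider pairing them with checks in add_cmdline_checks(), for example `l += [CmdlineCheck('harden_userspace', 'defconfig', 'arm64.nopauth', 'is not set')]` and the same for `arm64.nobti`, guarded by `arch == 'ARM64'`, provided the cmdline parser accepts dotted option names. add_kconfig_checks() starts and ends outside this hunk.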
@@ -646,6 +646,11 @@ def add_cmdline_checks(l, arch):
 # Don't add CmdlineChecks in add_kconfig_checks() to avoid wrong results
 # when the tool doesn't check the cmdline.
+ if arch == 'ARM64':
+ l += [OR(CmdlineCheck('self_protection', 'defconfig', 'rodata', 'full'),
+ AND(KconfigCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y'),
+ CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set')))]
+
 l += [OR(CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', '1'),
 AND(KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y'),
 CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', 'is not set')))]
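Review bot: The new rodata check is gated on `arch == 'ARM64'`, so on every other architecture a boot line carrying `rodata=off` is still not reported, even though the first hunk drops `rodata=off` from the list of parameters that should not be set. An `else:` branch would close that gap, for example `l += [OR(CmdlineCheck('self_protection', 'defconfig', 'rodata', '1'), CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set'))]`; the accepted value spellings should be confirmed against the kernel's `rodata=` parsing for the targeted versions. A short comment above the ARM64 branch saying why only `full` is accepted there would also help. add_cmdline_checks() begins before this hunk and continues after it.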