X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=64cb479c5b00d15ed6ef7e0478d6ea1452a2e772;hb=984760211e8d187184dd7b65a00ca4266109c56f;hp=21d3bfbd11975ae26c705dd75110793edb8b60c9;hpb=3da1225a62650f5d71fc07239eeaa05455c21b28;p=kconfig-hardened-check.git
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index 21d3bfb..64cb479 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -397,6 +397,14 @@ def construct_checklist(l, arch):
 l += [OptCheck('self_protection', 'kspp', 'HIGHMEM64G', 'y')]
 l += [OptCheck('self_protection', 'kspp', 'X86_PAE', 'y')]
 
+ # 'self_protection', 'maintainer'
+ ubsan_bounds_is_set = OptCheck('self_protection', 'maintainer', 'UBSAN_BOUNDS', 'y') # only array index bounds checking
+ l += [ubsan_bounds_is_set] # recommended by Kees Cook in /issues/53
+ l += [AND(OptCheck('self_protection', 'maintainer', 'UBSAN_SANITIZE_ALL', 'y'),
+ ubsan_bounds_is_set)] # recommended by Kees Cook in /issues/53
+ l += [AND(OptCheck('self_protection', 'maintainer', 'UBSAN_TRAP', 'y'),
+ ubsan_bounds_is_set)] # recommended by Kees Cook in /issues/53
+
 # 'self_protection', 'clipos'
 l += [OptCheck('self_protection', 'clipos', 'DEBUG_VIRTUAL', 'y')]
 l += [OptCheck('self_protection', 'clipos', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support 
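Review bot: The trailing comment `# recommended by Kees Cook in /issues/53` is repeated on three of the added lines although the whole moved section is attributed to that one recommendation; it reads cleaner stated once on the section header, e.g. `# 'self_protection', 'maintainer' -- UBSAN checks recommended by Kees Cook in /issues/53`, leaving the per-line comments to carry only what is specific to that line (`# only array index bounds checking`). The `ubsan_bounds_is_set` instance is appended to `l` on its own and then reused inside both `AND(...)` checks; that looks intentional, so a short comment such as `# same OptCheck instance reused below so UBSAN_BOUNDS is listed once` would stop a reader from taking the reuse for a copy-paste slip. construct_checklist starts and ends outside the hunk, and the second hunk only deletes the section's old location.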
@@ -421,14 +429,6 @@ def construct_checklist(l, arch):
 l += [AND(OptCheck('self_protection', 'clipos', 'INTEL_IOMMU', 'y'),
 iommu_support_is_set)]
 
- # 'self_protection', 'maintainer'
- ubsan_bounds_is_set = OptCheck('self_protection', 'maintainer', 'UBSAN_BOUNDS', 'y') # only array index bounds checking
- l += [ubsan_bounds_is_set] # recommended by Kees Cook in /issues/53
- l += [AND(OptCheck('self_protection', 'maintainer', 'UBSAN_SANITIZE_ALL', 'y'),
- ubsan_bounds_is_set)] # recommended by Kees Cook in /issues/53
- l += [AND(OptCheck('self_protection', 'maintainer', 'UBSAN_TRAP', 'y'),
- ubsan_bounds_is_set)] # recommended by Kees Cook in /issues/53
-
 # 'self_protection', 'my'
 l += [OptCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y')] # needs userspace support (systemd)
 if arch == 'X86_64':