X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=797e3e08cf824b309d7da9890b7808c36d9fa482;hb=4c4937a3a4d58d47e90f5ba694197f4fbab78790;hp=673cb5224c9f8e02845859ce542f57dd0a835ac2;hpb=145f48a093338f00273e4a21477dddc34284ddd6;p=kconfig-hardened-check.git
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index 673cb52..797e3e0 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -10,31 +10,9 @@
 # Please don't cry if my Python code looks like C.
 #
 #
-# N.B Hardening command line parameters:
+# N.B Missing hardening command line parameters:
 # iommu=force (does it help against DMA attacks?)
 #
-# The list of disabled mitigations of CPU vulnerabilities:
-# mitigations=off
-# pti=off
-# spectre_v2=off
-# spectre_v2_user=off
-# spec_store_bypass_disable=off
-# l1tf=off
-# mds=off
-# tsx_async_abort=off
-# srbds=off
-# mmio_stale_data=off
-# retbleed=off
-# nopti
-# nokaslr
-# nospectre_v1
-# nospectre_v2
-# nospectre_bhb
-# nospec_store_bypass_disable
-# kpti=0
-# ssbd=force-off
-# nosmt (enabled)
-#
 # Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE):
 # kasan=on
 # kasan.stacktrace=off
@@ -62,6 +40,7 @@
 # fs.suid_dumpable=0
 # kernel.modules_disabled=1
 # kernel.randomize_va_space = 2
+# nosmt sysfs control file
 # pylint: disable=missing-module-docstring,missing-class-docstring,missing-function-docstring
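Review bot: The added `nosmt sysfs control file` line in the second hunk (`@@ -62,6 +40,7 @@`) is the only item in its list that names neither a key nor an expected value, while its neighbours (`fs.suid_dumpable=0`, `kernel.modules_disabled=1`, `kernel.randomize_va_space = 2`) read as sysctl settings with a target value. SMT control lives in sysfs rather than sysctl, so a reader checking a host by hand has nothing concrete to look at; spelling it out, e.g. `#     /sys/devices/system/cpu/smt/control = off (nosmt)`, would make the item as actionable as the rest. The heading of this list is above the hunk and not visible here, so if it already says the list mixes sysctl and sysfs knobs, only the missing path and value remain worth adding.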
@@ -659,9 +638,6 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD', 'is not set')] # recommended by Denis Efremov in /pull/54 l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD_RAWCMD', 'is not set')] # recommended by Denis Efremov in /pull/62 - # 'cut_attack_surface', 'grapheneos' - l += [KconfigCheck('cut_attack_surface', 'grapheneos', 'AIO', 'is not set')] - # 'cut_attack_surface', 'clipos' l += [KconfigCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'clipos', 'KSM', 'is not set')] # to prevent FLUSH+RELOAD attack