X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=797e3e08cf824b309d7da9890b7808c36d9fa482;hb=4c4937a3a4d58d47e90f5ba694197f4fbab78790;hp=8130dd4027a89fb27bddd463ac374f329a3bfb3d;hpb=732eac6e7e7672693a5ee23c04c83a379a52917b;p=kconfig-hardened-check.git diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 8130dd4..797e3e0 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -10,14 +10,9 @@ # Please don't cry if my Python code looks like C. # # -# N.B Hardening command line parameters: +# N.B Missing hardening command line parameters: # iommu=force (does it help against DMA attacks?) # -# Mitigations of CPU vulnerabilities: -# Аrch-independent: -# X86: -# l1d_flush=on (a part of the l1tf option) -# # Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE): # kasan=on # kasan.stacktrace=off @@ -45,6 +40,7 @@ # fs.suid_dumpable=0 # kernel.modules_disabled=1 # kernel.randomize_va_space = 2 +# nosmt sysfs control file # pylint: disable=missing-module-docstring,missing-class-docstring,missing-function-docstring @@ -642,9 +638,6 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD', 'is not set')] # recommended by Denis Efremov in /pull/54 l += [KconfigCheck('cut_attack_surface', 'maintainer', 'BLK_DEV_FD_RAWCMD', 'is not set')] # recommended by Denis Efremov in /pull/62 - # 'cut_attack_surface', 'grapheneos' - l += [KconfigCheck('cut_attack_surface', 'grapheneos', 'AIO', 'is not set')] - # 'cut_attack_surface', 'clipos' l += [KconfigCheck('cut_attack_surface', 'clipos', 'STAGING', 'is not set')] l += [KconfigCheck('cut_attack_surface', 'clipos', 'KSM', 'is not set')] # to prevent FLUSH+RELOAD attack