X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=9dc59ae633d060dd2b009805659af49540ea6df2;hb=860834d93c56279d0362432032883b6c81ae3ef5;hp=d65e2df1301821a14c31d2943ba20af1cf575cb8;hpb=03839d42c027fb17a5067ffb2f5aa975ab279fb8;p=kconfig-hardened-check.git

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index d65e2df..9dc59ae 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -29,9 +29,9 @@
 #           pti=on
 #           spec_store_bypass_disable=on
 #           l1tf=full,force
+#           l1d_flush=on (a part of the l1tf option)
 #           mds=full,nosmt
 #           tsx=off
-#           l1d_flush=on
 #       ARM64:
 #           kpti=on
 #           ssbd=force-on
@@ -470,6 +470,7 @@ def add_kconfig_checks(l, arch):
     # 'self_protection', 'my'
     l += [KconfigCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y')] # needs userspace support (systemd)
     if arch == 'X86_64':
+        l += [KconfigCheck('self_protection', 'my', 'SLS', 'y')] # vs CVE-2021-26341 in Straight-Line-Speculation
         l += [AND(KconfigCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'),
                   iommu_support_is_set)]
     if arch == 'ARM64':
@@ -498,6 +499,7 @@ def add_kconfig_checks(l, arch):
               loadpin_is_set)]
 
     # 'cut_attack_surface', 'defconfig'
+    l += [KconfigCheck('cut_attack_surface', 'defconfig', 'BPF_UNPRIV_DEFAULT_OFF', 'y')] # see unprivileged_bpf_disabled
     l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP', 'y')]
     l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP_FILTER', 'y')]
     if arch in ('X86_64', 'ARM64', 'X86_32'):
@@ -636,16 +638,16 @@ def print_unknown_options(checklist, parsed_options):
     known_options = []
 
     for o1 in checklist:
-        if not hasattr(o1, 'opts'):
+        if o1.type != 'complex':
             known_options.append(o1.name)
             continue
         for o2 in o1.opts:
-            if not hasattr(o2, 'opts'):
+            if o2.type != 'complex':
                 if hasattr(o2, 'name'):
                     known_options.append(o2.name)
                 continue
             for o3 in o2.opts:
-                if hasattr(o3, 'opts'):
+                if o3.type == 'complex':
                     sys.exit('[!] ERROR: unexpected ComplexOptCheck inside {}'.format(o2.name))
                 if hasattr(o3, 'name'):
                     known_options.append(o3.name)
@@ -704,12 +706,14 @@ def print_checklist(mode, checklist, with_results):
 
 
 def populate_simple_opt_with_data(opt, data, data_type):
-    if hasattr(opt, 'opts'):
+    if opt.type == 'complex':
         sys.exit('[!] ERROR: unexpected ComplexOptCheck {}: {}'.format(opt.name, vars(opt)))
     if data_type not in TYPES_OF_CHECKS:
         sys.exit('[!] ERROR: invalid data type "{}"'.format(data_type))
+
     if data_type != opt.type:
         return
+
     if data_type == 'kconfig':
         opt.state = data.get(opt.name, None)
     elif data_type == 'version':
@@ -717,17 +721,16 @@ def populate_simple_opt_with_data(opt, data, data_type):
 
 
 def populate_opt_with_data(opt, data, data_type):
-    if hasattr(opt, 'opts'):
+    if opt.type == 'complex':
         for o in opt.opts:
-            if hasattr(o, 'opts'):
+            if o.type == 'complex':
                 # Recursion for nested ComplexOptCheck objects
                 populate_opt_with_data(o, data, data_type)
             else:
                 populate_simple_opt_with_data(o, data, data_type)
     else:
-        # The 'state' is mandatory for simple checks
-        if not hasattr(opt, 'state'):
-            sys.exit('[!] ERROR: bad simple check {}'.format(vars(opt)))
+        if opt.type != 'kconfig':
+            sys.exit('[!] ERROR: bad type "{}" for a simple check {}'.format(opt.type, opt.name))
         populate_simple_opt_with_data(opt, data, data_type)