X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=9dc59ae633d060dd2b009805659af49540ea6df2;hb=860834d93c56279d0362432032883b6c81ae3ef5;hp=ef7f2769bf1f00d561dbc260d862efba279369f9;hpb=02497357366e6ef8a859271373a97f9761581924;p=kconfig-hardened-check.git
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index ef7f276..9dc59ae 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -29,9 +29,9 @@
 # pti=on
 # spec_store_bypass_disable=on
 # l1tf=full,force
+# l1d_flush=on (a part of the l1tf option)
 # mds=full,nosmt
 # tsx=off
-# l1d_flush=on
 # ARM64:
 # kpti=on
 # ssbd=force-on
@@ -470,6 +470,7 @@ def add_kconfig_checks(l, arch):
     # 'self_protection', 'my'
     l += [KconfigCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y')] # needs userspace support (systemd)
     if arch == 'X86_64':
+        l += [KconfigCheck('self_protection', 'my', 'SLS', 'y')] # vs CVE-2021-26341 in Straight-Line-Speculation
         l += [AND(KconfigCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'),
                   iommu_support_is_set)]
     if arch == 'ARM64':
@@ -498,6 +499,7 @@ def add_kconfig_checks(l, arch):
                 loadpin_is_set)]
 
     # 'cut_attack_surface', 'defconfig'
+    l += [KconfigCheck('cut_attack_surface', 'defconfig', 'BPF_UNPRIV_DEFAULT_OFF', 'y')] # see unprivileged_bpf_disabled
     l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP', 'y')]
     l += [KconfigCheck('cut_attack_surface', 'defconfig', 'SECCOMP_FILTER', 'y')]
     if arch in ('X86_64', 'ARM64', 'X86_32'):
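Review bot: The moved comment line `# l1d_flush=on (a part of the l1tf option)` presents l1d_flush= as a sub-option of l1tf=, but as far as I recall it is a separate kernel parameter (documented in Documentation/admin-guide/hw-vuln/l1d_flush.rst) that only enables the opt-in prctl(PR_SPEC_L1D_FLUSH) interface for tasks that request it, and does not flush L1D on every context switch by itself. Listing it next to l1tf= is reasonable, but the parenthetical may lead a reader to believe l1tf=full,force already covers it. Suggest `# l1d_flush=on (opt-in L1D flush on context switch, related to l1tf)` or similar wording, confirmed against kernel-parameters.txt for the kernels this tool targets.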
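Review bot: The new `SLS` check at the top of the `if arch == 'X86_64':` body will report a failure whenever the symbol is simply absent, which as far as I recall is the case on kernels older than the x86 SLS series and on any tree whose compiler lacks -mharden-sls support, since the Kconfig entry depends on CC_HAS_SLS. That is arguably the correct verdict for a hardening checker, but the comment should say why the option can be missing so a FAIL reads as "rebuild with a capable toolchain" rather than as a typo in the option name, e.g. `# vs CVE-2021-26341 in Straight-Line-Speculation; needs CC_HAS_SLS (compiler support)`. The enclosing add_kconfig_checks starts and ends outside the hunk.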
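Review bot: The new `BPF_UNPRIV_DEFAULT_OFF` check fails on configs that disable BPF_SYSCALL altogether, because as far as I recall that option depends on BPF_SYSCALL and is absent from the .config otherwise, even though removing the BPF syscall cuts strictly more attack surface than defaulting unprivileged BPF off. If the module has an OR combinator alongside the AND used in the previous hunk, the check is better expressed as `l += [OR(KconfigCheck('cut_attack_surface', 'defconfig', 'BPF_UNPRIV_DEFAULT_OFF', 'y'), KconfigCheck('cut_attack_surface', 'defconfig', 'BPF_SYSCALL', 'is not set'))]`. Separately, this option only sets the boot-time default of kernel.unprivileged_bpf_disabled, and userspace can still lower it to 0 at runtime unless the value is the locked 1, so `# see unprivileged_bpf_disabled` could spell out that a runtime sysctl check is still required. The enclosing add_kconfig_checks starts and ends outside the hunk.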