X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=a3a3293797e2c4ba0bba5906e5c7dd2dcf613a41;hb=23fe9e6b3032c0205177d4edbba89a609141107b;hp=e5fd0ff3250b210e90823677718021bc3e67ffcb;hpb=c3775a1507ee81387dbbd4051c45e01dfd9a9a1c;p=kconfig-hardened-check.git

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index e5fd0ff..a3a3293 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -66,7 +66,7 @@ class OptCheck:
                'invalid expected value "{}" for "{}" check (1)'.format(expected, name)
         val_len = len(expected.split())
         if val_len == 3:
-            assert(expected == 'is not set' or expected == 'is not off'), \
+            assert(expected in ('is not set', 'is not off')), \
                    'invalid expected value "{}" for "{}" check (2)'.format(expected, name)
         elif val_len == 2:
             assert(expected == 'is present'), \
@@ -266,7 +266,7 @@ class AND(ComplexOptCheck):
                     self.result = 'FAIL: {} is not "{}"'.format(opt.name, opt.expected)
                 elif opt.result == 'FAIL: is not present':
                     self.result = 'FAIL: {} is not present'.format(opt.name)
-                elif opt.result == 'FAIL: is off' or opt.result == 'FAIL: is off, "0"':
+                elif opt.result in ('FAIL: is off', 'FAIL: is off, "0"'):
                     self.result = 'FAIL: {} is off'.format(opt.name)
                 elif opt.result == 'FAIL: is off, not found':
                     self.result = 'FAIL: {} is off, not found'.format(opt.name)
@@ -739,6 +739,8 @@ def add_cmdline_checks(l, arch):
              CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not set'))]
     l += [OR(CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not off'),
              CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not set'))]
+    l += [OR(CmdlineCheck('self_protection', 'defconfig', 'kvm.nx_huge_pages', 'is not off'),
+             CmdlineCheck('self_protection', 'defconfig', 'kvm.nx_huge_pages', 'is not set'))]
     if arch == 'ARM64':
         l += [OR(CmdlineCheck('self_protection', 'defconfig', 'ssbd', 'kernel'),
                  CmdlineCheck('self_protection', 'my', 'ssbd', 'force-on'),
@@ -764,7 +766,7 @@ def add_cmdline_checks(l, arch):
     l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_nomerge', 'is present'),
              AND(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'),
                  CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set'),
-                 CmdlineCheck('self_protection', 'kspp', 'slub_merge', 'is not set')))]
+                 CmdlineCheck('self_protection', 'clipos', 'slub_merge', 'is not set')))]
     l += [OR(CmdlineCheck('self_protection', 'kspp', 'iommu.strict', '1'),
              AND(KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y'),
                  CmdlineCheck('self_protection', 'kspp', 'iommu.strict', 'is not set')))]