X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=e47c5d402d46b64fb7735e6545a8f2895b3198ac;hb=25cb2389d0d47892e472f7b66c39597ddf41a278;hp=b2893d104f4946ff110d7e28f0a0480ba82c5065;hpb=d1a8bb6a7388899f0e593fdafb0bd2dcca11187a;p=kconfig-hardened-check.git

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index b2893d1..e47c5d4 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -290,6 +290,11 @@ def construct_checklist(l, arch):
              VerCheck((5, 5)))] # REFCOUNT_FULL is enabled by default since v5.5
     iommu_support_is_set = OptCheck('self_protection', 'defconfig', 'IOMMU_SUPPORT', 'y')
     l += [iommu_support_is_set] # is needed for mitigating DMA attacks
+    if arch in ('X86_64', 'ARM64', 'X86_32'):
+        l += [OptCheck('self_protection', 'defconfig', 'RANDOMIZE_BASE', 'y')]
+        l += [OptCheck('self_protection', 'defconfig', 'THREAD_INFO_IN_TASK', 'y')]
+    if arch in ('X86_64', 'ARM64'):
+        l += [OptCheck('self_protection', 'defconfig', 'VMAP_STACK', 'y')]
     if arch in ('X86_64', 'X86_32'):
         l += [OptCheck('self_protection', 'defconfig', 'MICROCODE', 'y')] # is needed for mitigating CPU bugs
         l += [OptCheck('self_protection', 'defconfig', 'RETPOLINE', 'y')]
@@ -297,6 +302,8 @@ def construct_checklist(l, arch):
         l += [OptCheck('self_protection', 'defconfig', 'SYN_COOKIES', 'y')] # another reason?
         l += [OR(OptCheck('self_protection', 'defconfig', 'X86_UMIP', 'y'),
                  OptCheck('self_protection', 'defconfig', 'X86_INTEL_UMIP', 'y'))]
+    if arch in ('ARM64', 'ARM'):
+        l += [OptCheck('self_protection', 'defconfig', 'STACKPROTECTOR_PER_TASK', 'y')]
     if arch == 'X86_64':
         l += [OptCheck('self_protection', 'defconfig', 'PAGE_TABLE_ISOLATION', 'y')]
         l += [OptCheck('self_protection', 'defconfig', 'RANDOMIZE_MEMORY', 'y')]
@@ -313,18 +320,10 @@ def construct_checklist(l, arch):
         l += [OptCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y')]
         l += [OptCheck('self_protection', 'defconfig', 'ARM64_PTR_AUTH', 'y')]
         l += [OptCheck('self_protection', 'defconfig', 'ARM64_BTI_KERNEL', 'y')]
-    if arch in ('X86_64', 'ARM64'):
-        l += [OptCheck('self_protection', 'defconfig', 'VMAP_STACK', 'y')]
-    if arch in ('X86_64', 'ARM64', 'X86_32'):
-        l += [OptCheck('self_protection', 'defconfig', 'RANDOMIZE_BASE', 'y')]
-        l += [OptCheck('self_protection', 'defconfig', 'THREAD_INFO_IN_TASK', 'y')]
-    if arch == 'ARM':
-        l += [OptCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')]
-        l += [OptCheck('self_protection', 'defconfig', 'STACKPROTECTOR_PER_TASK', 'y')]
-    if arch == 'ARM64':
         l += [OR(OptCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y'),
              VerCheck((5, 10)))] # HARDEN_BRANCH_PREDICTOR is enabled by default since v5.10
     if arch == 'ARM':
+        l += [OptCheck('self_protection', 'defconfig', 'CPU_SW_DOMAIN_PAN', 'y')]
         l += [OptCheck('self_protection', 'defconfig', 'HARDEN_BRANCH_PREDICTOR', 'y')]
 
     # 'self_protection', 'kspp'
@@ -365,15 +364,15 @@ def construct_checklist(l, arch):
         l += [stackleak_is_set]
     if arch in ('X86_64', 'X86_32'):
         l += [OptCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '65536')]
+    if arch in ('ARM64', 'ARM'):
+        l += [OptCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '32768')]
+        l += [OptCheck('self_protection', 'kspp', 'SYN_COOKIES', 'y')] # another reason?
+    if arch == 'ARM64':
+        l += [OptCheck('self_protection', 'kspp', 'ARM64_SW_TTBR0_PAN', 'y')]
     if arch == 'X86_32':
         l += [OptCheck('self_protection', 'kspp', 'PAGE_TABLE_ISOLATION', 'y')]
         l += [OptCheck('self_protection', 'kspp', 'HIGHMEM64G', 'y')]
         l += [OptCheck('self_protection', 'kspp', 'X86_PAE', 'y')]
-    if arch == 'ARM64':
-        l += [OptCheck('self_protection', 'kspp', 'ARM64_SW_TTBR0_PAN', 'y')]
-    if arch in ('ARM64', 'ARM'):
-        l += [OptCheck('self_protection', 'kspp', 'SYN_COOKIES', 'y')] # another reason?
-        l += [OptCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '32768')]
 
     # 'self_protection', 'clipos'
     l += [OptCheck('self_protection', 'clipos', 'DEBUG_VIRTUAL', 'y')]
@@ -390,10 +389,11 @@ def construct_checklist(l, arch):
         l += [AND(OptCheck('self_protection', 'clipos', 'STACKLEAK_RUNTIME_DISABLE', 'is not set'),
                   stackleak_is_set)]
     if arch in ('X86_64', 'X86_32'):
-        l += [AND(OptCheck('self_protection', 'clipos', 'INTEL_IOMMU_SVM', 'y'),
-                  iommu_support_is_set)]
         l += [AND(OptCheck('self_protection', 'clipos', 'INTEL_IOMMU_DEFAULT_ON', 'y'),
                   iommu_support_is_set)]
+    if arch == 'X86_64':
+        l += [AND(OptCheck('self_protection', 'clipos', 'INTEL_IOMMU_SVM', 'y'),
+                  iommu_support_is_set)]
     if arch == 'X86_32':
         l += [AND(OptCheck('self_protection', 'clipos', 'INTEL_IOMMU', 'y'),
                   iommu_support_is_set)]
@@ -407,7 +407,7 @@ def construct_checklist(l, arch):
         l += [AND(OptCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'),
                   iommu_support_is_set)]
     if arch == 'ARM64':
-        l += [OptCheck('self_protection', 'my', 'SHADOW_CALL_STACK', 'y')] # maybe it should be alternative to STACKPROTECTOR_STRONG
+        l += [OptCheck('self_protection', 'my', 'SHADOW_CALL_STACK', 'y')] # depends on clang, maybe it's alternative to STACKPROTECTOR_STRONG
 
     # 'security_policy'
     if arch in ('X86_64', 'ARM64', 'X86_32'):