X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2F__init__.py;h=e795dd9151b641bd28f158879221f061f1d8f655;hb=40a359fa7fd58361e3702a41f97df4d6f1ce3471;hp=de7408417e020e4e630ccfd3eac69d5497e9c54c;hpb=f958a9d7254b01ceb31e97e0c02ab098312214dc;p=kconfig-hardened-check.git

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index de74084..e795dd9 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -332,8 +332,8 @@ def add_kconfig_checks(l, arch):
     #     when the tool doesn't check the cmdline.
 
     efi_not_set = KconfigCheck('-', '-', 'EFI', 'is not set')
-    cc_is_gcc = KconfigCheck('-', '-', 'CC_IS_GCC', 'y')
-    cc_is_clang = KconfigCheck('-', '-', 'CC_IS_CLANG', 'y')
+    cc_is_gcc = KconfigCheck('-', '-', 'CC_IS_GCC', 'y') # exists since v4.18
+    cc_is_clang = KconfigCheck('-', '-', 'CC_IS_CLANG', 'y') # exists since v4.18
 
     modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set')
     devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN
@@ -732,13 +732,14 @@ def add_cmdline_checks(l, arch):
                  CmdlineCheck('self_protection', 'kspp', 'hardened_usercopy', 'is not set')))]
     l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', '0'),
              AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'),
-                 CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', 'is not set')))] # ... the end
+                 CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', 'is not set')))]
+    if arch in ('X86_64', 'X86_32'):
+        l += [AND(CmdlineCheck('self_protection', 'kspp', 'pti', 'on'),
+                  CmdlineCheck('self_protection', 'kspp', 'nopti', 'is not set'))] # ... the end
     if arch in ('X86_64', 'ARM64', 'X86_32'):
         l += [OR(CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', '1'),
                  AND(KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y'),
                      CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', 'is not set')))]
-    if arch in ('X86_64', 'X86_32'):
-        l += [CmdlineCheck('self_protection', 'kspp', 'pti', 'on')]
 
     # 'self_protection', 'clipos'
     l += [CmdlineCheck('self_protection', 'clipos', 'page_alloc.shuffle', '1')]