X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2Fchecks.py;h=1bb1de205498bf11d25935a870fa623586ef3582;hb=e84011fddceecda2d3d678ec3db08d3732d96ac2;hp=65d8acfe59afc5b6cab198811df3f221f446e757;hpb=4de5662ebaf4f72aeffbe40fc78433ca5d81635e;p=kconfig-hardened-check.git

diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py
index 65d8acf..1bb1de2 100644
--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -439,31 +439,40 @@ def add_cmdline_checks(l, arch):
     l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nopauth', 'is not set')]
     l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nomte', 'is not set')]
     l += [OR(CmdlineCheck('self_protection', 'defconfig', 'spectre_v2', 'is not off'),
-             CmdlineCheck('self_protection', 'defconfig', 'spectre_v2', 'is not set'))]
+             AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
+                 CmdlineCheck('self_protection', 'defconfig', 'spectre_v2', 'is not set')))]
     l += [OR(CmdlineCheck('self_protection', 'defconfig', 'spectre_v2_user', 'is not off'),
-             CmdlineCheck('self_protection', 'defconfig', 'spectre_v2_user', 'is not set'))]
+             AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
+                 CmdlineCheck('self_protection', 'defconfig', 'spectre_v2_user', 'is not set')))]
     l += [OR(CmdlineCheck('self_protection', 'defconfig', 'spec_store_bypass_disable', 'is not off'),
-             CmdlineCheck('self_protection', 'defconfig', 'spec_store_bypass_disable', 'is not set'))]
+             AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
+                 CmdlineCheck('self_protection', 'defconfig', 'spec_store_bypass_disable', 'is not set')))]
     l += [OR(CmdlineCheck('self_protection', 'defconfig', 'l1tf', 'is not off'),
-             CmdlineCheck('self_protection', 'defconfig', 'l1tf', 'is not set'))]
+             AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
+                 CmdlineCheck('self_protection', 'defconfig', 'l1tf', 'is not set')))]
     l += [OR(CmdlineCheck('self_protection', 'defconfig', 'mds', 'is not off'),
-             CmdlineCheck('self_protection', 'defconfig', 'mds', 'is not set'))]
+             AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
+                 CmdlineCheck('self_protection', 'defconfig', 'mds', 'is not set')))]
     l += [OR(CmdlineCheck('self_protection', 'defconfig', 'tsx_async_abort', 'is not off'),
-             CmdlineCheck('self_protection', 'defconfig', 'tsx_async_abort', 'is not set'))]
+             AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
+                 CmdlineCheck('self_protection', 'defconfig', 'tsx_async_abort', 'is not set')))]
     l += [OR(CmdlineCheck('self_protection', 'defconfig', 'srbds', 'is not off'),
-             CmdlineCheck('self_protection', 'defconfig', 'srbds', 'is not set'))]
+             AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
+                 CmdlineCheck('self_protection', 'defconfig', 'srbds', 'is not set')))]
     l += [OR(CmdlineCheck('self_protection', 'defconfig', 'mmio_stale_data', 'is not off'),
-             CmdlineCheck('self_protection', 'defconfig', 'mmio_stale_data', 'is not set'))]
+             AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
+                 CmdlineCheck('self_protection', 'defconfig', 'mmio_stale_data', 'is not set')))]
     l += [OR(CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not off'),
-             CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not set'))]
+             AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
+                 CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not set')))]
     l += [OR(CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not off'),
-             CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not set'))]
-    l += [OR(CmdlineCheck('self_protection', 'defconfig', 'kvm.nx_huge_pages', 'is not off'),
-             CmdlineCheck('self_protection', 'defconfig', 'kvm.nx_huge_pages', 'is not set'))]
+             AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
+                 CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not set')))]
     if arch == 'ARM64':
         l += [OR(CmdlineCheck('self_protection', 'defconfig', 'ssbd', 'kernel'),
                  CmdlineCheck('self_protection', 'my', 'ssbd', 'force-on'),
-                 CmdlineCheck('self_protection', 'defconfig', 'ssbd', 'is not set'))]
+                 AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
+                     CmdlineCheck('self_protection', 'defconfig', 'ssbd', 'is not set')))]
         l += [OR(CmdlineCheck('self_protection', 'defconfig', 'rodata', 'full'),
                  AND(KconfigCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y'),
                      CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set')))]
@@ -474,6 +483,12 @@ def add_cmdline_checks(l, arch):
     # 'self_protection', 'kspp'
     l += [CmdlineCheck('self_protection', 'kspp', 'nosmt', 'is present')]
     l += [CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt')] # 'nosmt' by kspp + 'auto' by defconfig
+    l += [CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp
+    l += [CmdlineCheck('self_protection', 'kspp', 'slub_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp
+    l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_nomerge', 'is present'),
+             AND(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'),
+                 CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set'),
+                 CmdlineCheck('self_protection', 'kspp', 'slub_merge', 'is not set')))]
     l += [OR(CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', '1'),
              AND(KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y'),
                  CmdlineCheck('self_protection', 'kspp', 'init_on_alloc', 'is not set')))]
@@ -483,10 +498,6 @@ def add_cmdline_checks(l, arch):
              AND(CmdlineCheck('self_protection', 'kspp', 'page_poison', '1'),
                  KconfigCheck('self_protection', 'kspp', 'PAGE_POISONING_ZERO', 'y'),
                  CmdlineCheck('self_protection', 'kspp', 'slub_debug', 'P')))]
-    l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_nomerge', 'is present'),
-             AND(KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set'),
-                 CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set'),
-                 CmdlineCheck('self_protection', 'clipos', 'slub_merge', 'is not set')))]
     l += [OR(CmdlineCheck('self_protection', 'kspp', 'iommu.strict', '1'),
              AND(KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y'),
                  CmdlineCheck('self_protection', 'kspp', 'iommu.strict', 'is not set')))]