X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kconfig_hardened_check%2Fchecks.py;h=b83be112f2143e50ae2edfbd24c18614f7022559;hb=8c565d5f86789588dee14c01339dbead2d234502;hp=8e52fd8fc27e98cbaa0af8c4c92ecd35b0408a9f;hpb=4d5de9965b33f1eff1e15cb794fe0cfa734325fb;p=kconfig-hardened-check.git
diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py
index 8e52fd8..b83be11 100644
--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -37,6 +37,8 @@ This module contains knowledge for checks.
 # vm.mmap_rnd_bits=max (?)
 # kernel.sysrq=0
 # abi.vsyscall32 (any value except 2)
+# kernel.oops_limit (think about a proper value)
+# kernel.warn_limit (think about a proper value)
 #
 # Think of these boot params:
 # module.sig_enforce=1
@@ -46,6 +48,7 @@ This module contains knowledge for checks.
 # intel_iommu=on
 # amd_iommu=on
 # efi=disable_early_pci_dma
+# cfi=
 # pylint: disable=missing-function-docstring,line-too-long,invalid-name
 # pylint: disable=too-many-branches,too-many-statements
@@ -114,6 +117,7 @@ def add_kconfig_checks(l, arch):
 if arch == 'X86_64':
 l += [KconfigCheck('self_protection', 'defconfig', 'PAGE_TABLE_ISOLATION', 'y')]
 l += [KconfigCheck('self_protection', 'defconfig', 'RANDOMIZE_MEMORY', 'y')]
+ l += [KconfigCheck('self_protection', 'defconfig', 'X86_KERNEL_IBT', 'y')]
 l += [AND(KconfigCheck('self_protection', 'defconfig', 'INTEL_IOMMU', 'y'),
 iommu_support_is_set)]
 l += [AND(KconfigCheck('self_protection', 'defconfig', 'AMD_IOMMU', 'y'),
@@ -584,6 +588,7 @@ no_kstrtobool_options = [
 'srbds', # See srbds_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
 'mmio_stale_data', # See mmio_stale_data_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
 'retbleed', # See retbleed_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
+ 'ssbd', # See parse_spectre_v4_param() in arch/arm64/kernel/proton-pack.c
 'tsx' # See tsx_init() in arch/x86/kernel/cpu/tsx.c
 ]
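Review bot: The two sysctl entries added to the "think about" list in the first hunk (`kernel.oops_limit`, `kernel.warn_limit`) give no starting point for what "a proper value" means, and the upstream semantics are easy to get backwards. For both sysctls 0 disables the limit and 1 behaves like the corresponding panic_on_oops / panic_on_warn setting, so a future check must not treat 0 as the strictest value. I would record that next to the entries, e.g. `# kernel.oops_limit (think about a proper value; 0 disables the limit, 1 acts like panic_on_oops=1)`, and the same for `kernel.warn_limit` with panic_on_warn. The comment block starts and ends outside the hunk.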
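Review bot: The new `X86_KERNEL_IBT` check in the `arch == 'X86_64'` branch (third hunk) only shows that the kernel was built with Indirect Branch Tracking; enforcement can still be turned off at boot with `ibt=off`, and nothing in this diff looks at that parameter. Since the second hunk already adds `cfi=` to the list of boot params to think about, I would add `# ibt=` to that list as well, or pair the Kconfig check with a `CmdlineCheck` that fails when `ibt` is set to `off`, in whatever form the module's other cmdline checks take. Whether such a check already exists elsewhere in checks.py is not visible here. add_kconfig_checks continues outside the hunk.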