X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fchecks.py;h=748ba2274821f1ec69f89f6e75c271910c074ba1;hb=6ab3c1c8399ce96a0a18152fe895cc6be4fb859e;hp=9dacb51be97c614a8ecec22128b59033702043d8;hpb=e5f804ede6ea7f66f674c2825396c15c216c718d;p=kconfig-hardened-check.git

diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index 9dacb51..748ba22 100644
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -58,6 +58,7 @@ def add_kconfig_checks(l, arch):
     if arch in ('X86_64', 'ARM64', 'ARM'):
         l += [KconfigCheck('self_protection', 'defconfig', 'VMAP_STACK', 'y')]
     if arch in ('X86_64', 'X86_32'):
+        l += [KconfigCheck('self_protection', 'defconfig', 'SPECULATION_MITIGATIONS', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'DEBUG_WX', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'WERROR', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE', 'y')]
@@ -453,6 +454,9 @@ def add_cmdline_checks(l, arch):
         l += [OR(CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not off'),
                  AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
                      CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not set')))]
+        l += [OR(CmdlineCheck('self_protection', 'defconfig', 'spec_rstack_overflow', 'is not off'),
+                 AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
+                     CmdlineCheck('self_protection', 'defconfig', 'spec_rstack_overflow', 'is not set')))]
     if arch == 'ARM64':
         l += [OR(CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not off'),
                  AND(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt'),
@@ -569,6 +573,7 @@ no_kstrtobool_options = [
     'retbleed', # See retbleed_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
     'rodata', # See set_debug_rodata() in init/main.c
     'ssbd', # See parse_spectre_v4_param() in arch/arm64/kernel/proton-pack.c
+    'spec_rstack_overflow', # See srso_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
     'slub_debug', # See setup_slub_debug() in mm/slub.c
     'iommu', # See iommu_setup() in arch/x86/kernel/pci-dma.c
     'vsyscall', # See vsyscall_setup() in arch/x86/entry/vsyscall/vsyscall_64.c