(from parent 1: f630654)
The current result on arm64_full_hardened_5.17_clang.config (clang 12):
[+] Special report mode: show_fail
[+] Kconfig file to check: my/arm64_full_hardened_5.17_clang.config
[+] Detected architecture: ARM64
[+] Detected kernel version: 5.17
=========================================================================================================================
option name | type |desired val | decision | reason | check result
=========================================================================================================================
CONFIG_GCC_PLUGINS |kconfig| y |defconfig | self_protection | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_STACKPROTECTOR_PER_TASK |kconfig| y |defconfig | self_protection | FAIL: not found
CONFIG_FORTIFY_SOURCE |kconfig| y | kspp | self_protection | FAIL: not found
CONFIG_GCC_PLUGIN_LATENT_ENTROPY |kconfig| y | kspp | self_protection | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_ZERO_CALL_USED_REGS |kconfig| y | kspp | self_protection | FAIL: not found
CONFIG_GCC_PLUGIN_RANDSTRUCT |kconfig| y | kspp | self_protection | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_GCC_PLUGIN_STACKLEAK |kconfig| y | kspp | self_protection | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE|kconfig| is not set | clipos | self_protection | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_STACKLEAK_METRICS |kconfig| is not set | clipos | self_protection | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_STACKLEAK_RUNTIME_DISABLE |kconfig| is not set | clipos | self_protection | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_STACKPROTECTOR_PER_TASK, CONFIG_FORTIFY_SOURCE and CONFIG_ZERO_CALL_USED_REGS
will be supported for clang in future (WIP).
l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_BOOTLOADER', 'is not set')]
l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_CPU', 'is not set')]
l += [AND(KconfigCheck('self_protection', 'clipos', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'),
l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_BOOTLOADER', 'is not set')]
l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_CPU', 'is not set')]
l += [AND(KconfigCheck('self_protection', 'clipos', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'),
+ randstruct_is_set,
+ cc_is_gcc)]
if arch in ('X86_64', 'ARM64', 'X86_32'):
l += [AND(KconfigCheck('self_protection', 'clipos', 'STACKLEAK_METRICS', 'is not set'),
if arch in ('X86_64', 'ARM64', 'X86_32'):
l += [AND(KconfigCheck('self_protection', 'clipos', 'STACKLEAK_METRICS', 'is not set'),
+ stackleak_is_set,
+ cc_is_gcc)]
l += [AND(KconfigCheck('self_protection', 'clipos', 'STACKLEAK_RUNTIME_DISABLE', 'is not set'),
l += [AND(KconfigCheck('self_protection', 'clipos', 'STACKLEAK_RUNTIME_DISABLE', 'is not set'),
+ stackleak_is_set,
+ cc_is_gcc)]
if arch in ('X86_64', 'X86_32'):
l += [AND(KconfigCheck('self_protection', 'clipos', 'INTEL_IOMMU_DEFAULT_ON', 'y'),
iommu_support_is_set)]
if arch in ('X86_64', 'X86_32'):
l += [AND(KconfigCheck('self_protection', 'clipos', 'INTEL_IOMMU_DEFAULT_ON', 'y'),
iommu_support_is_set)]
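Review bot: the added `cc_is_gcc` operand in the three AND(...) checks (GCC_PLUGIN_RANDSTRUCT_PERFORMANCE, STACKLEAK_METRICS, STACKLEAK_RUNTIME_DISABLE) needs a code comment explaining why an 'is not set' check is made to FAIL on a non-GCC build. On the clang config in the commit message these options satisfy their desired value, since they cannot be enabled there, yet all three now report `FAIL: CONFIG_CC_IS_GCC not "y"`. A reader of the rules will not see that the failure is meant to flag the missing parent feature rather than a bad value. Also confirm whether `randstruct_is_set` and `stackleak_is_set` already include the compiler dependency: the output shows CONFIG_GCC_PLUGIN_RANDSTRUCT and CONFIG_GCC_PLUGIN_STACKLEAK failing with the same CC_IS_GCC reason, so if those objects are the same checks, the extra operand changes only the reported reason and that is worth saying next to it. The same three-operand pattern is repeated for both STACKLEAK options, so a small helper or a shared operand list would keep the two from drifting apart.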