summary |
shortlog |
log |
commit | commitdiff |
tree
raw |
patch |
inline | side by side (from parent 1:
7f9ca33)
RANDOM_TRUST_BOOTLOADER and RANDOM_TRUST_CPU should be disabled if
HW_RANDOM_TPM is enabled.
The Clip OS description:
Do not credit entropy included in Linux’s entropy pool when generated
by the CPU manufacturer’s HWRNG, the bootloader or the UEFI firmware.
Fast and robust initialization of Linux’s CSPRNG is instead achieved
thanks to the TPM’s HWRNG.
l += [OR(KconfigCheck('self_protection', 'clipos', 'EFI_DISABLE_PCI_DMA', 'y'),
efi_not_set)]
l += [KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set')]
l += [OR(KconfigCheck('self_protection', 'clipos', 'EFI_DISABLE_PCI_DMA', 'y'),
efi_not_set)]
l += [KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set')]
- l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_BOOTLOADER', 'is not set')]
- l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_CPU', 'is not set')]
- l += [KconfigCheck('self_protection', 'clipos', 'CONFIG_HW_RANDOM_TPM', 'y')]
+ hw_random_tpm_is_set = KconfigCheck('self_protection', 'clipos', 'HW_RANDOM_TPM', 'y')
+ l += [hw_random_tpm_is_set]
+ l += [AND(KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_BOOTLOADER', 'is not set'),
+ hw_random_tpm_is_set)]
+ l += [AND(KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_CPU', 'is not set'),
+ hw_random_tpm_is_set)]
l += [AND(KconfigCheck('self_protection', 'clipos', 'RANDSTRUCT_PERFORMANCE', 'is not set'),
KconfigCheck('self_protection', 'clipos', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'),
randstruct_is_set)]
l += [AND(KconfigCheck('self_protection', 'clipos', 'RANDSTRUCT_PERFORMANCE', 'is not set'),
KconfigCheck('self_protection', 'clipos', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'),
randstruct_is_set)]