Check the nokaslr cmdline parameter
author
Alexander Popov
<alex.popov@linux.com>
Tue, 23 Aug 2022 18:05:45 +0000
(21:05 +0300)
committer
Alexander Popov
<alex.popov@linux.com>
Tue, 23 Aug 2022 18:05:45 +0000
(21:05 +0300)
kconfig_hardened_check/__init__.py
diff --git
a/kconfig_hardened_check/__init__.py
b/kconfig_hardened_check/__init__.py
index 88d373c236bc32aa92da5d2600f0adb34db42e3e..8ecdbf1a5fcbd08ce7f7477094d4cdb153528077 100644
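--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -29,7 +29,6 @@
 # ssbd=force-on
 #
 # Should NOT be set:
-# nokaslr
 # sysrq_always_enabled
 # arm64.nobti
 # arm64.nopauth
@@ -701,6 +700,7 @@ def add_cmdline_checks(l, arch):
 AND(KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_PASSTHROUGH', 'is not set'),
 CmdlineCheck('self_protection', 'kspp', 'iommu.passthrough', 'is not set')))]
 # The cmdline checks compatible with the kconfig recommendations of the KSPP project...
+ l += [CmdlineCheck('self_protection', 'kspp', 'nokaslr', 'is not set')]
 l += [OR(CmdlineCheck('self_protection', 'kspp', 'hardened_usercopy', '1'),
 AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY', 'y'),
 CmdlineCheck('self_protection', 'kspp', 'hardened_usercopy', 'is not set')))]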
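Review bot: The new `nokaslr` check in the second hunk is the only check visible here that is not combined with a kconfig check, so it can pass on a kernel where KASLR is not built in at all. That is fine only if RANDOMIZE_BASE is verified elsewhere, which this hunk does not show. A one-line comment above the new line would make the intent explicit, for example `# nokaslr is a bare flag: its presence alone disables KASLR; RANDOMIZE_BASE itself is covered by the kconfig checks`. It is also worth confirming, ideally with a test, that the cmdline parser records a valueless token such as `nokaslr` as set, since the neighbouring checks appear to deal with `name=value` parameters. add_cmdline_checks starts and continues outside the hunk.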