Don't use CONFIG_CC_IS_GCC in the checks (it was introduced only in v4.18)
author
Alexander Popov
<alex.popov@linux.com>
Fri, 2 Sep 2022 14:22:15 +0000
(17:22 +0300)
committer
Alexander Popov
<alex.popov@linux.com>
Fri, 2 Sep 2022 14:22:15 +0000
(17:22 +0300)
kconfig_hardened_check/__init__.py
diff --git
a/kconfig_hardened_check/__init__.py
b/kconfig_hardened_check/__init__.py
index 2f9257a9464a70cec685198e28c83b293518a7bc..a7beeb707c8944b6dbb57f2a01ef88c52f47148b 100644
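--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -322,8 +322,8 @@ def add_kconfig_checks(l, arch):
 # 'self_protection', 'defconfig'
 l += [KconfigCheck('self_protection', 'defconfig', 'BUG', 'y')]
 l += [KconfigCheck('self_protection', 'defconfig', 'SLUB_DEBUG', 'y')]
-l += [AND(KconfigCheck('self_protection', 'defconfig', 'GCC_PLUGINS', 'y'),
-cc_is_gcc)]
+gcc_plugins_support_is_set = KconfigCheck('self_protection', 'defconfig', 'GCC_PLUGINS', 'y')
+l += [gcc_plugins_support_is_set]
 l += [OR(KconfigCheck('self_protection', 'defconfig', 'STACKPROTECTOR', 'y'),
 KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR', 'y'),
 KconfigCheck('self_protection', 'defconfig', 'CC_STACKPROTECTOR_REGULAR', 'y'),
@@ -396,7 +396,7 @@ def add_kconfig_checks(l, arch):
 l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_NOTIFIERS', 'y')]
 l += [KconfigCheck('self_protection', 'kspp', 'INIT_ON_ALLOC_DEFAULT_ON', 'y')]
 l += [AND(KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_LATENT_ENTROPY', 'y'),
-cc_is_gcc)]
+gcc_plugins_support_is_set)]
 l += [KconfigCheck('self_protection', 'kspp', 'KFENCE', 'y')]
 l += [KconfigCheck('self_protection', 'kspp', 'WERROR', 'y')]
 l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y')]
@@ -430,7 +430,7 @@ def add_kconfig_checks(l, arch):
 # That brings higher performance penalty.
 if arch in ('X86_64', 'ARM64', 'X86_32'):
 stackleak_is_set = KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_STACKLEAK', 'y')
-l += [AND(stackleak_is_set, cc_is_gcc)]
+l += [AND(stackleak_is_set, gcc_plugins_support_is_set)]
 l += [KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y')]
 if arch in ('X86_64', 'X86_32'):
 l += [KconfigCheck('self_protection', 'kspp', 'SCHED_CORE', 'y')]
@@ -468,10 +468,10 @@ def add_kconfig_checks(l, arch):
 if arch in ('X86_64', 'ARM64', 'X86_32'):
 l += [AND(KconfigCheck('self_protection', 'clipos', 'STACKLEAK_METRICS', 'is not set'),
 stackleak_is_set,
-cc_is_gcc)]
+gcc_plugins_support_is_set)]
 l += [AND(KconfigCheck('self_protection', 'clipos', 'STACKLEAK_RUNTIME_DISABLE', 'is not set'),
 stackleak_is_set,
-cc_is_gcc)]
+gcc_plugins_support_is_set)]
 if arch in ('X86_64', 'X86_32'):
 l += [AND(KconfigCheck('self_protection', 'clipos', 'INTEL_IOMMU_DEFAULT_ON', 'y'),
 iommu_support_is_set)]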
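Review bot: `gcc_plugins_support_is_set` is defined in the 'defconfig' block (hunk at line 322) and then reused as the dependency operand of the 'kspp' and 'clipos' AND checks far further down, but nothing at the definition says so or records why `CC_IS_GCC` is avoided. A comment there such as `# Used as the dependency for the GCC plugin checks instead of CC_IS_GCC, which exists only since v4.18` would keep the reason from the commit title next to the code. None of the four hunks removes the definition of `cc_is_gcc`, so if no other use remains it is now dead and can be dropped. In the STACKLEAK_METRICS and STACKLEAK_RUNTIME_DISABLE checks the new operand follows `stackleak_is_set`, which presumably already implies GCC_PLUGINS, so it likely only influences which failed dependency is reported; worth confirming that is the intended message. add_kconfig_checks starts and ends outside these hunks.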