Add CLIP OS recommendation about X86_CPUID

author Alexander Popov <alex.popov@linux.com>

Wed, 18 Mar 2020 09:18:31 +0000 (12:18 +0300)

committer Alexander Popov <alex.popov@linux.com>

Wed, 18 Mar 2020 11:19:15 +0000 (14:19 +0300)
author Alexander Popov <alex.popov@linux.com>
Wed, 18 Mar 2020 09:18:31 +0000 (12:18 +0300)
committer Alexander Popov <alex.popov@linux.com>
Wed, 18 Mar 2020 11:19:15 +0000 (14:19 +0300)
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py

index 6e0d8f6be61e42d6043becc327c49e5f13a386b4..14ff37aa3ca3ff4acf15db4cc2b16d7d7e2c83ee 100755 (executable)
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -420,6 +420,7 @@ def construct_checklist(checklist, arch):
      checklist.append(OptCheck('KEXEC_FILE',               'is not set', 'clipos', 'cut_attack_surface')) # refers to LOCKDOWN (permissive)
      checklist.append(OptCheck('USER_NS',                  'is not set', 'clipos', 'cut_attack_surface')) # user.max_user_namespaces=0
      checklist.append(OptCheck('X86_MSR',                  'is not set', 'clipos', 'cut_attack_surface')) # refers to LOCKDOWN
+    checklist.append(OptCheck('X86_CPUID',                'is not set', 'clipos', 'cut_attack_surface'))
      checklist.append(AND(OptCheck('LDISC_AUTOLOAD',           'is not set', 'clipos', 'cut_attack_surface'), \
                           VerCheck((5, 1)))) # LDISC_AUTOLOAD can be disabled since v5.1
author	Alexander Popov <alex.popov@linux.com>
	Wed, 18 Mar 2020 09:18:31 +0000 (12:18 +0300)
committer	Alexander Popov <alex.popov@linux.com>
	Wed, 18 Mar 2020 11:19:15 +0000 (14:19 +0300)