projects / kconfig-hardened-check.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (from parent 1: f630654)
Require GCC for the GCC plugins (part II)
authorAlexander Popov <alex.popov@linux.com>
Sat, 20 Aug 2022 10:07:31 +0000 (13:07 +0300)
committerAlexander Popov <alex.popov@linux.com>
Sat, 20 Aug 2022 10:12:13 +0000 (13:12 +0300)
The current result on arm64_full_hardened_5.17_clang.config (clang 12):

[+] Special report mode: show_fail
[+] Kconfig file to check: my/arm64_full_hardened_5.17_clang.config
[+] Detected architecture: ARM64
[+] Detected kernel version: 5.17
=========================================================================================================================
              option name               | type  |desired val | decision |      reason      | check result
=========================================================================================================================
CONFIG_GCC_PLUGINS                      |kconfig|     y      |defconfig | self_protection  | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_STACKPROTECTOR_PER_TASK          |kconfig|     y      |defconfig | self_protection  | FAIL: not found
CONFIG_FORTIFY_SOURCE                   |kconfig|     y      |   kspp   | self_protection  | FAIL: not found
CONFIG_GCC_PLUGIN_LATENT_ENTROPY        |kconfig|     y      |   kspp   | self_protection  | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_ZERO_CALL_USED_REGS              |kconfig|     y      |   kspp   | self_protection  | FAIL: not found
CONFIG_GCC_PLUGIN_RANDSTRUCT            |kconfig|     y      |   kspp   | self_protection  | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_GCC_PLUGIN_STACKLEAK             |kconfig|     y      |   kspp   | self_protection  | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE|kconfig| is not set |  clipos  | self_protection  | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_STACKLEAK_METRICS                |kconfig| is not set |  clipos  | self_protection  | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_STACKLEAK_RUNTIME_DISABLE        |kconfig| is not set |  clipos  | self_protection  | FAIL: CONFIG_CC_IS_GCC not "y"

CONFIG_STACKPROTECTOR_PER_TASK, CONFIG_FORTIFY_SOURCE and CONFIG_ZERO_CALL_USED_REGS
will be supported for clang in future (WIP).

kconfig_hardened_check/__init__.py patch | blob | history

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index 8922fdbe5f2d23e0d3199792fe6285ff71fa8790..88d373c236bc32aa92da5d2600f0adb34db42e3e 100644 (file)
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -462,12 +462,15 @@ def add_kconfig_checks(l, arch):
     l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_BOOTLOADER', 'is not set')]
     l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_CPU', 'is not set')]
     l += [AND(KconfigCheck('self_protection', 'clipos', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'),
-              randstruct_is_set)]
+              randstruct_is_set,
+              cc_is_gcc)]
     if arch in ('X86_64', 'ARM64', 'X86_32'):
         l += [AND(KconfigCheck('self_protection', 'clipos', 'STACKLEAK_METRICS', 'is not set'),
-                  stackleak_is_set)]
+                  stackleak_is_set,
+                  cc_is_gcc)]
         l += [AND(KconfigCheck('self_protection', 'clipos', 'STACKLEAK_RUNTIME_DISABLE', 'is not set'),
-                  stackleak_is_set)]
+                  stackleak_is_set,
+                  cc_is_gcc)]
     if arch in ('X86_64', 'X86_32'):
         l += [AND(KconfigCheck('self_protection', 'clipos', 'INTEL_IOMMU_DEFAULT_ON', 'y'),
                   iommu_support_is_set)]
kconfig-hardened-check