# Mitigations of CPU vulnerabilities:
# Аrch-independent:
# X86:
-# l1tf=full,force
# l1d_flush=on (a part of the l1tf option)
# mds=full,nosmt
# tsx=off
CmdlineCheck('self_protection', 'defconfig', 'spectre_v2_user', 'is not set'))]
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'spec_store_bypass_disable', 'is not off'),
CmdlineCheck('self_protection', 'defconfig', 'spec_store_bypass_disable', 'is not set'))]
+ l += [OR(CmdlineCheck('self_protection', 'defconfig', 'l1tf', 'is not off'),
+ CmdlineCheck('self_protection', 'defconfig', 'l1tf', 'is not set'))]
if arch == 'ARM64':
l += [OR(CmdlineCheck('self_protection', 'defconfig', 'rodata', 'full'),
AND(KconfigCheck('self_protection', 'defconfig', 'RODATA_FULL_DEFAULT_ENABLED', 'y'),
if option == 'spec_store_bypass_disable':
# See ssb_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
return value
+ if option == 'l1tf':
+ # See l1tf_cmdline() in arch/x86/kernel/cpu/bugs.c
+ return value
# Implement a limited part of the kstrtobool() logic
if value in ('1', 'on', 'On', 'ON', 'y', 'Y', 'yes', 'Yes', 'YES'):