Add the 'nopti' check

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index 218e8fd7d8504ca08aa664edf8994a1e4a05e7e3..e795dd9151b641bd28f158879221f061f1d8f655 100644 (file)
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -732,13 +732,14 @@ def add_cmdline_checks(l, arch):
                  CmdlineCheck('self_protection', 'kspp', 'hardened_usercopy', 'is not set')))]
     l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', '0'),
              AND(KconfigCheck('self_protection', 'kspp', 'HARDENED_USERCOPY_FALLBACK', 'is not set'),
-                 CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', 'is not set')))] # ... the end
+                 CmdlineCheck('self_protection', 'kspp', 'slab_common.usercopy_fallback', 'is not set')))]
+    if arch in ('X86_64', 'X86_32'):
+        l += [AND(CmdlineCheck('self_protection', 'kspp', 'pti', 'on'),
+                  CmdlineCheck('self_protection', 'kspp', 'nopti', 'is not set'))] # ... the end
     if arch in ('X86_64', 'ARM64', 'X86_32'):
         l += [OR(CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', '1'),
                  AND(KconfigCheck('self_protection', 'kspp', 'RANDOMIZE_KSTACK_OFFSET_DEFAULT', 'y'),
                      CmdlineCheck('self_protection', 'kspp', 'randomize_kstack_offset', 'is not set')))]
-    if arch in ('X86_64', 'X86_32'):
-        l += [CmdlineCheck('self_protection', 'kspp', 'pti', 'on')]
 
     # 'self_protection', 'clipos'
     l += [CmdlineCheck('self_protection', 'clipos', 'page_alloc.shuffle', '1')]