Add the MICROCODE_INTEL and MICROCODE_AMD checks

Thanks to @izh1979 for the idea

diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index d02eb4b8e0b94d5564051f893396e569b7c8743d..9fc92e5632b2dcb04e0bd8666a11c4093714f899 100644 (file)
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -63,9 +63,16 @@ def add_kconfig_checks(l, arch):
         l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE_INTEL', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE_AMD', 'y')]
-        l += [KconfigCheck('self_protection', 'defconfig', 'MICROCODE', 'y')] # is needed for mitigating CPU bugs
         l += [KconfigCheck('self_protection', 'defconfig', 'RETPOLINE', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'SYN_COOKIES', 'y')] # another reason?
+        microcode_is_set = KconfigCheck('self_protection', 'defconfig', 'MICROCODE', 'y')
+        l += [microcode_is_set] # is needed for mitigating CPU bugs
+        l += [OR(KconfigCheck('self_protection', 'defconfig', 'MICROCODE_INTEL', 'y'),
+                 AND(microcode_is_set,
+                     VersionCheck((6, 6))))] # MICROCODE_INTEL was included in MICROCODE since v6.6
+        l += [OR(KconfigCheck('self_protection', 'defconfig', 'MICROCODE_AMD', 'y'),
+                 AND(microcode_is_set,
+                     VersionCheck((6, 6))))] # MICROCODE_AMD was included in MICROCODE since v6.6
         l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_SMAP', 'y'),
                  VersionCheck((5, 19)))] # X86_SMAP is enabled by default since v5.19
         l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_UMIP', 'y'),