Add the tsx check

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index 8e08fd2da4df97b95b3cd3a4ae668e77d88e2616..d99a6bc53cffa968a177d4826102044c558fa847 100644 (file)
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -17,7 +17,6 @@
 #       Аrch-independent:
 #       X86:
 #           l1d_flush=on (a part of the l1tf option)
-#           tsx=off
 #       ARM64:
 #           kpti=on
 #
@@ -796,6 +795,12 @@ def add_cmdline_checks(l, arch):
     # 'self_protection', 'clipos'
     l += [CmdlineCheck('self_protection', 'clipos', 'page_alloc.shuffle', '1')]
 
+    # 'cut_attack_surface', 'defconfig'
+    if arch in ('X86_64', 'X86_32'):
+        l += [OR(CmdlineCheck('cut_attack_surface', 'defconfig', 'tsx', 'off'),
+                 AND(KconfigCheck('cut_attack_surface', 'defconfig', 'X86_INTEL_TSX_MODE_OFF', 'y'),
+                     CmdlineCheck('cut_attack_surface', 'defconfig', 'tsx', 'is not set')))]
+
     # 'cut_attack_surface', 'kspp'
     if arch == 'X86_64':
         l += [OR(CmdlineCheck('cut_attack_surface', 'kspp', 'vsyscall', 'none'),
@@ -989,6 +994,9 @@ def normalize_cmdline_options(option, value):
     if option == 'retbleed':
         # See retbleed_parse_cmdline() in arch/x86/kernel/cpu/bugs.c
         return value
+    if option == 'tsx':
+        # See tsx_init() in arch/x86/kernel/cpu/tsx.c
+        return value
 
     # Implement a limited part of the kstrtobool() logic
     if value in ('1', 'on', 'On', 'ON', 'y', 'Y', 'yes', 'Yes', 'YES'):