Add SECURITY_LOADPIN_ENFORCE check
authorAlexander Popov <alex.popov@linux.com>
Fri, 6 Mar 2020 22:15:42 +0000 (01:15 +0300)
committerAlexander Popov <alex.popov@linux.com>
Fri, 6 Mar 2020 22:16:28 +0000 (01:16 +0300)
kconfig-hardened-check.py

index d2caafd70f3ad80f239db0f3b048c3b03bff46e8..e2d84838ddd66ec876aa84cd9ce2ccf6d0c08cf7 100755 (executable)
@@ -20,6 +20,7 @@
 #    page_poison=1 (if enabled)
 #    init_on_alloc=1
 #    init_on_free=1
+#    loadpin.enforce=1
 #
 #    Mitigations of CPU vulnerabilities:
 #       Аrch-independent:
@@ -347,7 +348,10 @@ def construct_checklist(checklist, arch):
     if debug_mode or arch == 'ARM':
         checklist.append(OptCheck('SECURITY',                               'y', 'kspp', 'security_policy')) # and choose your favourite LSM
     checklist.append(OptCheck('SECURITY_YAMA',                          'y', 'kspp', 'security_policy'))
-    checklist.append(OptCheck('SECURITY_LOADPIN',                       'y', 'my', 'security_policy')) # needs userspace support
+    loadpin_is_set = OptCheck('SECURITY_LOADPIN',                       'y', 'my', 'security_policy') # needs userspace support
+    checklist.append(loadpin_is_set)
+    checklist.append(AND(OptCheck('SECURITY_LOADPIN_ENFORCE',           'y', 'my', 'security_policy'), \
+                         loadpin_is_set))
     checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM',                  'y', 'my', 'security_policy'))
     checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY',            'y', 'my', 'security_policy'))
     checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'my', 'security_policy'))
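Review bot: The backslash on the `AND(OptCheck('SECURITY_LOADPIN_ENFORCE', ...), \` line is redundant — the call is already inside open parentheses, so Python continues the expression implicitly; dropping the `\` and keeping the second argument aligned under the first reads cleaner. The name `loadpin_is_set` reads as a boolean, but it holds an `OptCheck` instance that is both appended on its own and reused inside the `AND`; a name such as `loadpin_check` would make the shared object clearer, and a comment like `# reuse the same check object so LOADPIN is evaluated once and ENFORCE is only judged when LOADPIN is enabled` would record why it is not simply constructed twice (presumably the evaluation-once part is the intent — worth confirming against how OptCheck and AND store results). The `# needs userspace support` remark now sits on the assignment rather than the append, which is fine, but it applies to LOADPIN as a whole and could be worded that way. construct_checklist starts and ends outside the hunk.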