From: Alexander Popov
Date: Sat, 22 Apr 2023 14:50:25 +0000 (+0300)
Subject: Check that CoreSight Tracing Support is disabled (to cut attack surface)
X-Git-Tag: v0.6.6~173
X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;ds=sidebyside;h=21170ca63487253f75dbe8c0567d53fe32522a7d;p=kconfig-hardened-check.git

Check that CoreSight Tracing Support is disabled (to cut attack surface)

The CONFIG_CORESIGHT framework provides a kernel interface for the CoreSight debug and trace drivers for ARM/ARM64. It's better to have it disabled to cut attack surface.
---
diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py
index 60841e2..ff1ce79 100644
--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -390,6 +390,7 @@ def add_kconfig_checks(l, arch):
 l += [KconfigCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger
 l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'my', 'AIO', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'my', 'CORESIGHT', 'is not set')]
 l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'), modules_not_set)]
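Review bot: The added `CORESIGHT` check carries no trailing comment with its rationale, while the neighbouring `INPUT_EVBUG` line does, so the reason for the check lives only in the commit message. I would append a short comment such as `# ARM/ARM64 debug and trace drivers`, which also tells a reader that the symbol exists only on those architectures. The body of add_kconfig_checks starts and ends outside the hunk, so it is not visible whether this line runs for every `arch`. If it does, it is worth confirming that a config where the symbol is absent (for example x86) is reported as passing the `is not set` check, not as a failure.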