From: Martin Rowe Date: Tue, 15 Mar 2022 12:38:05 +0000 (+0000) Subject: EFI mitigations can't be enabled if EFI is not set X-Git-Tag: v0.5.17~24^2 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=5d1fb1f843bbdf5f643ddb4cdaa604cad1dc9aab;p=kconfig-hardened-check.git EFI mitigations can't be enabled if EFI is not set Both EFI_DISABLE_PCI_DMA and RESET_ATTACK_MITIGATION depend on EFI, but if EFI is not set, neither config is required. Useful on embedded devices that use u-boot or similar instead of EFI. --- diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 9dc59ae..290768e 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -325,6 +325,7 @@ def add_kconfig_checks(l, arch): modules_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'MODULES', 'is not set') devmem_not_set = KconfigCheck('cut_attack_surface', 'kspp', 'DEVMEM', 'is not set') # refers to LOCKDOWN + efi_not_set = KconfigCheck('cut_attack_surface', 'my', 'EFI', 'is not set') # 'self_protection', 'defconfig' l += [KconfigCheck('self_protection', 'defconfig', 'BUG', 'y')] @@ -446,7 +447,8 @@ def add_kconfig_checks(l, arch): # 'self_protection', 'clipos' l += [KconfigCheck('self_protection', 'clipos', 'DEBUG_VIRTUAL', 'y')] l += [KconfigCheck('self_protection', 'clipos', 'STATIC_USERMODEHELPER', 'y')] # needs userspace support - l += [KconfigCheck('self_protection', 'clipos', 'EFI_DISABLE_PCI_DMA', 'y')] + l += [OR(KconfigCheck('self_protection', 'clipos', 'EFI_DISABLE_PCI_DMA', 'y'), + efi_not_set)] l += [KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set')] # slab_nomerge l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_BOOTLOADER', 'is not set')] l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_CPU', 'is not set')] @@ -468,7 +470,8 @@ def add_kconfig_checks(l, arch): iommu_support_is_set)] # 'self_protection', 'my' - l += [KconfigCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y')] # needs userspace support (systemd) + l += [OR(KconfigCheck('self_protection', 'my', 'RESET_ATTACK_MITIGATION', 'y'), + efi_not_set)] # needs userspace support (systemd) if arch == 'X86_64': l += [KconfigCheck('self_protection', 'my', 'SLS', 'y')] # vs CVE-2021-26341 in Straight-Line-Speculation l += [AND(KconfigCheck('self_protection', 'my', 'AMD_IOMMU_V2', 'y'),