From: Alexander Popov Date: Fri, 22 Apr 2022 07:23:04 +0000 (+0300) Subject: Disabling X86_MSR is recommended by KSPP X-Git-Tag: v0.5.17~8 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=5fcbae9cf370197c80cfe5c5e2ac2acd49d2f1e1;p=kconfig-hardened-check.git Disabling X86_MSR is recommended by KSPP
---
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index a999c97..fb9d37b 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -527,6 +527,7 @@ def add_kconfig_checks(l, arch):
 l += [KconfigCheck('cut_attack_surface', 'kspp', 'X86_X32', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'kspp', 'MODIFY_LDT_SYSCALL', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'kspp', 'OABI_COMPAT', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'kspp', 'X86_MSR', 'is not set')] # refers to LOCKDOWN
 l += [modules_not_set]
 l += [devmem_not_set]
 l += [OR(KconfigCheck('cut_attack_surface', 'kspp', 'IO_STRICT_DEVMEM', 'y'),
@@ -596,7 +597,6 @@ def add_kconfig_checks(l, arch):
 l += [KconfigCheck('cut_attack_surface', 'clipos', 'MAGIC_SYSRQ', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'clipos', 'KEXEC_FILE', 'is not set')] # refers to LOCKDOWN (permissive)
 l += [KconfigCheck('cut_attack_surface', 'clipos', 'USER_NS', 'is not set')] # user.max_user_namespaces=0
- l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_MSR', 'is not set')] # refers to LOCKDOWN
 l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_CPUID', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'clipos', 'X86_IOPL_IOPERM', 'is not set')] # refers to LOCKDOWN
 l += [KconfigCheck('cut_attack_surface', 'clipos', 'ACPI_TABLE_UPGRADE', 'is not set')] # refers to LOCKDOWN
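Review bot: The trailing comment on the added `X86_MSR` line, `# refers to LOCKDOWN`, does not say what the option exposes or how lockdown relates to it, so a reader cannot tell whether lockdown replaces this check or complements it. I would spell it out, for example `# /dev/cpu/*/msr gives root raw MSR access; LOCKDOWN limits it only when enabled at runtime`, with the wording confirmed against the KSPP recommendation. The check carries no architecture guard, which appears to match the neighbouring `X86_X32` and `OABI_COMPAT` lines, so that looks intentional. Because the reason label changes from `clipos` to `kspp`, any expected-output fixtures or documentation that list this check presumably need the same update; none are visible in this diff. The body of `add_kconfig_checks` starts and ends outside the hunk.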