From: Alexander Popov Date: Sat, 2 Dec 2023 17:33:56 +0000 (+0300) Subject: Add the MICROCODE_INTEL and MICROCODE_AMD checks X-Git-Tag: v0.6.6~43 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=6a456d6a2e0901059e809008a6e334bc4b7b1e69;p=kconfig-hardened-check.git Add the MICROCODE_INTEL and MICROCODE_AMD checks Thanks to @izh1979 for the idea --- diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py index d02eb4b..9fc92e5 100644 --- a/kernel_hardening_checker/checks.py +++ b/kernel_hardening_checker/checks.py @@ -63,9 +63,16 @@ def add_kconfig_checks(l, arch): l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE_INTEL', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE_AMD', 'y')] - l += [KconfigCheck('self_protection', 'defconfig', 'MICROCODE', 'y')] # is needed for mitigating CPU bugs l += [KconfigCheck('self_protection', 'defconfig', 'RETPOLINE', 'y')] l += [KconfigCheck('self_protection', 'defconfig', 'SYN_COOKIES', 'y')] # another reason? + microcode_is_set = KconfigCheck('self_protection', 'defconfig', 'MICROCODE', 'y') + l += [microcode_is_set] # is needed for mitigating CPU bugs + l += [OR(KconfigCheck('self_protection', 'defconfig', 'MICROCODE_INTEL', 'y'), + AND(microcode_is_set, + VersionCheck((6, 6))))] # MICROCODE_INTEL was included in MICROCODE since v6.6 + l += [OR(KconfigCheck('self_protection', 'defconfig', 'MICROCODE_AMD', 'y'), + AND(microcode_is_set, + VersionCheck((6, 6))))] # MICROCODE_AMD was included in MICROCODE since v6.6 l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_SMAP', 'y'), VersionCheck((5, 19)))] # X86_SMAP is enabled by default since v5.19 l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_UMIP', 'y'),