From: Alexander Popov Date: Sun, 1 Sep 2024 21:33:21 +0000 (+0300) Subject: Update the DEBUG_WX check for ARM64 and ARM X-Git-Tag: v0.6.10~12 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=8022e56a320f31048d638766d1d1af822f7e49f2;p=kconfig-hardened-check.git Update the DEBUG_WX check for ARM64 and ARM It was renamed for ARM in the commit a90f0a02f139a13d3c26dd20644b50fc731f17da. --- diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py index ef32405..eba75c7 100755 --- a/kernel_hardening_checker/checks.py +++ b/kernel_hardening_checker/checks.py @@ -249,7 +249,6 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: l += [AND(KconfigCheck('self_protection', 'kspp', 'INTEL_IOMMU_DEFAULT_ON', 'y'), iommu_support_is_set)] if arch in ('ARM64', 'ARM'): - l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_WX', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'WERROR', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'DEFAULT_MMAP_MIN_ADDR', '32768')] l += [KconfigCheck('self_protection', 'kspp', 'SYN_COOKIES', 'y')] # another reason? @@ -261,6 +260,7 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: l += [OR(KconfigCheck('self_protection', 'kspp', 'AMD_IOMMU_V2', 'y'), VersionCheck((6, 7, 0)))] # AMD_IOMMU_V2 was dropped in v6.7 if arch == 'ARM64': + l += [KconfigCheck('self_protection', 'kspp', 'DEBUG_WX', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'ARM64_SW_TTBR0_PAN', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'SHADOW_CALL_STACK', 'y')] l += [KconfigCheck('self_protection', 'kspp', 'UNWIND_PATCH_PAC_INTO_SCS', 'y')] 
@@ -272,6 +272,10 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None: KconfigCheck('self_protection', 'kspp', 'PAGE_TABLE_ISOLATION', 'y'))] l += [AND(KconfigCheck('self_protection', 'kspp', 'INTEL_IOMMU', 'y'), iommu_support_is_set)] + if arch == 'ARM': + l += [OR(KconfigCheck('self_protection', 'kspp', 'ARM_DEBUG_WX', 'y'), + KconfigCheck('self_protection', 'kspp', 'DEBUG_WX', 'y'))] + # DEBUG_WX has been renamed to ARM_DEBUG_WX on ARM # 'security_policy' if arch in ('X86_64', 'ARM64', 'X86_32'):
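Review bot: In the new `if arch == 'ARM':` block the `OR(...)` accepts the legacy `DEBUG_WX` name on every kernel version, so an ARM config that still carries a stale `CONFIG_DEBUG_WX=y` line for a kernel built after the rename would presumably be reported as OK, even though only `ARM_DEBUG_WX` would enable the check there. The comment under it also omits when the rename happened, unlike the nearby `# AMD_IOMMU_V2 was dropped in v6.7`; I would write `# DEBUG_WX was renamed to ARM_DEBUG_WX on ARM in <KERNEL_VERSION> (commit a90f0a02f139)`, with the release filled in, and put it on the `OR(` line like the other trailing comments visible in this diff. If the checker has a way to limit the legacy alternative to kernels older than the rename, it belongs here; none is visible in this diff. `add_kconfig_checks` starts before this hunk and continues after it.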