From: Alexander Popov
Date: Fri, 6 Mar 2020 22:15:42 +0000 (+0300)
Subject: Add SECURITY_LOADPIN_ENFORCE check
X-Git-Tag: v0.5.5~23
X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=bde110605e5a640a8491391935c4c3b4fefe561c;p=kconfig-hardened-check.git
Add SECURITY_LOADPIN_ENFORCE check
---
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index d2caafd..e2d8483 100755
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -20,6 +20,7 @@
 # page_poison=1 (if enabled)
 # init_on_alloc=1
 # init_on_free=1
+# loadpin.enforce=1
 #
 # Mitigations of CPU vulnerabilities:
 # Аrch-independent:
@@ -347,7 +348,10 @@ def construct_checklist(checklist, arch):
 if debug_mode or arch == 'ARM':
 checklist.append(OptCheck('SECURITY', 'y', 'kspp', 'security_policy')) # and choose your favourite LSM
 checklist.append(OptCheck('SECURITY_YAMA', 'y', 'kspp', 'security_policy'))
- checklist.append(OptCheck('SECURITY_LOADPIN', 'y', 'my', 'security_policy')) # needs userspace support
+ loadpin_is_set = OptCheck('SECURITY_LOADPIN', 'y', 'my', 'security_policy') # needs userspace support
+ checklist.append(loadpin_is_set)
+ checklist.append(AND(OptCheck('SECURITY_LOADPIN_ENFORCE', 'y', 'my', 'security_policy'), \
+ loadpin_is_set))
 checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM', 'y', 'my', 'security_policy'))
 checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY', 'y', 'my', 'security_policy'))
 checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'my', 'security_policy'))
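Review bot: The new `SECURITY_LOADPIN_ENFORCE` check in the second hunk has no comment saying that it covers only the build-time default. As far as I know the Kconfig option just sets the initial value of the `loadpin.enforce` parameter that the first hunk adds to the header list, so a kernel that passes this check can still be booted with enforcement switched off, and one that fails it may be enforcing through the command line. I would put `# build-time default only; loadpin.enforce= on the command line can override it` above the `AND(...)` line, since a reader of the report otherwise has no hint that without enforcement LoadPin presumably only reports. The trailing `\` is redundant because the continuation already sits inside the parentheses of `checklist.append(`. `construct_checklist` starts and ends outside the hunk and the behaviour of `AND` is not visible here, so I am assuming it makes the ENFORCE result depend on `loadpin_is_set`.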