From: Alexander Popov <alex.popov@linux.com>
Date: Fri, 6 Mar 2020 22:15:42 +0000 (+0300)
Subject: Add SECURITY_LOADPIN_ENFORCE check
X-Git-Tag: v0.5.5~23
X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=bde110605e5a640a8491391935c4c3b4fefe561c;p=kconfig-hardened-check.git

Add SECURITY_LOADPIN_ENFORCE check
---

diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index d2caafd..e2d8483 100755
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -20,6 +20,7 @@
 #    page_poison=1 (if enabled)
 #    init_on_alloc=1
 #    init_on_free=1
+#    loadpin.enforce=1
 #
 #    Mitigations of CPU vulnerabilities:
 #       Аrch-independent:
@@ -347,7 +348,10 @@ def construct_checklist(checklist, arch):
     if debug_mode or arch == 'ARM':
         checklist.append(OptCheck('SECURITY',                               'y', 'kspp', 'security_policy')) # and choose your favourite LSM
     checklist.append(OptCheck('SECURITY_YAMA',                          'y', 'kspp', 'security_policy'))
-    checklist.append(OptCheck('SECURITY_LOADPIN',                       'y', 'my', 'security_policy')) # needs userspace support
+    loadpin_is_set = OptCheck('SECURITY_LOADPIN',                       'y', 'my', 'security_policy') # needs userspace support
+    checklist.append(loadpin_is_set)
+    checklist.append(AND(OptCheck('SECURITY_LOADPIN_ENFORCE',           'y', 'my', 'security_policy'), \
+                         loadpin_is_set))
     checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM',                  'y', 'my', 'security_policy'))
     checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY',            'y', 'my', 'security_policy'))
     checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'my', 'security_policy'))