From: Alexander Popov Date: Sat, 10 Dec 2022 08:01:16 +0000 (+0300) Subject: Add the kpti check X-Git-Tag: v0.6.1~30 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=ddb3e3948fd8727b27f413a1e130695b9c05c53c;p=kconfig-hardened-check.git Add the kpti check 1. Don't add an exception to normalize_cmdline_options() since strtobool() is used for kpti 2. Use new '0' check of 'is not off' --- diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index f2e2fe0..d10cc62 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -17,8 +17,6 @@ # Аrch-independent: # X86: # l1d_flush=on (a part of the l1tf option) -# ARM64: -# kpti=on # # Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE): # kasan=on @@ -747,6 +745,8 @@ def add_cmdline_checks(l, arch): CmdlineCheck('self_protection', 'defconfig', 'mmio_stale_data', 'is not set'))] l += [OR(CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not off'), CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not set'))] + l += [OR(CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not off'), + CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not set'))] if arch == 'ARM64': l += [OR(CmdlineCheck('self_protection', 'defconfig', 'ssbd', 'kernel'), CmdlineCheck('self_protection', 'my', 'ssbd', 'force-on'),