From 0a9d3d0f700260d38a39cc1735ee5bd63d3e8f36 Mon Sep 17 00:00:00 2001
From: Alexander Popov <alex.popov@linux.com>
Date: Wed, 9 Nov 2022 18:24:52 +0300
Subject: [PATCH 1/1] Add a special 'desired val' -- 'is not off'

This check gives FAIL if the option value is 'off' or
the option is not found. In other cases this check gives OK.

This feature is needed for checking that the CPU vulnerability mitigations
are not disabled. Let's see how it works and maybe improve it in future.
---
 kconfig_hardened_check/__init__.py | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index a344e17..3e3997d 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -94,7 +94,7 @@ class OptCheck:
                    'invalid expected value "{}" for "{}" check (1)'.format(expected, name)
             val_len = len(expected.split())
             if val_len == 3:
-                assert(expected == 'is not set'), \
+                assert(expected == 'is not set' or expected == 'is not off'), \
                    'invalid expected value "{}" for "{}" check (2)'.format(expected, name)
             else:
                 assert(val_len == 1), \
@@ -117,6 +117,16 @@ class OptCheck:
                 self.result = 'OK: is present'
             return
 
+        # handle the 'is not off' option check
+        if self.expected == 'is not off':
+            if self.state == 'off':
+                self.result = 'FAIL: is off'
+            elif self.state is None:
+                self.result = 'FAIL: is off, not found'
+            else:
+                self.result = 'OK: is not off, "' + self.state + '"'
+            return
+
         # handle the option value check
         if self.expected == self.state:
             self.result = 'OK'
@@ -253,6 +263,8 @@ class OR(ComplexOptCheck):
                         self.result = 'OK: {} is not found'.format(opt.name)
                     elif opt.result == 'OK: is present':
                         self.result = 'OK: {} is present'.format(opt.name)
+                    elif opt.result.startswith('OK: is not off'):
+                        self.result = 'OK: {} is not off'.format(opt.name)
                     else:
                         # VersionCheck provides enough info
                         assert(opt.result.startswith('OK: version')), \
@@ -281,6 +293,10 @@ class AND(ComplexOptCheck):
                     self.result = 'FAIL: {} is not "{}"'.format(opt.name, opt.expected)
                 elif opt.result == 'FAIL: is not present':
                     self.result = 'FAIL: {} is not present'.format(opt.name)
+                elif opt.result == 'FAIL: is off':
+                    self.result = 'FAIL: {} is off'.format(opt.name)
+                elif opt.result == 'FAIL: is off, not found':
+                    self.result = 'FAIL: {} is off, not found'.format(opt.name)
                 else:
                     # VersionCheck provides enough info
                     self.result = opt.result
-- 
2.31.1