From 21170ca63487253f75dbe8c0567d53fe32522a7d Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Sat, 22 Apr 2023 17:50:25 +0300
Subject: [PATCH] Check that CoreSight Tracing Support is disabled (to cut attack surface) The CONFIG_CORESIGHT framework provides a kernel interface for the CoreSight debug and trace drivers for ARM/ARM64. It's better to have it disabled to cut attack surface.
---
 kconfig_hardened_check/checks.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py
index 60841e2..ff1ce79 100644
--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -390,6 +390,7 @@ def add_kconfig_checks(l, arch):
 l += [KconfigCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger
 l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')]
 l += [KconfigCheck('cut_attack_surface', 'my', 'AIO', 'is not set')]
+ l += [KconfigCheck('cut_attack_surface', 'my', 'CORESIGHT', 'is not set')]
 l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'), modules_not_set)]
--
2.31.1
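Review bot: The added `CORESIGHT` check carries no rationale in the file, so the reason given in the commit message is lost to anyone reading `checks.py`. The `INPUT_EVBUG` line just above documents its reason with a trailing comment, and the new line could follow suit with `# Kernel interface to the ARM/ARM64 debug and trace drivers`. The commit message ties CoreSight to ARM/ARM64, but the check sits outside any architecture condition visible in this hunk. That is presumably harmless if the tool treats an absent symbol as satisfying `is not set`, but that handling is not shown here and is worth confirming. `add_kconfig_checks` starts and ends outside the hunk.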