From bde110605e5a640a8491391935c4c3b4fefe561c Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Sat, 7 Mar 2020 01:15:42 +0300
Subject: [PATCH] Add SECURITY_LOADPIN_ENFORCE check
---
 kconfig-hardened-check.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index d2caafd..e2d8483 100755
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -20,6 +20,7 @@
 # page_poison=1 (if enabled)
 # init_on_alloc=1
 # init_on_free=1
+# loadpin.enforce=1
 #
 # Mitigations of CPU vulnerabilities:
 # Аrch-independent:
@@ -347,7 +348,10 @@ def construct_checklist(checklist, arch):
 if debug_mode or arch == 'ARM':
 checklist.append(OptCheck('SECURITY', 'y', 'kspp', 'security_policy')) # and choose your favourite LSM
 checklist.append(OptCheck('SECURITY_YAMA', 'y', 'kspp', 'security_policy'))
- checklist.append(OptCheck('SECURITY_LOADPIN', 'y', 'my', 'security_policy')) # needs userspace support
+ loadpin_is_set = OptCheck('SECURITY_LOADPIN', 'y', 'my', 'security_policy') # needs userspace support
+ checklist.append(loadpin_is_set)
+ checklist.append(AND(OptCheck('SECURITY_LOADPIN_ENFORCE', 'y', 'my', 'security_policy'), \
+ loadpin_is_set))
 checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM', 'y', 'my', 'security_policy'))
 checklist.append(OptCheck('SECURITY_LOCKDOWN_LSM_EARLY', 'y', 'my', 'security_policy'))
 checklist.append(OptCheck('LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY', 'y', 'my', 'security_policy'))
-- 
2.31.1
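Review bot: The new `SECURITY_LOADPIN_ENFORCE` entry in the second hunk has no trailing comment, unlike the entries around it, so the report gives no hint that this option only sets the boot-time default. As far as I recall from the LoadPin Kconfig help, enforcement is still governed by `loadpin.enforce=` on the kernel command line, which a config-only check cannot see; that is presumably why the first hunk lists the parameter separately. I would add a comment on that line such as `# boot-time default only; loadpin.enforce= on the cmdline can still override it`, and note next to `loadpin_is_set` that the `AND` is there because ENFORCE is meaningless without `SECURITY_LOADPIN`. The `\` after the first argument is redundant, since the continuation is already inside the open parentheses of `AND(`. How `AND` reports a failing second operand is not visible here, and `construct_checklist` starts and ends outside the hunk.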