From ddb3e3948fd8727b27f413a1e130695b9c05c53c Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Sat, 10 Dec 2022 11:01:16 +0300 Subject: [PATCH] Add the kpti check 1. Don't add an exception to normalize_cmdline_options() since strtobool() is used for kpti 2. Use new '0' check of 'is not off' --- kconfig_hardened_check/__init__.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index f2e2fe0..d10cc62 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -17,8 +17,6 @@ # Аrch-independent: # X86: # l1d_flush=on (a part of the l1tf option) -# ARM64: -# kpti=on # # Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE): # kasan=on @@ -747,6 +745,8 @@ def add_cmdline_checks(l, arch): CmdlineCheck('self_protection', 'defconfig', 'mmio_stale_data', 'is not set'))] l += [OR(CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not off'), CmdlineCheck('self_protection', 'defconfig', 'retbleed', 'is not set'))] + l += [OR(CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not off'), + CmdlineCheck('self_protection', 'defconfig', 'kpti', 'is not set'))] if arch == 'ARM64': l += [OR(CmdlineCheck('self_protection', 'defconfig', 'ssbd', 'kernel'), CmdlineCheck('self_protection', 'my', 'ssbd', 'force-on'), -- 2.31.1