From 118a5a3cbc05372f75ca85de1b1cde5edc204d8e Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Sun, 7 Jul 2024 15:19:03 +0300
Subject: [PATCH] Update the `kfence.sample_interval` check
---
 kernel_hardening_checker/checks.py | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index 0bc183b..f338bbd 100755
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -556,6 +556,9 @@ def add_cmdline_checks(l: List[ChecklistObjType], arch: str) -> None:
 # Consequence of the HARDENED_USERCOPY_FALLBACK check by kspp.
 # Don't require slab_common.usercopy_fallback=0,
 # since HARDENED_USERCOPY_FALLBACK was removed in Linux v5.16.
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'kfence.sample_interval', '100'),
+ AND(KconfigCheck('self_protection', 'kspp', 'KFENCE_SAMPLE_INTERVAL', '100'),
+ CmdlineCheck('self_protection', 'kspp', 'kfence.sample_interval', 'is not set')))]
 if arch in ('X86_64', 'ARM64', 'X86_32'):
 l += [OR(CmdlineCheck('self_protection', 'kspp', 'iommu.strict', '1'),
 AND(KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y'),
@@ -574,11 +577,6 @@ def add_cmdline_checks(l: List[ChecklistObjType], arch: str) -> None:
 if arch in ('X86_64', 'X86_32'):
 l += [CmdlineCheck('self_protection', 'clipos', 'iommu', 'force')]
- # 'self_protection', 'a13xp0p0v'
- l += [OR(CmdlineCheck('self_protection', 'a13xp0p0v', 'kfence.sample_interval', 'is not off'),
- AND(KconfigCheck('self_protection', 'kspp', 'KFENCE_SAMPLE_INTERVAL', '100'),
- CmdlineCheck('self_protection', 'a13xp0p0v', 'kfence.sample_interval', 'is not set')))]
- # 'cut_attack_surface', 'defconfig'
 if arch in ('X86_64', 'X86_32'):
 tsx_not_set = CmdlineCheck('cut_attack_surface', 'defconfig', 'tsx', 'is not set')
-- 2.31.1
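Review bot: The first operand of the new `OR(...)` accepts only `kfence.sample_interval=100`, so a command line with any other non-zero interval now fails where the removed `'is not off'` check passed it. That assumes `CmdlineCheck` compares the expected value literally, which this hunk does not show. If the strictness is intended, say so next to the check, e.g. `# kspp recommends exactly 100; other non-zero intervals keep KFENCE enabled but fail here`. The three added lines also sit directly under the `HARDENED_USERCOPY_FALLBACK` comment with no blank line between them, so that comment now reads as if it described the kfence check; a blank line or a short comment of its own before `l += [OR(` would separate the two. `add_cmdline_checks` starts and ends outside the hunk.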