From ba437af6d7a2664d169ffe9b999c812ac77a126d Mon Sep 17 00:00:00 2001
From: flipthewho
Date: Mon, 9 Sep 2024 15:58:15 +1000
Subject: [PATCH] implementation of `CONFIG_CFI_AUTO_DEFAULT`
---
 kernel_hardening_checker/checks.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index 03d1db2..8ee35c9 100755
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -277,6 +277,9 @@ def add_kconfig_checks(l: List[ChecklistObjType], arch: str) -> None:
 # DEBUG_WX has been renamed to ARM_DEBUG_WX on ARM
 # 'self_protection', 'a13xp0p0v'
+ if arch == 'X86_64':
+ l += [AND(KconfigCheck('self_protection', 'a13xp0p0v', 'CFI_AUTO_DEFAULT', 'is not set'), # same as 'cfi=kcfi'
+ KconfigCheck('self_protection', 'a13xp0p0v', 'CFI_AUTO_DEFAULT', 'is present'))]
 if arch == 'ARM':
 l += [KconfigCheck('self_protection', 'a13xp0p0v', 'ARM_SMMU', 'y')]
 l += [KconfigCheck('self_protection', 'a13xp0p0v', 'ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT', 'y')]
@@ -568,7 +571,6 @@ def add_cmdline_checks(l: List[ChecklistObjType], arch: str) -> None:
 l += [CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp
 l += [CmdlineCheck('self_protection', 'kspp', 'slub_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp
 l += [CmdlineCheck('self_protection', 'kspp', 'page_alloc.shuffle', '1')]
- l += [CmdlineCheck('self_protection', 'kspp', 'cfi', 'kcfi')]
 l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_nomerge', 'is present'),
 AND(KconfigCheck('self_protection', 'kspp', 'SLAB_MERGE_DEFAULT', 'is not set'),
 CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set'),
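Review bot: The X86_64 block added to add_kconfig_checks (the -277 hunk) pairs `'is not set'` with `'is present'` on the same option without saying why, and the trailing `# same as 'cfi=kcfi'` comment sits on the first leg only. Presumably `'is not set'` alone would also pass when CFI_AUTO_DEFAULT is missing from the config, so the second leg is what makes the check mean "explicitly disabled". A comment above the `l +=` line would record that, e.g. `# CFI_AUTO_DEFAULT must exist and be disabled (boot default is then 'cfi=kcfi'); an absent option proves nothing`. It is also worth confirming the intended result where the option does not exist at all, such as kernels that predate it or builds where FineIBT cannot be selected, since this AND would then report a failure (inferred; the check engine is not visible here). The function body starts and ends outside the hunk.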
@@ -610,6 +612,11 @@ def add_cmdline_checks(l: List[ChecklistObjType], arch: str) -> None:
 if arch == 'ARM64':
 l += [OR(CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto'),
 CmdlineCheck('self_protection', 'kspp', 'mitigations', 'is not set'))] # same as 'auto'
+ if arch == 'X86_64':
+ l += [OR(CmdlineCheck('self_protection', 'kspp', 'cfi', 'kcfi'),
+ AND(KconfigCheck('self_protection', 'a13xp0p0v', 'CFI_AUTO_DEFAULT', 'is not set'), # same as 'cfi=kcfi'
+ KconfigCheck('self_protection', 'a13xp0p0v', 'CFI_AUTO_DEFAULT', 'is present'),
+ CmdlineCheck('self_protection', 'kspp', 'cfi', 'is not set')))]
 # 'self_protection', 'clipos'
 if arch in ('X86_64', 'X86_32'):
--
2.31.1
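Review bot: The `cfi` cmdline check is now emitted only under `if arch == 'X86_64':`, because the unconditional `CmdlineCheck('self_protection', 'kspp', 'cfi', 'kcfi')` is deleted in the -568 hunk and re-added here inside the arch gate. Every other architecture silently loses the check, and neither the commit subject nor a comment says so. If the narrowing is intended (the `cfi=` boot parameter appears to be x86_64-specific), state it next to the gate, e.g. `# 'cfi=' is only parsed by x86_64 kernels, so other arches get no check here`. The inner AND also repeats the two KconfigCheck legs from add_kconfig_checks verbatim, so a later change to one copy has to be mirrored in the other. add_cmdline_checks starts and ends outside the hunk.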