From 80ade8342566cf6f93c2f0d50440e9815cb8e53d Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Tue, 31 Mar 2020 15:24:13 +0300 Subject: [PATCH 01/16] Revisit special behavior in checking and printing that depends on the class --- kconfig_hardened_check/__init__.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 8e224c9..48e5454 100755 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -158,7 +158,7 @@ class OR(ComplexOptCheck): for i, opt in enumerate(self.opts): ret, msg = opt.check() if ret: - if i == 0 or not hasattr(opt, 'name'): + if i == 0 or not hasattr(opt, 'expected'): self.result = opt.result else: self.result = 'OK: CONFIG_{} "{}"'.format(opt.name, opt.expected) @@ -179,7 +179,7 @@ class AND(ComplexOptCheck): self.result = opt.result return ret, self.result elif not ret: - if hasattr(opt, 'name'): + if hasattr(opt, 'expected'): self.result = 'FAIL: CONFIG_{} is needed'.format(opt.name) else: self.result = opt.result @@ -515,12 +515,12 @@ def perform_checks(checklist, parsed_options): if hasattr(opt, 'opts'): # prepare ComplexOptCheck for o in opt.opts: - if hasattr(o, 'name'): + if hasattr(o, 'state'): o.state = parsed_options.get(o.name, None) else: - # prepare simple OptCheck - if not hasattr(opt, 'name'): - sys.exit('[!] ERROR: bad OptCheck {}'.format(vars(opt))) + # prepare simple check + if not hasattr(opt, 'state'): + sys.exit('[!] ERROR: bad simple check {}'.format(vars(opt))) opt.state = parsed_options.get(opt.name, None) opt.check() -- 2.31.1 From bb2cacde34665bab16e7d2ea09972758a2372934 Mon Sep 17 00:00:00 2001 
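Review bot: In the perform_checks hunk the new guards test for a `state` attribute, but the lines right after them read `o.name` and `opt.name`, so a check object that has `state` without `name` would die with an AttributeError before reaching the `bad simple check` exit. Testing both keeps the diagnostic accurate: `if not hasattr(opt, 'state') or not hasattr(opt, 'name'):`, and likewise `if hasattr(o, 'state') and hasattr(o, 'name'):` in the ComplexOptCheck branch above it. The `parsed_options.get(o.name, None)` calls can drop the explicit `None`, which is already the default. perform_checks begins before this hunk.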
From: Alexander Popov Date: Tue, 31 Mar 2020 16:18:05 +0300 Subject: [PATCH 02/16] Create polymorphism for printing, add table_print() method for each class That makes print_checklist() much better. --- kconfig_hardened_check/__init__.py | 49 ++++++++++++++++-------------- 1 file changed, 26 insertions(+), 23 deletions(-) diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 48e5454..f56ee37 100755 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -98,6 +98,12 @@ class OptCheck: else: return False, self.result + def table_print(self, with_results): + print('CONFIG_{:<38}|{:^13}|{:^10}|{:^20}'.format(self.name, self.expected, self.decision, self.reason), end='') + if with_results: + print('| {}'.format(self.result), end='') + print() + class VerCheck: def __init__(self, ver_expected): @@ -118,6 +124,13 @@ class VerCheck: self.result = 'FAIL: version < ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1]) return False, self.result + def table_print(self, with_results): + ver_req = 'kernel version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1]) + print('{:<91}'.format(ver_req), end='') + if with_results: + print('| {}'.format(self.result), end='') + print() + class ComplexOptCheck: def __init__(self, *opts): @@ -144,6 +157,18 @@ class ComplexOptCheck: def reason(self): return self.opts[0].reason + def table_print(self, with_results): + if debug_mode: + print(' {:87}'.format('<<< ' + self.__class__.__name__ + ' >>>'), end='') + if with_results: + print('| {}'.format(self.result), end='') + print() + for o in self.opts: + o.table_print(with_results) + else: + o = self.opts[0] + o.table_print(with_results) + class OR(ComplexOptCheck): # self.opts[0] is the option that this OR-check is about. 
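Review bot: The three new `table_print(with_results)` methods form an implicit protocol — ComplexOptCheck.table_print calls it on whatever is in `self.opts`, and the print_checklist hunk in the next patch section calls it on every checklist element — but none of them documents it, and ComplexOptCheck.table_print additionally depends on the module global `debug_mode` without saying so. A one-line docstring on each, e.g. `"""Print this check as one table row; append the result column when with_results is true."""`, would make the contract explicit for anyone adding a new check class. The `print('| {}'.format(self.result), end='')` tail is now copied into all three classes; a small shared helper or a common base class would keep the result-column format in one place.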
@@ -458,13 +483,6 @@ def construct_checklist(checklist, arch): # checklist.append(OptCheck('LKDTM', 'm', 'my', 'feature_test')) -def print_opt(opt, with_results): - print('CONFIG_{:<38}|{:^13}|{:^10}|{:^20}'.format(opt.name, opt.expected, opt.decision, opt.reason), end='') - if with_results: - print('| {}'.format(opt.result), end='') - print() - - def print_checklist(checklist, with_results): if json_mode: opts = [] @@ -489,22 +507,7 @@ def print_checklist(checklist, with_results): # table contents for opt in checklist: - if debug_mode and hasattr(opt, 'opts'): - print(' {:87}'.format('<<< ' + opt.__class__.__name__ + ' >>>'), end='') - if with_results: - print('| {}'.format(opt.result), end='') - print() - for o in opt.opts: - if hasattr(o, 'ver_expected'): - ver_req = 'kernel version >= ' + str(o.ver_expected[0]) + '.' + str(o.ver_expected[1]) - print('{:<91}'.format(ver_req), end='') - if with_results: - print('| {}'.format(o.result), end='') - print() - else: - print_opt(o, with_results) - else: - print_opt(opt, with_results) + opt.table_print(with_results) if debug_mode: print('-' * sep_line_len) print() -- 2.31.1 From 52caf95cdfdd25f1e49554068b26a2c0c0332026 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Tue, 31 Mar 2020 16:18:44 +0300 Subject: [PATCH 03/16] Add more tests to increase coverage - IV --- .github/workflows/main.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 11bb72c..86cac64 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -54,11 +54,20 @@ jobs: coverage run -a --branch bin/kconfig-hardened-check coverage run -a --branch bin/kconfig-hardened-check -p X86_64 + coverage run -a --branch bin/kconfig-hardened-check -p X86_64 --debug + coverage run -a --branch bin/kconfig-hardened-check -p X86_64 --json + coverage run -a --branch bin/kconfig-hardened-check -p X86_32 + coverage run -a --branch bin/kconfig-hardened-check -p X86_32 --debug + coverage run -a --branch bin/kconfig-hardened-check -p X86_32 --json + coverage run -a --branch bin/kconfig-hardened-check -p ARM64 + coverage run -a --branch bin/kconfig-hardened-check -p ARM64 --debug + coverage run -a --branch bin/kconfig-hardened-check -p ARM64 --json + coverage run -a --branch bin/kconfig-hardened-check -p ARM - coverage run -a --branch bin/kconfig-hardened-check -p X86_64 --debug - coverage run -a --branch bin/kconfig-hardened-check -p X86_64 --json + coverage run -a --branch bin/kconfig-hardened-check -p ARM --debug + coverage run -a --branch bin/kconfig-hardened-check -p ARM --json CONFIG_DIR=`find /opt/hostedtoolcache/Python/ -name config_files` CONFIGS=`find $CONFIG_DIR -type f|grep "\.config"` -- 2.31.1 From 97325e595e3d38b84d6f973d2e216931083d8fcf Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Tue, 31 Mar 2020 16:41:40 +0300 Subject: [PATCH 04/16] Newline should be printed by print_checklist() that prints the table --- kconfig_hardened_check/__init__.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index f56ee37..5bf50c8 100755 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -102,7 +102,6 @@ class OptCheck: print('CONFIG_{:<38}|{:^13}|{:^10}|{:^20}'.format(self.name, self.expected, self.decision, self.reason), end='') if with_results: print('| {}'.format(self.result), end='') - print() class VerCheck: 
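Review bot: The twelve `coverage run` lines in this hunk differ only in the architecture and the trailing flag, so every new architecture or option means editing a dozen near-identical copies. A nested shell loop inside the same `run:` step produces the same twelve invocations and keeps the matrix in one place. Indentation below is illustrative; it must match the surrounding `run:` block.
```yaml
          for arch in X86_64 X86_32 ARM64 ARM; do
            for flag in "" --debug --json; do
              coverage run -a --branch bin/kconfig-hardened-check -p $arch $flag
            done
          done
          # … unchanged: CONFIG_DIR / CONFIGS discovery …
```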
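Review bot: Dropping the trailing `print()` here, and in the VerCheck and ComplexOptCheck hunks of the same patch, changes `table_print`'s contract to "emit a row without a newline; the caller terminates it", but nothing in the methods says so, and a reader of OptCheck.table_print alone will take the missing newline for a bug. A docstring such as `"""Print this check's table row without a trailing newline; print_checklist() ends the line."""` on each table_print records the new convention. In the ComplexOptCheck hunk the debug branch now prints the newline before each sub-row rather than after it, which is what lets the last sub-row be terminated by print_checklist — a one-line comment on that `print()` would save the next reader the same reasoning.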
@@ -129,7 +128,6 @@ class VerCheck: print('{:<91}'.format(ver_req), end='') if with_results: print('| {}'.format(self.result), end='') - print() class ComplexOptCheck: @@ -162,8 +160,8 @@ class ComplexOptCheck: print(' {:87}'.format('<<< ' + self.__class__.__name__ + ' >>>'), end='') if with_results: print('| {}'.format(self.result), end='') - print() for o in self.opts: + print() o.table_print(with_results) else: o = self.opts[0] @@ -508,6 +506,7 @@ def print_checklist(checklist, with_results): # table contents for opt in checklist: opt.table_print(with_results) + print() if debug_mode: print('-' * sep_line_len) print() -- 2.31.1 From c52892249254ed4482fcd6941296328d6bf1a59a Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Tue, 31 Mar 2020 16:42:05 +0300 Subject: [PATCH 05/16] Fix ComplexOptCheck result printing --- kconfig_hardened_check/__init__.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 5bf50c8..4e3300c 100755 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -165,7 +165,9 @@ class ComplexOptCheck: o.table_print(with_results) else: o = self.opts[0] - o.table_print(with_results) + o.table_print(False) + if with_results: + print('| {}'.format(self.result), end='') class OR(ComplexOptCheck): -- 2.31.1 From bdac2c22b96b3a682801674efed92fddc8a347b0 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Tue, 31 Mar 2020 16:57:03 +0300 Subject: [PATCH 06/16] Implement PresenceCheck and use it for LDISC_AUTOLOAD Refers to #32 --- kconfig_hardened_check/__init__.py | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 4e3300c..0f3f3d3 100755 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py 
@@ -130,6 +130,26 @@ class VerCheck: print('| {}'.format(self.result), end='') +class PresenceCheck: + def __init__(self, name): + self.name = name + self.state = None + self.result = None + + def check(self): + if self.state is None: + self.result = 'FAIL: not present' + return False, self.result + else: + self.result = 'OK: is present' + return True, self.result + + def table_print(self, with_results): + print('CONFIG_{:<84}'.format(self.name + ' is present'), end='') + if with_results: + print('| {}'.format(self.result), end='') + + class ComplexOptCheck: def __init__(self, *opts): self.opts = opts @@ -458,7 +478,7 @@ def construct_checklist(checklist, arch): checklist.append(OptCheck('X86_MSR', 'is not set', 'clipos', 'cut_attack_surface')) # refers to LOCKDOWN checklist.append(OptCheck('X86_CPUID', 'is not set', 'clipos', 'cut_attack_surface')) checklist.append(AND(OptCheck('LDISC_AUTOLOAD', 'is not set', 'clipos', 'cut_attack_surface'), \ - VerCheck((5, 1)))) # LDISC_AUTOLOAD can be disabled since v5.1 + PresenceCheck('LDISC_AUTOLOAD'))) checklist.append(OptCheck('AIO', 'is not set', 'grapheneos', 'cut_attack_surface')) -- 2.31.1 From 75bed5d6178375a64f93ced4795ee0cf47442df1 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Fri, 3 Apr 2020 20:00:06 +0300 Subject: [PATCH 07/16] Add DRM_LEGACY, FB, and VT checks Thanks to: - Dmitry Vyukov @dvyukov for the idea - Daniel Vetter @danvet for the knowledge --- README.md | 11 +++++++++-- kconfig_hardened_check/__init__.py | 4 ++++ 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b2389d9..ffae444 100644 --- a/README.md +++ b/README.md 
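Review bot: `PresenceCheck.check()` decides purely on `self.state is None`, and nothing in the class says where `state` comes from — it is filled in by perform_checks() from `parsed_options.get(name)`, so "present" means "the option has any entry in the parsed config". A class docstring would spare the next reader a trip through perform_checks, e.g. `"""Pass if the option appears in the config at all, whatever its value; state is set by perform_checks()."""`. Whether a `# CONFIG_X is not set` line counts as present depends on what the parser stores for such lines, which is outside this hunk, and is worth stating in the docstring once confirmed.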
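Review bot: Replacing `VerCheck((5, 1))` with `PresenceCheck('LDISC_AUTOLOAD')` also removes the `# LDISC_AUTOLOAD can be disabled since v5.1` comment, which was the only record of why this option is gated at all. Keeping the rationale next to the new dependency preserves it, e.g. `PresenceCheck('LDISC_AUTOLOAD')))  # exists since v5.1; check presence rather than version`. The gate now keys on whether the option is in the config rather than on the detected kernel version, which presumably is the point of the change (the commit refers to #32) and could be said in that same comment. construct_checklist continues outside the hunk.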
@@ -16,7 +16,9 @@ against my hardening preferences, which are based on the - [KSPP recommended settings][1], - [CLIP OS kernel configuration][2], - - last public [grsecurity][3] patch (options which they disable). + - last public [grsecurity][3] patch (options which they disable), + - [SECURITY_LOCKDOWN_LSM][5] patchset, + - direct feedback from Linux kernel maintainers (Daniel Vetter in [issue #38][6]). I also created [__Linux Kernel Defence Map__][4] that is a graphical representation of the relationships between these hardening features and the corresponding vulnerability classes @@ -174,6 +176,9 @@ CONFIG_MEM_SOFT_DIRTY | is not set |grsecurity| cut_atta CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface | FAIL: "y" CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface | FAIL: "y" CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface | FAIL: "m" +CONFIG_DRM_LEGACY | is not set |maintainer| cut_attack_surface | OK +CONFIG_FB | is not set |maintainer| cut_attack_surface | FAIL: "y" +CONFIG_VT | is not set |maintainer| cut_attack_surface | FAIL: "y" CONFIG_ACPI_TABLE_UPGRADE | is not set | lockdown | cut_attack_surface | FAIL: "y" CONFIG_X86_IOPL_IOPERM | is not set | lockdown | cut_attack_surface | OK: not found CONFIG_EFI_TEST | is not set | lockdown | cut_attack_surface | FAIL: "m" @@ -201,7 +206,7 @@ CONFIG_VIDEO_VIVID | is not set | my | cut_atta CONFIG_INTEGRITY | y |defconfig |userspace_hardening | OK CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | FAIL: "28" -[+] config check is finished: 'OK' - 55 / 'FAIL' - 77 +[+] config check is finished: 'OK' - 56 / 'FAIL' - 79 ``` ## kconfig-hardened-check versioning 
@@ -247,3 +252,5 @@ if we have a kernel oops in the process context, the offending/attacking process [2]: https://docs.clip-os.org/clipos/kernel.html#configuration [3]: https://grsecurity.net/ [4]: https://github.com/a13xp0p0v/linux-kernel-defence-map +[5]: https://lwn.net/Articles/791863/ +[6]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/38 diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 0f3f3d3..ea5a4c9 100755 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -459,6 +459,10 @@ def construct_checklist(checklist, arch): checklist.append(OptCheck('DEBUG_FS', 'is not set', 'grsecurity', 'cut_attack_surface')) # refers to LOCKDOWN checklist.append(OptCheck('NOTIFIER_ERROR_INJECTION','is not set', 'grsecurity', 'cut_attack_surface')) + checklist.append(OptCheck('DRM_LEGACY', 'is not set', 'maintainer', 'cut_attack_surface')) + checklist.append(OptCheck('FB', 'is not set', 'maintainer', 'cut_attack_surface')) + checklist.append(OptCheck('VT', 'is not set', 'maintainer', 'cut_attack_surface')) + checklist.append(OptCheck('ACPI_TABLE_UPGRADE', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN checklist.append(OptCheck('X86_IOPL_IOPERM', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN checklist.append(OptCheck('EFI_TEST', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN -- 2.31.1 From 100a39e2b01dadd2d27ed805cbe2b4ead7fc8b05 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Mon, 6 Apr 2020 17:36:19 +0300 Subject: [PATCH 08/16] Improve versioning --- README.md | 7 +++---- kconfig_hardened_check/__about__.py | 1 + kconfig_hardened_check/__init__.py | 5 ++++- setup.cfg | 1 - setup.py | 9 ++++++++- 5 files changed, 16 insertions(+), 7 deletions(-) create mode 100755 kconfig_hardened_check/__about__.py diff --git a/README.md b/README.md index ffae444..76d4e1d 100644 --- a/README.md +++ b/README.md 
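Review bot: The three new `maintainer` checks carry no rationale comment, unlike the `# refers to LOCKDOWN` lines around them, so the only justification lives in the commit message and in the README's link to issue #38; a trailing `# see issue #38` on the block would keep it with the code. The new decision string `maintainer` is exactly ten characters, the full width of the `{:^10}` decision column in OptCheck.table_print, which is why the README rows show it with no padding — any longer decision name would misalign the table, so a comment at the format string noting the limit would help. construct_checklist continues outside the hunk.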
@@ -44,7 +44,7 @@ or simply run `./bin/kconfig-hardened-check` from the cloned repository. ## Usage ``` usage: kconfig-hardened-check [-h] [-p {X86_64,X86_32,ARM64,ARM}] [-c CONFIG] - [--debug] [--json] + [--debug] [--json] [--version] Checks the hardening options in the Linux kernel config @@ -56,6 +56,7 @@ optional arguments: check the config_file against these preferences --debug enable verbose debug mode --json print results in JSON format + --version show program's version number and exit ``` ## Output for `Ubuntu 18.04 (Bionic Beaver with HWE)` kernel config @@ -215,9 +216,7 @@ I usually update the kernel hardening recommendations after each Linux kernel re So the version of `kconfig-hardened-check` is associated with the corresponding version of the kernel. -The version format is: __[major_number].[kernel_version]__ - -The current version of `kconfig-hardened-check` is __0.5.5__, it's marked with the git tag. +The version format is: __[major_number].[kernel_version].[kernel_patchlevel]__ ## Questions and answers diff --git a/kconfig_hardened_check/__about__.py b/kconfig_hardened_check/__about__.py new file mode 100755 index 0000000..31d29d8 --- /dev/null +++ b/kconfig_hardened_check/__about__.py @@ -0,0 +1 @@ +__version__ = '0.5.5' diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index ea5a4c9..047beff 100755 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -59,6 +59,7 @@ from argparse import ArgumentParser from collections import OrderedDict import re import json +from .__about__ import __version__ # debug_mode enables: # - reporting about unknown kernel options in the config, 
@@ -603,7 +604,8 @@ def main(): config_checklist = [] - parser = ArgumentParser(description='Checks the hardening options in the Linux kernel config') + parser = ArgumentParser(prog='kconfig-hardened-check', + description='Checks the hardening options in the Linux kernel config') parser.add_argument('-p', '--print', choices=supported_archs, help='print hardening preferences for selected architecture') parser.add_argument('-c', '--config', @@ -612,6 +614,7 @@ def main(): help='enable verbose debug mode') parser.add_argument('--json', action='store_true', help='print results in JSON format') + parser.add_argument('--version', action='version', version='%(prog)s ' + __version__) args = parser.parse_args() if args.debug: diff --git a/setup.cfg b/setup.cfg index 2ac1c3b..66bd0b7 100644 --- a/setup.cfg +++ b/setup.cfg @@ -1,6 +1,5 @@ [metadata] name = kconfig-hardened-check -version = 0.5.5 author = Alexander Popov author_email = alex.popov@linux.com home-page = https://github.com/a13xp0p0v/kconfig-hardened-check diff --git a/setup.py b/setup.py index 7f317b8..8197fab 100755 --- a/setup.py +++ b/setup.py @@ -2,4 +2,11 @@ from setuptools import setup -setup() +about = {} +with open("kconfig_hardened_check/__about__.py") as f: + exec(f.read(), about) + +print('v: "{}"'.format(about['__version__'])) + +# See the options in setup.cfg +setup(version = about['__version__']) -- 2.31.1 From a47bed83770d59987ae270d059a59e4a8fe81117 Mon Sep 17 00:00:00 2001 From: shamilbi Date: Wed, 8 Apr 2020 13:57:04 +0700 Subject: [PATCH 09/16] pylint some code --- kconfig_hardened_check/__about__.py | 0 kconfig_hardened_check/__init__.py | 60 ++++++++++++++--------------- 2 files changed, 29 insertions(+), 31 deletions(-) mode change 100755 => 100644 kconfig_hardened_check/__about__.py mode change 100755 => 100644 kconfig_hardened_check/__init__.py diff --git a/kconfig_hardened_check/__about__.py b/kconfig_hardened_check/__about__.py old mode 100755 new mode 100644 
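Review bot: The rewritten setup.py runs `exec()` over `__about__.py` to read a single string and leaves a `print('v: "{}"'.format(...))` that will show up in every install log. The file is the project's own, so the exec is low risk, but reading the literal avoids executing code at install time: `version = ast.literal_eval(re.search(r"__version__\s*=\s*(.+)", f.read()).group(1))` (with `import ast` and `import re`); either way `open()` should pass `encoding='utf-8'` and the print should go. `setup(version = about['__version__'])` also has spaces around the keyword `=`, which PEP 8 discourages (`setup(version=about['__version__'])`).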
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py old mode 100755 new mode 100644 index 047beff..c4214a1 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -61,6 +61,9 @@ import re import json from .__about__ import __version__ +# pylint: disable=line-too-long,bad-whitespace,too-many-branches +# pylint: disable=too-many-statements,global-statement + # debug_mode enables: # - reporting about unknown kernel options in the config, # - verbose printing of ComplexOptChecks (OR, AND). @@ -69,7 +72,7 @@ debug_mode = False # json_mode is for printing results in JSON format json_mode = False -supported_archs = [ 'X86_64', 'X86_32', 'ARM64', 'ARM' ] +supported_archs = ['X86_64', 'X86_32', 'ARM64', 'ARM'] kernel_version = None @@ -96,8 +99,7 @@ class OptCheck: if self.result.startswith('OK'): return True, self.result - else: - return False, self.result + return False, self.result def table_print(self, with_results): print('CONFIG_{:<38}|{:^13}|{:^10}|{:^20}'.format(self.name, self.expected, self.decision, self.reason), end='') @@ -120,9 +122,8 @@ class VerCheck: if kernel_version[1] >= self.ver_expected[1]: self.result = 'OK: version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1]) return True, self.result - else: - self.result = 'FAIL: version < ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1]) - return False, self.result + self.result = 'FAIL: version < ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1]) + return False, self.result def table_print(self, with_results): ver_req = 'kernel version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1]) 
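Review bot: The two `# pylint: disable=` comments sit at module scope, so `too-many-branches`, `too-many-statements` and `global-statement` are switched off for the entire file, including any function added later; from the rest of the series only construct_checklist() and main() appear to need the first two. Scoping them is a single comment on the offending definition, e.g. `def construct_checklist(checklist, arch):  # pylint: disable=too-many-branches,too-many-statements`, and `global-statement` can be disabled on the individual `global` lines (presumably in main()). `bad-whitespace` is a formatting message that this same patch fixes elsewhere (the `supported_archs` hunk), so it may not need disabling at all.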
@@ -141,9 +142,8 @@ class PresenceCheck: if self.state is None: self.result = 'FAIL: not present' return False, self.result - else: - self.result = 'OK: is present' - return True, self.result + self.result = 'OK: is present' + return True, self.result def table_print(self, with_results): print('CONFIG_{:<84}'.format(self.name + ' is present'), end='') @@ -202,7 +202,7 @@ class OR(ComplexOptCheck): sys.exit('[!] ERROR: invalid OR check') for i, opt in enumerate(self.opts): - ret, msg = opt.check() + ret, _ = opt.check() if ret: if i == 0 or not hasattr(opt, 'expected'): self.result = opt.result @@ -220,11 +220,11 @@ class AND(ComplexOptCheck): def check(self): for i, opt in reversed(list(enumerate(self.opts))): - ret, msg = opt.check() + ret, _ = opt.check() if i == 0: self.result = opt.result return ret, self.result - elif not ret: + if not ret: if hasattr(opt, 'expected'): self.result = 'FAIL: CONFIG_{} is needed'.format(opt.name) else: @@ -242,7 +242,7 @@ def detect_arch(fname): print('[+] Trying to detect architecture in "{}"...'.format(fname)) for line in f.readlines(): if arch_pattern.match(line): - option, value = line[7:].split('=', 1) + option, _ = line[7:].split('=', 1) if option in supported_archs: if not arch: arch = option @@ -250,8 +250,7 @@ def detect_arch(fname): return None, 'more than one supported architecture is detected' if not arch: return None, 'failed to detect architecture' - else: - return arch, 'OK' + return arch, 'OK' def detect_version(fname): @@ -270,8 +269,7 @@ def detect_version(fname): if len(ver_numbers) < 3 or not ver_numbers[0].isdigit() or not ver_numbers[1].isdigit(): msg = 'failed to parse the version "' + ver_str + '"' return None, msg - else: - return (int(ver_numbers[0]), int(ver_numbers[1])), None + return (int(ver_numbers[0]), int(ver_numbers[1])), None return None, 'no kernel version detected' 
@@ -293,7 +291,7 @@ def construct_checklist(checklist, arch): VerCheck((5, 5)))) # REFCOUNT_FULL is enabled by default since v5.5 iommu_support_is_set = OptCheck('IOMMU_SUPPORT', 'y', 'defconfig', 'self_protection') # is needed for mitigating DMA attacks checklist.append(iommu_support_is_set) - if arch == 'X86_64' or arch == 'X86_32': + if arch in ('X86_64', 'X86_32'): checklist.append(OptCheck('MICROCODE', 'y', 'defconfig', 'self_protection')) # is needed for mitigating CPU bugs checklist.append(OptCheck('RETPOLINE', 'y', 'defconfig', 'self_protection')) checklist.append(OptCheck('X86_SMAP', 'y', 'defconfig', 'self_protection')) @@ -311,15 +309,15 @@ def construct_checklist(checklist, arch): checklist.append(OptCheck('UNMAP_KERNEL_AT_EL0', 'y', 'defconfig', 'self_protection')) checklist.append(OptCheck('HARDEN_EL2_VECTORS', 'y', 'defconfig', 'self_protection')) checklist.append(OptCheck('RODATA_FULL_DEFAULT_ENABLED', 'y', 'defconfig', 'self_protection')) - if arch == 'X86_64' or arch == 'ARM64': + if arch in ('X86_64', 'ARM64'): checklist.append(OptCheck('VMAP_STACK', 'y', 'defconfig', 'self_protection')) - if arch == 'X86_64' or arch == 'ARM64' or arch == 'X86_32': + if arch in ('X86_64', 'ARM64', 'X86_32'): checklist.append(OptCheck('RANDOMIZE_BASE', 'y', 'defconfig', 'self_protection')) checklist.append(OptCheck('THREAD_INFO_IN_TASK', 'y', 'defconfig', 'self_protection')) if arch == 'ARM': checklist.append(OptCheck('CPU_SW_DOMAIN_PAN', 'y', 'defconfig', 'self_protection')) checklist.append(OptCheck('STACKPROTECTOR_PER_TASK', 'y', 'defconfig', 'self_protection')) - if arch == 'ARM64' or arch == 'ARM': + if arch in ('ARM64', 'ARM'): checklist.append(OptCheck('HARDEN_BRANCH_PREDICTOR', 'y', 'defconfig', 'self_protection')) checklist.append(OptCheck('BUG_ON_DATA_CORRUPTION', 'y', 'kspp', 'self_protection')) 
@@ -353,14 +351,14 @@ def construct_checklist(checklist, arch): checklist.append(OptCheck('INIT_ON_ALLOC_DEFAULT_ON', 'y', 'kspp', 'self_protection')) checklist.append(OR(OptCheck('INIT_ON_FREE_DEFAULT_ON', 'y', 'kspp', 'self_protection'), \ OptCheck('PAGE_POISONING', 'y', 'kspp', 'self_protection'))) # before v5.3 - if arch == 'X86_64' or arch == 'ARM64' or arch == 'X86_32': + if arch in ('X86_64', 'ARM64', 'X86_32'): stackleak_is_set = OptCheck('GCC_PLUGIN_STACKLEAK', 'y', 'kspp', 'self_protection') checklist.append(stackleak_is_set) checklist.append(AND(OptCheck('STACKLEAK_METRICS', 'is not set', 'clipos', 'self_protection'), \ stackleak_is_set)) checklist.append(AND(OptCheck('STACKLEAK_RUNTIME_DISABLE', 'is not set', 'clipos', 'self_protection'), \ stackleak_is_set)) - if arch == 'X86_64' or arch == 'X86_32': + if arch in ('X86_64', 'X86_32'): checklist.append(OptCheck('DEFAULT_MMAP_MIN_ADDR', '65536', 'kspp', 'self_protection')) if arch == 'X86_32': checklist.append(OptCheck('PAGE_TABLE_ISOLATION', 'y', 'kspp', 'self_protection')) @@ -368,7 +366,7 @@ def construct_checklist(checklist, arch): checklist.append(OptCheck('X86_PAE', 'y', 'kspp', 'self_protection')) if arch == 'ARM64': checklist.append(OptCheck('ARM64_SW_TTBR0_PAN', 'y', 'kspp', 'self_protection')) - if arch == 'ARM64' or arch == 'ARM': + if arch in ('ARM64', 'ARM'): checklist.append(OptCheck('SYN_COOKIES', 'y', 'kspp', 'self_protection')) # another reason? checklist.append(OptCheck('DEFAULT_MMAP_MIN_ADDR', '32768', 'kspp', 'self_protection')) 
@@ -380,7 +378,7 @@ def construct_checklist(checklist, arch): randstruct_is_set)) checklist.append(OptCheck('RANDOM_TRUST_BOOTLOADER', 'is not set', 'clipos', 'self_protection')) checklist.append(OptCheck('RANDOM_TRUST_CPU', 'is not set', 'clipos', 'self_protection')) - if arch == 'X86_64' or arch == 'X86_32': + if arch in ('X86_64', 'X86_32'): checklist.append(AND(OptCheck('INTEL_IOMMU_SVM', 'y', 'clipos', 'self_protection'), \ iommu_support_is_set)) checklist.append(AND(OptCheck('INTEL_IOMMU_DEFAULT_ON', 'y', 'clipos', 'self_protection'), \ @@ -395,7 +393,7 @@ def construct_checklist(checklist, arch): checklist.append(AND(OptCheck('AMD_IOMMU_V2', 'y', 'my', 'self_protection'), \ iommu_support_is_set)) - if arch == 'X86_64' or arch == 'ARM64' or arch == 'X86_32': + if arch in ('X86_64', 'ARM64', 'X86_32'): checklist.append(OptCheck('SECURITY', 'y', 'defconfig', 'security_policy')) # and choose your favourite LSM if arch == 'ARM': checklist.append(OptCheck('SECURITY', 'y', 'kspp', 'security_policy')) # and choose your favourite LSM @@ -413,7 +411,7 @@ def construct_checklist(checklist, arch): checklist.append(OptCheck('SECCOMP', 'y', 'defconfig', 'cut_attack_surface')) checklist.append(OptCheck('SECCOMP_FILTER', 'y', 'defconfig', 'cut_attack_surface')) - if arch == 'X86_64' or arch == 'ARM64' or arch == 'X86_32': + if arch in ('X86_64', 'ARM64', 'X86_32'): checklist.append(OR(OptCheck('STRICT_DEVMEM', 'y', 'defconfig', 'cut_attack_surface'), \ devmem_not_set)) # refers to LOCKDOWN 
@@ -470,7 +468,7 @@ def construct_checklist(checklist, arch): checklist.append(OptCheck('BPF_SYSCALL', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN checklist.append(OptCheck('MMIOTRACE_TEST', 'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCKDOWN - if arch == 'X86_64' or arch == 'X86_32': + if arch in ('X86_64', 'X86_32'): checklist.append(OptCheck('X86_INTEL_TSX_MODE_OFF', 'y', 'clipos', 'cut_attack_surface')) # tsx=off checklist.append(OptCheck('STAGING', 'is not set', 'clipos', 'cut_attack_surface')) checklist.append(OptCheck('KSM', 'is not set', 'clipos', 'cut_attack_surface')) # to prevent FLUSH+RELOAD attack @@ -498,11 +496,11 @@ def construct_checklist(checklist, arch): checklist.append(OptCheck('INTEGRITY', 'y', 'defconfig', 'userspace_hardening')) if arch == 'ARM64': checklist.append(OptCheck('ARM64_PTR_AUTH', 'y', 'defconfig', 'userspace_hardening')) - if arch == 'ARM' or arch == 'X86_32': + if arch in ('ARM', 'X86_32'): checklist.append(OptCheck('VMSPLIT_3G', 'y', 'defconfig', 'userspace_hardening')) - if arch == 'X86_64' or arch == 'ARM64': + if arch in ('X86_64', 'ARM64'): checklist.append(OptCheck('ARCH_MMAP_RND_BITS', '32', 'clipos', 'userspace_hardening')) - if arch == 'X86_32' or arch == 'ARM': + if arch in ('X86_32', 'ARM'): checklist.append(OptCheck('ARCH_MMAP_RND_BITS', '16', 'my', 'userspace_hardening')) # checklist.append(OptCheck('LKDTM', 'm', 'my', 'feature_test')) -- 2.31.1 From a7e1677cea24fec92a6a2c36c1dbc0094413535d Mon Sep 17 00:00:00 2001 From: HacKurx Date: Thu, 9 Apr 2020 13:25:37 +0200 Subject: [PATCH 10/16] Add CONFIG_INPUT_EVBUG The "evbug" module records key events and mouse movements in the system log. Useful for debugging, this is a security threat, its use can be hijacked as a keylogger. An attacker will be able to retrieve your passwords using this module. --- README.md | 1 + kconfig_hardened_check/__init__.py | 1 + 2 files changed, 2 insertions(+) 
diff --git a/README.md b/README.md index 76d4e1d..ff129c4 100644 --- a/README.md +++ b/README.md @@ -204,6 +204,7 @@ CONFIG_IP_SCTP | is not set | my | cut_atta CONFIG_FTRACE | is not set | my | cut_attack_surface | FAIL: "y" CONFIG_BPF_JIT | is not set | my | cut_attack_surface | FAIL: "y" CONFIG_VIDEO_VIVID | is not set | my | cut_attack_surface | FAIL: "m" +CONFIG_INPUT_EVBUG | is not set | my | cut_attack_surface | FAIL: "m" CONFIG_INTEGRITY | y |defconfig |userspace_hardening | OK CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | FAIL: "28" diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 047beff..15ea3e4 100755 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -494,6 +494,7 @@ def construct_checklist(checklist, arch): checklist.append(OptCheck('FTRACE', 'is not set', 'my', 'cut_attack_surface')) # refers to LOCKDOWN checklist.append(OptCheck('BPF_JIT', 'is not set', 'my', 'cut_attack_surface')) checklist.append(OptCheck('VIDEO_VIVID', 'is not set', 'my', 'cut_attack_surface')) + checklist.append(OptCheck('INPUT_EVBUG', 'is not set', 'my', 'cut_attack_surface')) # Can be used as a keylogger checklist.append(OptCheck('INTEGRITY', 'y', 'defconfig', 'userspace_hardening')) if arch == 'ARM64': -- 2.31.1 From cb1d79b05f9ab8660ddfdbedc56cf84447a9f27f Mon Sep 17 00:00:00 2001 From: HacKurx Date: Thu, 9 Apr 2020 13:48:56 +0200 Subject: [PATCH 11/16] Updating the number of failures in the README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ff129c4..0e18940 100644 --- a/README.md +++ b/README.md 
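Review bot: This hunk's header `index 047beff..15ea3e4 100755` names the pre-image blob and file mode that patch 09 of this series already rewrote (to c4214a1 and mode 100644), so the patch appears to be based on the tree from before the pylint cleanup and may not apply cleanly in series order; a rebase of this one-line change is probably all that is needed. The check itself is fine, and its `# Can be used as a keylogger` comment carries the rationale from the commit message into the code. construct_checklist continues outside the hunk.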
@@ -208,7 +208,7 @@ CONFIG_INPUT_EVBUG | is not set | my | cut_atta CONFIG_INTEGRITY | y |defconfig |userspace_hardening | OK CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | FAIL: "28" -[+] config check is finished: 'OK' - 56 / 'FAIL' - 79 +[+] config check is finished: 'OK' - 56 / 'FAIL' - 80 ``` ## kconfig-hardened-check versioning -- 2.31.1 From 39e1c6ed2ec0a904d8a46dd460763a842046818b Mon Sep 17 00:00:00 2001 From: HacKurx Date: Tue, 5 May 2020 10:51:33 +0200 Subject: [PATCH 12/16] Upgrading to Ubuntu 20.04 kernel config CONFIG_RANDOM_TRUST_BOOTLOADER = FAIL: "y" CONFIG_SECURITY_LOCKDOWN_LSM = OK CONFIG_SECURITY_LOCKDOWN_LSM_EARLY = OK CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY = FAIL: "is not set" --- README.md | 24 +- ...nic-generic.config => ubuntu-focal.config} | 265 +++++++++++------- 2 files changed, 178 insertions(+), 111 deletions(-) rename kconfig_hardened_check/config_files/distros/{ubuntu-bionic-generic.config => ubuntu-focal.config} (98%) diff --git a/README.md b/README.md index 0e18940..3e95e95 100644 --- a/README.md +++ b/README.md 
@@ -59,15 +59,15 @@ optional arguments: --version show program's version number and exit ``` -## Output for `Ubuntu 18.04 (Bionic Beaver with HWE)` kernel config +## Output for `Ubuntu 20.04 LTS (Focal Fossa)` kernel config ``` -$ ./bin/kconfig-hardened-check -c kconfig_hardened_check/config_files/distros/ubuntu-bionic-generic.config -[+] Trying to detect architecture in "kconfig_hardened_check/config_files/distros/ubuntu-bionic-generic.config"... +$ ./bin/kconfig-hardened-check -c kconfig_hardened_check/config_files/distros/ubuntu-focal.config +[+] Trying to detect architecture in "kconfig_hardened_check/config_files/distros/ubuntu-focal.config"... [+] Detected architecture: X86_64 -[+] Trying to detect kernel version in "kconfig_hardened_check/config_files/distros/ubuntu-bionic-generic.config"... -[+] Found version line: "# Linux/x86 5.3.0-28-generic Kernel Configuration" -[+] Detected kernel version: 5.3 -[+] Checking "kconfig_hardened_check/config_files/distros/ubuntu-bionic-generic.config" against X86_64 hardening preferences... +[+] Trying to detect kernel version in "kconfig_hardened_check/config_files/distros/ubuntu-focal.config"... +[+] Found version line: "# Linux/x86 5.4.0-29-generic Kernel Configuration" +[+] Detected kernel version: 5.4 +[+] Checking "kconfig_hardened_check/config_files/distros/ubuntu-focal.config" against X86_64 hardening preferences... ========================================================================================================================= option name | desired val | decision | reason | check result ========================================================================================================================= 
@@ -122,7 +122,7 @@ CONFIG_DEBUG_VIRTUAL | y | clipos | self_pr
 CONFIG_STATIC_USERMODEHELPER | y | clipos | self_protection | FAIL: "is not set"
 CONFIG_SLAB_MERGE_DEFAULT | is not set | clipos | self_protection | FAIL: "y"
 CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE | is not set | clipos | self_protection | FAIL: CONFIG_GCC_PLUGIN_RANDSTRUCT is needed
-CONFIG_RANDOM_TRUST_BOOTLOADER | is not set | clipos | self_protection | OK: not found
+CONFIG_RANDOM_TRUST_BOOTLOADER | is not set | clipos | self_protection | FAIL: "y"
 CONFIG_RANDOM_TRUST_CPU | is not set | clipos | self_protection | FAIL: "y"
 CONFIG_INTEL_IOMMU_SVM | y | clipos | self_protection | OK
 CONFIG_INTEL_IOMMU_DEFAULT_ON | y | clipos | self_protection | FAIL: "is not set"
@@ -132,9 +132,9 @@ CONFIG_AMD_IOMMU_V2 | y | my | self_pr
 CONFIG_SECURITY | y |defconfig | security_policy | OK
 CONFIG_SECURITY_YAMA | y | kspp | security_policy | OK
 CONFIG_SECURITY_WRITABLE_HOOKS | is not set | my | security_policy | OK: not found
-CONFIG_SECURITY_LOCKDOWN_LSM | y | clipos | security_policy | FAIL: not found
-CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | clipos | security_policy | FAIL: not found
-CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY| y | clipos | security_policy | FAIL: not found
+CONFIG_SECURITY_LOCKDOWN_LSM | y | clipos | security_policy | OK
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | y | clipos | security_policy | OK
+CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY| y | clipos | security_policy | FAIL: "is not set"
 CONFIG_SECURITY_LOADPIN | y | my | security_policy | FAIL: "is not set"
 CONFIG_SECURITY_LOADPIN_ENFORCE | y | my | security_policy | FAIL: CONFIG_SECURITY_LOADPIN is needed
 CONFIG_SECURITY_SAFESETID | y | my | security_policy | OK
@@ -208,7 +208,7 @@ CONFIG_INPUT_EVBUG | is not set | my | cut_atta
 CONFIG_INTEGRITY | y |defconfig |userspace_hardening | OK
 CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | FAIL: "28"
-[+] config check is finished: 'OK' - 56 / 'FAIL' - 80
+[+] config check is finished: 'OK' - 57 / 'FAIL' - 79
 ```
 ## kconfig-hardened-check versioning
diff --git a/kconfig_hardened_check/config_files/distros/ubuntu-bionic-generic.config b/kconfig_hardened_check/config_files/distros/ubuntu-focal.config
similarity index 98%
rename from kconfig_hardened_check/config_files/distros/ubuntu-bionic-generic.config
rename to kconfig_hardened_check/config_files/distros/ubuntu-focal.config
index 7620c12..ac368fb 100644
--- a/kconfig_hardened_check/config_files/distros/ubuntu-bionic-generic.config
+++ b/kconfig_hardened_check/config_files/distros/ubuntu-focal.config
@@ -1,16 +1,17 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.3.0-28-generic Kernel Configuration +# Linux/x86 5.4.0-29-generic Kernel Configuration # # -# Compiler: gcc (Ubuntu 7.4.0-1ubuntu1~18.04.1) 7.4.0 +# Compiler: gcc (Ubuntu 9.3.0-10ubuntu2) 9.3.0 # CONFIG_CC_IS_GCC=y -CONFIG_GCC_VERSION=70400 +CONFIG_GCC_VERSION=90300 CONFIG_CLANG_VERSION=0 CONFIG_CC_CAN_LINK=y CONFIG_CC_HAS_ASM_GOTO=y +CONFIG_CC_HAS_ASM_INLINE=y CONFIG_CC_HAS_WARN_MAYBE_UNINITIALIZED=y CONFIG_IRQ_WORK=y CONFIG_BUILDTIME_EXTABLE_SORT=y @@ -21,7 +22,6 @@ CONFIG_THREAD_INFO_IN_TASK=y # CONFIG_INIT_ENV_ARG_LIMIT=32 # CONFIG_COMPILE_TEST is not set -# CONFIG_HEADER_TEST is not set CONFIG_LOCALVERSION="" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_BUILD_SALT=""
@@ -31,14 +31,14 @@ CONFIG_HAVE_KERNEL_LZMA=y CONFIG_HAVE_KERNEL_XZ=y CONFIG_HAVE_KERNEL_LZO=y CONFIG_HAVE_KERNEL_LZ4=y -CONFIG_KERNEL_GZIP=y +# CONFIG_KERNEL_GZIP is not set # CONFIG_KERNEL_BZIP2 is not set # CONFIG_KERNEL_LZMA is not set # CONFIG_KERNEL_XZ is not set # CONFIG_KERNEL_LZO is not set -# CONFIG_KERNEL_LZ4 is not set +CONFIG_KERNEL_LZ4=y CONFIG_DEFAULT_HOSTNAME="(none)" -CONFIG_VERSION_SIGNATURE="Ubuntu 5.3.0-28.30~18.04.1-generic 5.3.13" +CONFIG_VERSION_SIGNATURE="Ubuntu 5.4.0-29.33-generic 5.4.30" CONFIG_SWAP=y CONFIG_SYSVIPC=y CONFIG_SYSVIPC_SYSCTL=y @@ -158,7 +158,8 @@ CONFIG_CGROUP_WRITEBACK=y CONFIG_CGROUP_SCHED=y CONFIG_FAIR_GROUP_SCHED=y CONFIG_CFS_BANDWIDTH=y -# CONFIG_RT_GROUP_SCHED is not set +CONFIG_RT_GROUP_SCHED=y +CONFIG_UCLAMP_TASK_GROUP=y CONFIG_CGROUP_PIDS=y CONFIG_CGROUP_RDMA=y CONFIG_CGROUP_FREEZER=y @@ -311,7 +312,7 @@ CONFIG_X86_CPU_RESCTRL=y CONFIG_X86_EXTENDED_PLATFORM=y CONFIG_X86_NUMACHIP=y # CONFIG_X86_VSMP is not set -# CONFIG_X86_UV is not set +CONFIG_X86_UV=y # CONFIG_X86_GOLDFISH is not set # CONFIG_X86_INTEL_MID is not set CONFIG_X86_INTEL_LPSS=y @@ -337,6 +338,7 @@ CONFIG_XEN_SAVE_RESTORE=y # CONFIG_XEN_DEBUG_FS is not set CONFIG_XEN_PVH=y CONFIG_KVM_GUEST=y +CONFIG_ARCH_CPUIDLE_HALTPOLL=y CONFIG_PVH=y CONFIG_KVM_DEBUG_FS=y # CONFIG_PARAVIRT_TIME_ACCOUNTING is not set @@ -408,7 +410,6 @@ CONFIG_X86_CPUID=m # CONFIG_X86_5LEVEL is not set CONFIG_X86_DIRECT_GBPAGES=y # CONFIG_X86_CPA_STATISTICS is not set -CONFIG_ARCH_HAS_MEM_ENCRYPT=y CONFIG_AMD_MEM_ENCRYPT=y # CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT is not set CONFIG_NUMA=y @@ -627,6 +628,8 @@ CONFIG_CPU_IDLE=y CONFIG_CPU_IDLE_GOV_LADDER=y CONFIG_CPU_IDLE_GOV_MENU=y CONFIG_CPU_IDLE_GOV_TEO=y +CONFIG_CPU_IDLE_GOV_HALTPOLL=y +CONFIG_HALTPOLL_CPUIDLE=m # end of CPU Idle CONFIG_INTEL_IDLE=y 
@@ -689,6 +692,7 @@ CONFIG_EFI_CAPSULE_LOADER=m CONFIG_EFI_TEST=m CONFIG_APPLE_PROPERTIES=y CONFIG_RESET_ATTACK_MITIGATION=y +CONFIG_EFI_RCI2_TABLE=y # end of EFI (Extensible Firmware Interface) Support CONFIG_UEFI_CPER=y @@ -763,6 +767,7 @@ CONFIG_ARCH_HAS_SET_MEMORY=y CONFIG_ARCH_HAS_SET_DIRECT_MAP=y CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y +CONFIG_HAVE_ASM_MODVERSIONS=y CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y CONFIG_HAVE_RSEQ=y CONFIG_HAVE_FUNCTION_ARG_ACCESS_API=y @@ -829,6 +834,7 @@ CONFIG_ARCH_HAS_REFCOUNT=y CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y CONFIG_ARCH_USE_MEMREMAP_PROT=y # CONFIG_LOCK_EVENT_COUNTS is not set +CONFIG_ARCH_HAS_MEM_ENCRYPT=y # # GCOV-based kernel profiling @@ -843,6 +849,7 @@ CONFIG_HAVE_GCC_PLUGINS=y CONFIG_RT_MUTEXES=y CONFIG_BASE_SMALL=0 +CONFIG_MODULE_SIG_FORMAT=y CONFIG_MODULES=y # CONFIG_MODULE_FORCE_LOAD is not set CONFIG_MODULE_UNLOAD=y @@ -859,8 +866,11 @@ CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" # CONFIG_MODULE_COMPRESS is not set +# CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS is not set +CONFIG_UNUSED_SYMBOLS=y CONFIG_MODULES_TREE_LOOKUP=y CONFIG_BLOCK=y +CONFIG_BLK_RQ_ALLOC_TIME=y CONFIG_BLK_SCSI_REQUEST=y CONFIG_BLK_DEV_BSG=y CONFIG_BLK_DEV_BSGLIB=y @@ -871,6 +881,7 @@ CONFIG_BLK_DEV_THROTTLING=y CONFIG_BLK_CMDLINE_PARSER=y CONFIG_BLK_WBT=y # CONFIG_BLK_CGROUP_IOLATENCY is not set +CONFIG_BLK_CGROUP_IOCOST=y CONFIG_BLK_WBT_MQ=y CONFIG_BLK_DEBUG_FS=y CONFIG_BLK_DEBUG_FS_ZONED=y @@ -1017,6 +1028,7 @@ CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y CONFIG_ARCH_HAS_PKEYS=y # CONFIG_PERCPU_STATS is not set # CONFIG_GUP_BENCHMARK is not set +# CONFIG_READ_ONLY_THP_FOR_FS is not set CONFIG_ARCH_HAS_PTE_SPECIAL=y # end of Memory Management options @@ -1024,6 +1036,7 @@ CONFIG_NET=y CONFIG_COMPAT_NETLINK_MESSAGES=y CONFIG_NET_INGRESS=y CONFIG_NET_EGRESS=y +CONFIG_NET_REDIRECT=y CONFIG_SKB_EXTENSIONS=y # 
@@ -1067,7 +1080,7 @@ CONFIG_NET_IPGRE=m CONFIG_NET_IPGRE_BROADCAST=y CONFIG_IP_MROUTE_COMMON=y CONFIG_IP_MROUTE=y -# CONFIG_IP_MROUTE_MULTIPLE_TABLES is not set +CONFIG_IP_MROUTE_MULTIPLE_TABLES=y CONFIG_IP_PIMSM_V1=y CONFIG_IP_PIMSM_V2=y CONFIG_SYN_COOKIES=y @@ -1561,9 +1574,7 @@ CONFIG_NET_DSA_TAG_GSWIP=m CONFIG_NET_DSA_TAG_DSA=m CONFIG_NET_DSA_TAG_EDSA=m CONFIG_NET_DSA_TAG_MTK=m -CONFIG_NET_DSA_TAG_KSZ_COMMON=m CONFIG_NET_DSA_TAG_KSZ=m -CONFIG_NET_DSA_TAG_KSZ9477=m CONFIG_NET_DSA_TAG_QCA=m CONFIG_NET_DSA_TAG_LAN9303=m CONFIG_NET_DSA_TAG_SJA1105=m @@ -1692,6 +1703,7 @@ CONFIG_NET_ACT_SKBMOD=m # CONFIG_NET_ACT_IFE is not set CONFIG_NET_ACT_TUNNEL_KEY=m CONFIG_NET_ACT_CT=m +CONFIG_NET_TC_SKB_EXT=y CONFIG_NET_SCH_FIFO=y CONFIG_DCB=y CONFIG_DNS_RESOLVER=y @@ -1741,7 +1753,7 @@ CONFIG_NET_FLOW_LIMIT=y # Network testing # CONFIG_NET_PKTGEN=m -CONFIG_NET_DROP_MONITOR=m +CONFIG_NET_DROP_MONITOR=y # end of Network testing # end of Networking options @@ -1771,6 +1783,7 @@ CONFIG_CAN=m CONFIG_CAN_RAW=m CONFIG_CAN_BCM=m CONFIG_CAN_GW=m +CONFIG_CAN_J1939=m # # CAN Device Drivers @@ -1781,6 +1794,7 @@ CONFIG_CAN_SLCAN=m CONFIG_CAN_DEV=m CONFIG_CAN_CALC_BITTIMING=y CONFIG_CAN_JANZ_ICAN3=m +CONFIG_CAN_KVASER_PCIEFD=m CONFIG_CAN_C_CAN=m CONFIG_CAN_C_CAN_PLATFORM=m CONFIG_CAN_C_CAN_PCI=m @@ -1789,17 +1803,20 @@ CONFIG_CAN_CC770_ISA=m CONFIG_CAN_CC770_PLATFORM=m CONFIG_CAN_IFI_CANFD=m CONFIG_CAN_M_CAN=m +CONFIG_CAN_M_CAN_PLATFORM=m +CONFIG_CAN_M_CAN_TCAN4X5X=m CONFIG_CAN_PEAK_PCIEFD=m CONFIG_CAN_SJA1000=m -CONFIG_CAN_SJA1000_ISA=m -CONFIG_CAN_SJA1000_PLATFORM=m -CONFIG_CAN_EMS_PCMCIA=m CONFIG_CAN_EMS_PCI=m -CONFIG_CAN_PEAK_PCMCIA=m +CONFIG_CAN_EMS_PCMCIA=m +CONFIG_CAN_F81601=m +CONFIG_CAN_KVASER_PCI=m CONFIG_CAN_PEAK_PCI=m CONFIG_CAN_PEAK_PCIEC=y -CONFIG_CAN_KVASER_PCI=m +CONFIG_CAN_PEAK_PCMCIA=m CONFIG_CAN_PLX_PCI=m +CONFIG_CAN_SJA1000_ISA=m +CONFIG_CAN_SJA1000_PLATFORM=m CONFIG_CAN_SOFTING=m CONFIG_CAN_SOFTING_CS=m 
@@ -2018,7 +2035,6 @@ CONFIG_PCIEAER=y # CONFIG_PCIEAER_INJECT is not set # CONFIG_PCIE_ECRC is not set CONFIG_PCIEASPM=y -CONFIG_PCIEASPM_DEBUG=y CONFIG_PCIEASPM_DEFAULT=y # CONFIG_PCIEASPM_POWERSAVE is not set # CONFIG_PCIEASPM_POWER_SUPERSAVE is not set @@ -2061,6 +2077,7 @@ CONFIG_HOTPLUG_PCI_SHPC=y # end of Cadence PCIe controllers support CONFIG_VMD=m +CONFIG_PCI_HYPERV_INTERFACE=m # # DesignWare PCI Core Support @@ -2071,7 +2088,7 @@ CONFIG_PCIE_DW_EP=y CONFIG_PCIE_DW_PLAT=y CONFIG_PCIE_DW_PLAT_HOST=y CONFIG_PCIE_DW_PLAT_EP=y -CONFIG_PCI_MESON=y +# CONFIG_PCI_MESON is not set # end of DesignWare PCI Core Support # end of PCI controller drivers @@ -2167,6 +2184,7 @@ CONFIG_REGMAP_W1=m CONFIG_REGMAP_MMIO=y CONFIG_REGMAP_IRQ=y CONFIG_REGMAP_SCCB=m +CONFIG_REGMAP_I3C=m CONFIG_DMA_SHARED_BUFFER=y # CONFIG_DMA_FENCE_TRACE is not set # end of Generic Driver Options @@ -2185,12 +2203,12 @@ CONFIG_GNSS_SIRF_SERIAL=m CONFIG_GNSS_UBX_SERIAL=m CONFIG_MTD=m # CONFIG_MTD_TESTS is not set -CONFIG_MTD_CMDLINE_PARTS=m -CONFIG_MTD_AR7_PARTS=m # # Partition parsers # +CONFIG_MTD_AR7_PARTS=m +CONFIG_MTD_CMDLINE_PARTS=m CONFIG_MTD_REDBOOT_PARTS=m CONFIG_MTD_REDBOOT_DIRECTORY_BLOCK=-1 # CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED is not set @@ -2266,7 +2284,6 @@ CONFIG_MTD_PMC551=m CONFIG_MTD_DATAFLASH=m # CONFIG_MTD_DATAFLASH_WRITE_VERIFY is not set CONFIG_MTD_DATAFLASH_OTP=y -CONFIG_MTD_M25P80=m CONFIG_MTD_MCHP23K256=m CONFIG_MTD_SST25L=m CONFIG_MTD_SLRAM=m @@ -2299,6 +2316,7 @@ CONFIG_MTD_NAND_ECC_SW_BCH=y CONFIG_MTD_NAND_DENALI=m CONFIG_MTD_NAND_DENALI_PCI=m CONFIG_MTD_NAND_CAFE=m +CONFIG_MTD_NAND_MXIC=m CONFIG_MTD_NAND_GPIO=m CONFIG_MTD_NAND_PLATFORM=m 
@@ -2439,12 +2457,14 @@ CONFIG_AD525X_DPOT_SPI=m CONFIG_DUMMY_IRQ=m CONFIG_IBM_ASM=m CONFIG_PHANTOM=m -CONFIG_SGI_IOC4=m CONFIG_TIFM_CORE=m CONFIG_TIFM_7XX1=m CONFIG_ICS932S401=m CONFIG_ENCLOSURE_SERVICES=m +CONFIG_SGI_XP=m CONFIG_HP_ILO=m +CONFIG_SGI_GRU=m +# CONFIG_SGI_GRU_DEBUG is not set CONFIG_APDS9802ALS=m CONFIG_ISL29003=m CONFIG_ISL29020=m @@ -2835,6 +2855,7 @@ CONFIG_DM_CACHE=m CONFIG_DM_CACHE_SMQ=m CONFIG_DM_WRITECACHE=m CONFIG_DM_ERA=m +CONFIG_DM_CLONE=m CONFIG_DM_MIRROR=m CONFIG_DM_LOG_USERSPACE=m CONFIG_DM_RAID=m @@ -2848,6 +2869,7 @@ CONFIG_DM_INIT=y CONFIG_DM_UEVENT=y CONFIG_DM_FLAKEY=m CONFIG_DM_VERITY=m +CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y # CONFIG_DM_VERITY_FEC is not set CONFIG_DM_SWITCH=m CONFIG_DM_LOG_WRITES=m @@ -2991,12 +3013,16 @@ CONFIG_NET_DSA_MT7530=m CONFIG_NET_DSA_MV88E6060=m CONFIG_NET_DSA_MICROCHIP_KSZ_COMMON=m CONFIG_NET_DSA_MICROCHIP_KSZ9477=m +CONFIG_NET_DSA_MICROCHIP_KSZ9477_I2C=m CONFIG_NET_DSA_MICROCHIP_KSZ9477_SPI=m +CONFIG_NET_DSA_MICROCHIP_KSZ8795=m +CONFIG_NET_DSA_MICROCHIP_KSZ8795_SPI=m CONFIG_NET_DSA_MV88E6XXX=m CONFIG_NET_DSA_MV88E6XXX_GLOBAL2=y CONFIG_NET_DSA_MV88E6XXX_PTP=y CONFIG_NET_DSA_SJA1105=m CONFIG_NET_DSA_SJA1105_PTP=y +CONFIG_NET_DSA_SJA1105_TAS=y CONFIG_NET_DSA_QCA8K=m CONFIG_NET_DSA_REALTEK_SMI=m CONFIG_NET_DSA_SMSC_LAN9303=m @@ -3178,6 +3204,7 @@ CONFIG_MLX5_EN_IPSEC=y CONFIG_MLX5_FPGA_TLS=y CONFIG_MLX5_TLS=y CONFIG_MLX5_EN_TLS=y +CONFIG_MLX5_SW_STEERING=y CONFIG_MLXSW_CORE=m CONFIG_MLXSW_CORE_HWMON=y CONFIG_MLXSW_CORE_THERMAL=y @@ -3230,13 +3257,14 @@ CONFIG_ETHOC=m CONFIG_NET_VENDOR_PACKET_ENGINES=y CONFIG_HAMACHI=m CONFIG_YELLOWFIN=m +CONFIG_NET_VENDOR_PENSANDO=y +CONFIG_IONIC=m CONFIG_NET_VENDOR_QLOGIC=y CONFIG_QLA3XXX=m CONFIG_QLCNIC=m CONFIG_QLCNIC_SRIOV=y CONFIG_QLCNIC_DCB=y CONFIG_QLCNIC_HWMON=y -CONFIG_QLGE=m CONFIG_NETXEN_NIC=m CONFIG_QED=m CONFIG_QED_LL2=y 
@@ -3290,7 +3318,7 @@ CONFIG_STMMAC_ETH=m # CONFIG_STMMAC_SELFTESTS is not set CONFIG_STMMAC_PLATFORM=m CONFIG_DWMAC_GENERIC=m -# CONFIG_STMMAC_PCI is not set +CONFIG_STMMAC_PCI=m CONFIG_NET_VENDOR_SUN=y CONFIG_HAPPYMEAL=m CONFIG_SUNGEM=m @@ -3344,6 +3372,7 @@ CONFIG_LED_TRIGGER_PHY=y # MII PHY device drivers # CONFIG_SFP=m +CONFIG_ADIN_PHY=m CONFIG_AMD_PHY=m CONFIG_AQUANTIA_PHY=m CONFIG_AX88796B_PHY=m @@ -3470,6 +3499,7 @@ CONFIG_ATH9K_WOW=y CONFIG_ATH9K_RFKILL=y CONFIG_ATH9K_CHANNEL_CONTEXT=y CONFIG_ATH9K_PCOEM=y +CONFIG_ATH9K_PCI_NO_EEPROM=m CONFIG_ATH9K_HTC=m CONFIG_ATH9K_HTC_DEBUGFS=y CONFIG_ATH9K_HWRNG=y @@ -3578,7 +3608,6 @@ CONFIG_IWLDVM=m CONFIG_IWLMVM=m CONFIG_IWLWIFI_OPMODE_MODULAR=y # CONFIG_IWLWIFI_BCAST_FILTERING is not set -# CONFIG_IWLWIFI_PCIE_RTPM is not set # # Debugging Options @@ -3700,8 +3729,10 @@ CONFIG_RTW88_CORE=m CONFIG_RTW88_PCI=m CONFIG_RTW88_8822BE=y CONFIG_RTW88_8822CE=y +CONFIG_RTW88_8723DE=y CONFIG_RTW88_DEBUG=y CONFIG_RTW88_DEBUGFS=y +# CONFIG_RTW88_REGD_USER_REG_HINTS is not set CONFIG_WLAN_VENDOR_RSI=y CONFIG_RSI_91X=m # CONFIG_RSI_DEBUGFS is not set @@ -3755,9 +3786,6 @@ CONFIG_PCI200SYN=m CONFIG_WANXL=m CONFIG_PC300TOO=m CONFIG_FARSYNC=m -CONFIG_DSCC4=m -CONFIG_DSCC4_PCISYNC=y -CONFIG_DSCC4_PCI_RST=y CONFIG_DLCI=m CONFIG_DLCI_MAX=8 CONFIG_LAPBETHER=m @@ -3929,6 +3957,7 @@ CONFIG_JOYSTICK_WALKERA0701=m CONFIG_JOYSTICK_PSXPAD_SPI=m CONFIG_JOYSTICK_PSXPAD_SPI_FF=y CONFIG_JOYSTICK_PXRC=m +CONFIG_JOYSTICK_FSIA6B=m CONFIG_INPUT_TABLET=y CONFIG_TABLET_USB_ACECAD=m CONFIG_TABLET_USB_AIPTEK=m @@ -4192,11 +4221,11 @@ CONFIG_SERIAL_8250_MANY_PORTS=y CONFIG_SERIAL_8250_SHARE_IRQ=y # CONFIG_SERIAL_8250_DETECT_IRQ is not set CONFIG_SERIAL_8250_RSA=y +CONFIG_SERIAL_8250_DWLIB=y CONFIG_SERIAL_8250_DW=m CONFIG_SERIAL_8250_RT288X=y CONFIG_SERIAL_8250_LPSS=m CONFIG_SERIAL_8250_MID=m -CONFIG_SERIAL_8250_MOXA=m # # Non-8250 serial port support 
@@ -4226,6 +4255,7 @@ CONFIG_SERIAL_ARC_NR_PORTS=1 CONFIG_SERIAL_RP2=m CONFIG_SERIAL_RP2_NR_UARTS=32 CONFIG_SERIAL_FSL_LPUART=m +CONFIG_SERIAL_FSL_LINFLEXUART=m CONFIG_SERIAL_MEN_Z135=m # end of Serial drivers @@ -4277,6 +4307,7 @@ CONFIG_HPET=y CONFIG_HPET_MMAP=y CONFIG_HPET_MMAP_DEFAULT=y CONFIG_HANGCHECK_TIMER=m +CONFIG_UV_MMTIMER=m CONFIG_TCG_TPM=y CONFIG_HW_RANDOM_TPM=y CONFIG_TCG_TIS_CORE=y @@ -4301,6 +4332,7 @@ CONFIG_XILLYBUS_PCIE=m # end of Character devices CONFIG_RANDOM_TRUST_CPU=y +CONFIG_RANDOM_TRUST_BOOTLOADER=y # # I2C support @@ -4504,9 +4536,11 @@ CONFIG_PINCTRL_ICELAKE=m CONFIG_PINCTRL_LEWISBURG=m CONFIG_PINCTRL_SUNRISEPOINT=m CONFIG_PINCTRL_MADERA=m +CONFIG_PINCTRL_CS47L15=y CONFIG_PINCTRL_CS47L35=y CONFIG_PINCTRL_CS47L85=y CONFIG_PINCTRL_CS47L90=y +CONFIG_PINCTRL_CS47L92=y CONFIG_GPIOLIB=y CONFIG_GPIOLIB_FASTPATH_LIMIT=512 CONFIG_GPIO_ACPI=y @@ -4629,6 +4663,7 @@ CONFIG_W1_MASTER_DS2490=m CONFIG_W1_MASTER_DS2482=m CONFIG_W1_MASTER_DS1WM=m CONFIG_W1_MASTER_GPIO=m +CONFIG_W1_MASTER_SGI=m # end of 1-wire Bus Masters # @@ -4647,6 +4682,7 @@ CONFIG_W1_SLAVE_DS2431=m CONFIG_W1_SLAVE_DS2433=m # CONFIG_W1_SLAVE_DS2433_CRC is not set CONFIG_W1_SLAVE_DS2438=m +CONFIG_W1_SLAVE_DS250X=m CONFIG_W1_SLAVE_DS2780=m CONFIG_W1_SLAVE_DS2781=m CONFIG_W1_SLAVE_DS28E04=m @@ -4744,6 +4780,7 @@ CONFIG_SENSORS_ADT7411=m CONFIG_SENSORS_ADT7462=m CONFIG_SENSORS_ADT7470=m CONFIG_SENSORS_ADT7475=m +CONFIG_SENSORS_AS370=m CONFIG_SENSORS_ASC7621=m CONFIG_SENSORS_K8TEMP=m CONFIG_SENSORS_K10TEMP=m @@ -4832,6 +4869,7 @@ CONFIG_PMBUS=m CONFIG_SENSORS_PMBUS=m CONFIG_SENSORS_ADM1275=m CONFIG_SENSORS_IBM_CFFPS=m +CONFIG_SENSORS_INSPUR_IPSPS=m CONFIG_SENSORS_IR35221=m CONFIG_SENSORS_IR38064=m CONFIG_SENSORS_IRPS5401=m @@ -4869,7 +4907,6 @@ CONFIG_SENSORS_SCH5636=m CONFIG_SENSORS_STTS751=m CONFIG_SENSORS_SMM665=m CONFIG_SENSORS_ADC128D818=m -CONFIG_SENSORS_ADS1015=m CONFIG_SENSORS_ADS7828=m CONFIG_SENSORS_ADS7871=m CONFIG_SENSORS_AMC6821=m 
@@ -5075,8 +5112,7 @@ CONFIG_MFD_BCM590XX=m CONFIG_MFD_BD9571MWV=m CONFIG_MFD_AXP20X=m CONFIG_MFD_AXP20X_I2C=m -CONFIG_MFD_CROS_EC=m -CONFIG_MFD_CROS_EC_CHARDEV=m +CONFIG_MFD_CROS_EC_DEV=m CONFIG_MFD_MADERA=m CONFIG_MFD_MADERA_I2C=m CONFIG_MFD_MADERA_SPI=m @@ -5327,6 +5363,7 @@ CONFIG_MEDIA_CONTROLLER_DVB=y CONFIG_VIDEO_DEV=m CONFIG_VIDEO_V4L2_SUBDEV_API=y CONFIG_VIDEO_V4L2=m +CONFIG_VIDEO_V4L2_I2C=y # CONFIG_VIDEO_ADV_DEBUG is not set # CONFIG_VIDEO_FIXED_MINOR_RANGES is not set # CONFIG_VIDEO_PCI_SKELETON is not set @@ -5780,6 +5817,7 @@ CONFIG_VIDEO_OV2685=m CONFIG_VIDEO_OV5647=m CONFIG_VIDEO_OV6650=m CONFIG_VIDEO_OV5670=m +CONFIG_VIDEO_OV5675=m CONFIG_VIDEO_OV5695=m CONFIG_VIDEO_OV7251=m CONFIG_VIDEO_OV772X=m @@ -6091,6 +6129,7 @@ CONFIG_VGA_ARB=y CONFIG_VGA_ARB_MAX_GPUS=16 CONFIG_VGA_SWITCHEROO=y CONFIG_DRM=m +CONFIG_DRM_MIPI_DBI=m CONFIG_DRM_MIPI_DSI=y CONFIG_DRM_DP_AUX_CHARDEV=y # CONFIG_DRM_DEBUG_SELFTEST is not set @@ -6142,6 +6181,7 @@ CONFIG_DRM_AMD_ACP=y CONFIG_DRM_AMD_DC=y CONFIG_DRM_AMD_DC_DCN1_0=y CONFIG_DRM_AMD_DC_DCN2_0=y +CONFIG_DRM_AMD_DC_DCN2_1=y CONFIG_DRM_AMD_DC_DSC_SUPPORT=y # CONFIG_DEBUG_KERNEL_DC is not set # end of Display Engine Configuration @@ -6217,8 +6257,7 @@ CONFIG_DRM_ANALOGIX_ANX78XX=m # end of Display Interface Bridges # CONFIG_DRM_ETNAVIV is not set -CONFIG_DRM_TINYDRM=m -CONFIG_TINYDRM_MIPI_DBI=m +CONFIG_DRM_GM12U320=m CONFIG_TINYDRM_HX8357D=m CONFIG_TINYDRM_ILI9225=m CONFIG_TINYDRM_ILI9341=m @@ -6575,6 +6614,8 @@ CONFIG_SND_HDA_COMPONENT=y CONFIG_SND_HDA_I915=y CONFIG_SND_HDA_EXT_CORE=m CONFIG_SND_HDA_PREALLOC_SIZE=64 +CONFIG_SND_INTEL_NHLT=y +CONFIG_SND_INTEL_DSP_CONFIG=m CONFIG_SND_SPI=y CONFIG_SND_USB=y CONFIG_SND_USB_AUDIO=m 
@@ -6656,18 +6697,18 @@ CONFIG_SND_SOC_INTEL_HASWELL=m CONFIG_SND_SST_ATOM_HIFI2_PLATFORM=m CONFIG_SND_SST_ATOM_HIFI2_PLATFORM_PCI=m CONFIG_SND_SST_ATOM_HIFI2_PLATFORM_ACPI=m -CONFIG_SND_SOC_INTEL_SKYLAKE=m +# CONFIG_SND_SOC_INTEL_SKYLAKE is not set CONFIG_SND_SOC_INTEL_SKL=m CONFIG_SND_SOC_INTEL_APL=m CONFIG_SND_SOC_INTEL_KBL=m CONFIG_SND_SOC_INTEL_GLK=m -CONFIG_SND_SOC_INTEL_CNL=m -CONFIG_SND_SOC_INTEL_CFL=m -CONFIG_SND_SOC_INTEL_CML_H=m -CONFIG_SND_SOC_INTEL_CML_LP=m +# CONFIG_SND_SOC_INTEL_CNL is not set +# CONFIG_SND_SOC_INTEL_CFL is not set +# CONFIG_SND_SOC_INTEL_CML_H is not set +# CONFIG_SND_SOC_INTEL_CML_LP is not set CONFIG_SND_SOC_INTEL_SKYLAKE_FAMILY=m CONFIG_SND_SOC_INTEL_SKYLAKE_SSP_CLK=m -CONFIG_SND_SOC_INTEL_SKYLAKE_HDAUDIO_CODEC=y +# CONFIG_SND_SOC_INTEL_SKYLAKE_HDAUDIO_CODEC is not set CONFIG_SND_SOC_INTEL_SKYLAKE_COMMON=m CONFIG_SND_SOC_ACPI_INTEL_MATCH=m CONFIG_SND_SOC_INTEL_MACH=y @@ -6687,6 +6728,7 @@ CONFIG_SND_SOC_INTEL_BYT_CHT_ES8316_MACH=m CONFIG_SND_SOC_INTEL_SKL_RT286_MACH=m CONFIG_SND_SOC_INTEL_SKL_NAU88L25_SSM4567_MACH=m CONFIG_SND_SOC_INTEL_SKL_NAU88L25_MAX98357A_MACH=m +CONFIG_SND_SOC_INTEL_DA7219_MAX98357A_GENERIC=m CONFIG_SND_SOC_INTEL_BXT_DA7219_MAX98357A_MACH=m CONFIG_SND_SOC_INTEL_BXT_RT298_MACH=m CONFIG_SND_SOC_INTEL_KBL_RT5663_MAX98927_MACH=m @@ -6697,6 +6739,7 @@ CONFIG_SND_SOC_INTEL_KBL_RT5660_MACH=m CONFIG_SND_SOC_INTEL_GLK_RT5682_MAX98357A_MACH=m CONFIG_SND_SOC_INTEL_SKL_HDA_DSP_GENERIC_MACH=m CONFIG_SND_SOC_INTEL_SOF_RT5682_MACH=m +CONFIG_SND_SOC_INTEL_CML_LP_DA7219_MAX98357A_MACH=m CONFIG_SND_SOC_MTK_BTCVSD=m CONFIG_SND_SOC_SOF_TOPLEVEL=y CONFIG_SND_SOC_SOF_PCI=m 
@@ -6731,10 +6774,15 @@ CONFIG_SND_SOC_SOF_COMETLAKE_LP=m CONFIG_SND_SOC_SOF_COMETLAKE_LP_SUPPORT=y CONFIG_SND_SOC_SOF_COMETLAKE_H=m CONFIG_SND_SOC_SOF_COMETLAKE_H_SUPPORT=y +CONFIG_SND_SOC_SOF_TIGERLAKE_SUPPORT=y +CONFIG_SND_SOC_SOF_TIGERLAKE=m +CONFIG_SND_SOC_SOF_ELKHARTLAKE_SUPPORT=y +CONFIG_SND_SOC_SOF_ELKHARTLAKE=m CONFIG_SND_SOC_SOF_HDA_COMMON=m CONFIG_SND_SOC_SOF_HDA_LINK=y CONFIG_SND_SOC_SOF_HDA_AUDIO_CODEC=y -# CONFIG_SND_SOC_SOF_HDA_ALWAYS_ENABLE_DMI_L1 is not set +CONFIG_SND_SOC_SOF_HDA_ALWAYS_ENABLE_DMI_L1=y +CONFIG_SND_SOC_SOF_HDA_COMMON_HDMI_CODEC=y CONFIG_SND_SOC_SOF_HDA_LINK_BASELINE=m CONFIG_SND_SOC_SOF_HDA=m CONFIG_SND_SOC_SOF_XTENSA=m @@ -6891,6 +6939,7 @@ CONFIG_SND_SOC_TLV320AIC3X=m CONFIG_SND_SOC_TS3A227E=m CONFIG_SND_SOC_TSCS42XX=m CONFIG_SND_SOC_TSCS454=m +CONFIG_SND_SOC_UDA1334=m CONFIG_SND_SOC_WCD9335=m CONFIG_SND_SOC_WM8510=m CONFIG_SND_SOC_WM8523=m @@ -6967,6 +7016,7 @@ CONFIG_HID_MACALLY=m CONFIG_HID_PRODIKEYS=m CONFIG_HID_CMEDIA=m CONFIG_HID_CP2112=m +CONFIG_HID_CREATIVE_SB0540=m CONFIG_HID_CYPRESS=m CONFIG_HID_DRAGONRISE=m CONFIG_DRAGONRISE_FF=y @@ -7090,6 +7140,9 @@ CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER=m CONFIG_USB_OHCI_LITTLE_ENDIAN=y CONFIG_USB_SUPPORT=y CONFIG_USB_COMMON=y +CONFIG_USB_LED_TRIG=y +CONFIG_USB_ULPI_BUS=m +CONFIG_USB_CONN_GPIO=m CONFIG_USB_ARCH_HAS_HCD=y CONFIG_USB=y CONFIG_USB_PCI=y @@ -7106,9 +7159,6 @@ CONFIG_USB_DYNAMIC_MINORS=y CONFIG_USB_LEDS_TRIGGER_USBPORT=m CONFIG_USB_AUTOSUSPEND_DELAY=2 CONFIG_USB_MON=m -CONFIG_USB_WUSB=m -CONFIG_USB_WUSB_CBAF=m -# CONFIG_USB_WUSB_CBAF_DEBUG is not set # # USB Host Controller Drivers @@ -7137,8 +7187,6 @@ CONFIG_USB_SL811_HCD=m CONFIG_USB_SL811_HCD_ISO=y CONFIG_USB_SL811_CS=m CONFIG_USB_R8A66597_HCD=m -CONFIG_USB_WHCI_HCD=m -CONFIG_USB_HWA_HCD=m CONFIG_USB_HCD_BCMA=m CONFIG_USB_HCD_SSB=m # CONFIG_USB_HCD_TEST_MODE is not set 
@@ -7188,6 +7236,10 @@ CONFIG_USBIP_VHCI_NR_HCS=1 CONFIG_USBIP_HOST=m CONFIG_USBIP_VUDC=m # CONFIG_USBIP_DEBUG is not set +CONFIG_USB_CDNS3=m +CONFIG_USB_CDNS3_GADGET=y +CONFIG_USB_CDNS3_HOST=y +CONFIG_USB_CDNS3_PCI_WRAP=m CONFIG_USB_MUSB_HDRC=m # CONFIG_USB_MUSB_HOST is not set # CONFIG_USB_MUSB_GADGET is not set @@ -7470,12 +7522,6 @@ CONFIG_TYPEC_NVIDIA_ALTMODE=m CONFIG_USB_ROLE_SWITCH=m CONFIG_USB_ROLES_INTEL_XHCI=m -CONFIG_USB_LED_TRIG=y -CONFIG_USB_ULPI_BUS=m -CONFIG_UWB=m -CONFIG_UWB_HWA=m -CONFIG_UWB_WHCI=m -CONFIG_UWB_I1480U=m CONFIG_MMC=y CONFIG_MMC_BLOCK=m CONFIG_MMC_BLOCK_MINORS=8 @@ -7487,6 +7533,7 @@ CONFIG_SDIO_UART=m # # CONFIG_MMC_DEBUG is not set CONFIG_MMC_SDHCI=m +CONFIG_MMC_SDHCI_IO_ACCESSORS=y CONFIG_MMC_SDHCI_PCI=m CONFIG_MMC_RICOH_MMC=y CONFIG_MMC_SDHCI_ACPI=m @@ -7847,6 +7894,7 @@ CONFIG_DMA_ENGINE_RAID=y CONFIG_SYNC_FILE=y CONFIG_SW_SYNC=y CONFIG_UDMABUF=y +# CONFIG_DMABUF_SELFTESTS is not set # end of DMABUF options CONFIG_DCA=m @@ -7878,18 +7926,18 @@ CONFIG_UIO_NETX=m CONFIG_UIO_PRUSS=m CONFIG_UIO_MF624=m CONFIG_UIO_HV_GENERIC=m -CONFIG_VFIO_IOMMU_TYPE1=m -CONFIG_VFIO_VIRQFD=m -CONFIG_VFIO=m +CONFIG_VFIO_IOMMU_TYPE1=y +CONFIG_VFIO_VIRQFD=y +CONFIG_VFIO=y CONFIG_VFIO_NOIOMMU=y -CONFIG_VFIO_PCI=m +CONFIG_VFIO_PCI=y CONFIG_VFIO_PCI_VGA=y CONFIG_VFIO_PCI_MMAP=y CONFIG_VFIO_PCI_INTX=y CONFIG_VFIO_PCI_IGD=y CONFIG_VFIO_MDEV=m CONFIG_VFIO_MDEV_DEVICE=m -CONFIG_IRQ_BYPASS_MANAGER=m +CONFIG_IRQ_BYPASS_MANAGER=y CONFIG_VIRT_DRIVERS=y # CONFIG_VBOXGUEST is not set CONFIG_VIRTIO=y @@ -7907,7 +7955,6 @@ CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y # CONFIG_HYPERV=m CONFIG_HYPERV_TIMER=y -CONFIG_HYPERV_TSCPAGE=y CONFIG_HYPERV_UTILS=m CONFIG_HYPERV_BALLOON=m # end of Microsoft Hyper-V guest support @@ -7946,6 +7993,8 @@ CONFIG_XEN_HAVE_VPMU=y CONFIG_XEN_FRONT_PGDIR_SHBUF=m # end of Xen driver support +CONFIG_GREYBUS=m +CONFIG_GREYBUS_ES2=m CONFIG_STAGING=y CONFIG_PRISM2_USB=m CONFIG_COMEDI=m 
@@ -8182,7 +8231,6 @@ CONFIG_SPEAKUP_SYNTH_DUMMY=m # end of Speakup console speech CONFIG_STAGING_MEDIA=y -CONFIG_I2C_BCM2048=m CONFIG_VIDEO_IPU3_IMGU=m # @@ -8218,8 +8266,6 @@ CONFIG_MOST_VIDEO=m CONFIG_MOST_I2C=m CONFIG_MOST_USB=m CONFIG_KS7010=m -CONFIG_GREYBUS=m -CONFIG_GREYBUS_ES2=m CONFIG_GREYBUS_AUDIO=m CONFIG_GREYBUS_BOOTROM=m CONFIG_GREYBUS_FIRMWARE=m @@ -8247,15 +8293,6 @@ CONFIG_STAGING_GASKET_FRAMEWORK=m CONFIG_STAGING_APEX_DRIVER=m # end of Gasket devices -CONFIG_EROFS_FS=m -# CONFIG_EROFS_FS_DEBUG is not set -CONFIG_EROFS_FS_XATTR=y -CONFIG_EROFS_FS_POSIX_ACL=y -CONFIG_EROFS_FS_SECURITY=y -# CONFIG_EROFS_FS_USE_VM_MAP_RAM is not set -# CONFIG_EROFS_FAULT_INJECTION is not set -CONFIG_EROFS_FS_IO_MAX_RETRIES=5 -# CONFIG_EROFS_FS_ZIP is not set CONFIG_FIELDBUS_DEV=m CONFIG_KPC2000=y CONFIG_KPC2000_CORE=m @@ -8283,6 +8320,24 @@ CONFIG_HYSDN=m CONFIG_HYSDN_CAPI=y # end of ISDN CAPI drivers +CONFIG_USB_WUSB=m +CONFIG_USB_WUSB_CBAF=m +# CONFIG_USB_WUSB_CBAF_DEBUG is not set +CONFIG_USB_WHCI_HCD=m +CONFIG_USB_HWA_HCD=m +CONFIG_UWB=m +CONFIG_UWB_HWA=m +CONFIG_UWB_WHCI=m +CONFIG_UWB_I1480U=m +CONFIG_EXFAT_FS=m +CONFIG_EXFAT_DONT_MOUNT_VFAT=y +CONFIG_EXFAT_DISCARD=y +# CONFIG_EXFAT_DELAYED_SYNC is not set +# CONFIG_EXFAT_KERNEL_DEBUG is not set +# CONFIG_EXFAT_DEBUG_MSG is not set +CONFIG_EXFAT_DEFAULT_CODEPAGE=437 +CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8" +CONFIG_QLGE=m CONFIG_X86_PLATFORM_DEVICES=y CONFIG_ACER_WMI=m CONFIG_ACER_WIRELESS=m @@ -8379,16 +8434,19 @@ CONFIG_INTEL_SPEED_SELECT_INTERFACE=m # end of Intel Speed Select Technology interface support CONFIG_PMC_ATOM=y +CONFIG_MFD_CROS_EC=m CONFIG_CHROME_PLATFORMS=y CONFIG_CHROMEOS_LAPTOP=m CONFIG_CHROMEOS_PSTORE=m CONFIG_CHROMEOS_TBMC=m +CONFIG_CROS_EC=m CONFIG_CROS_EC_I2C=m CONFIG_CROS_EC_ISHTP=m CONFIG_CROS_EC_SPI=m CONFIG_CROS_EC_LPC=m CONFIG_CROS_EC_PROTO=y CONFIG_CROS_KBD_LED_BACKLIGHT=m +CONFIG_CROS_EC_CHARDEV=m CONFIG_CROS_EC_LIGHTBAR=m CONFIG_CROS_EC_DEBUGFS=m CONFIG_CROS_EC_SYSFS=m 
@@ -8457,7 +8515,7 @@ CONFIG_HYPERV_IOMMU=y # # Remoteproc drivers # -CONFIG_REMOTEPROC=m +CONFIG_REMOTEPROC=y # end of Remoteproc drivers # @@ -8470,7 +8528,7 @@ CONFIG_RPMSG_QCOM_GLINK_RPM=m CONFIG_RPMSG_VIRTIO=m # end of Rpmsg drivers -CONFIG_SOUNDWIRE=y +CONFIG_SOUNDWIRE=m # # SoundWire Devices @@ -8851,6 +8909,7 @@ CONFIG_SI7020=m # Inertial measurement units # CONFIG_ADIS16400=m +CONFIG_ADIS16460=m CONFIG_ADIS16480=m CONFIG_BMI160=m CONFIG_BMI160_I2C=m @@ -8862,6 +8921,7 @@ CONFIG_INV_MPU6050_SPI=m CONFIG_IIO_ST_LSM6DSX=m CONFIG_IIO_ST_LSM6DSX_I2C=m CONFIG_IIO_ST_LSM6DSX_SPI=m +CONFIG_IIO_ST_LSM6DSX_I3C=m # end of Inertial measurement units CONFIG_IIO_ADIS_LIB=m @@ -8895,6 +8955,7 @@ CONFIG_LTR501=m CONFIG_LV0104CS=m CONFIG_MAX44000=m CONFIG_MAX44009=m +CONFIG_NOA1305=m CONFIG_OPT3001=m CONFIG_PA12203001=m CONFIG_SI1133=m @@ -8965,6 +9026,7 @@ CONFIG_IIO_SYSFS_TRIGGER=m # CONFIG_AD5272=m CONFIG_DS1803=m +CONFIG_MAX5432=m CONFIG_MAX5481=m CONFIG_MAX5487=m CONFIG_MCP4018=m @@ -9284,6 +9346,9 @@ CONFIG_EXPORTFS_BLOCK_OPS=y CONFIG_FILE_LOCKING=y CONFIG_MANDATORY_FILE_LOCKING=y CONFIG_FS_ENCRYPTION=y +CONFIG_FS_VERITY=y +# CONFIG_FS_VERITY_DEBUG is not set +CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y CONFIG_FSNOTIFY=y CONFIG_DNOTIFY=y CONFIG_INOTIFY_USER=y @@ -9302,6 +9367,7 @@ CONFIG_AUTOFS4_FS=m CONFIG_AUTOFS_FS=m CONFIG_FUSE_FS=y CONFIG_CUSE=m +CONFIG_VIRTIO_FS=m CONFIG_OVERLAY_FS=m # CONFIG_OVERLAY_FS_REDIRECT_DIR is not set CONFIG_OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW=y @@ -9458,6 +9524,13 @@ CONFIG_SYSV_FS=m CONFIG_UFS_FS=m # CONFIG_UFS_FS_WRITE is not set # CONFIG_UFS_DEBUG is not set +CONFIG_EROFS_FS=m +# CONFIG_EROFS_FS_DEBUG is not set +CONFIG_EROFS_FS_XATTR=y +CONFIG_EROFS_FS_POSIX_ACL=y +CONFIG_EROFS_FS_SECURITY=y +CONFIG_EROFS_FS_ZIP=y +CONFIG_EROFS_FS_CLUSTER_PAGE_LIMIT=1 CONFIG_AUFS_FS=m CONFIG_AUFS_BRANCH_MAX_127=y # CONFIG_AUFS_BRANCH_MAX_511 is not set 
@@ -9506,7 +9579,6 @@ CONFIG_NFSD_BLOCKLAYOUT=y CONFIG_NFSD_SCSILAYOUT=y CONFIG_NFSD_FLEXFILELAYOUT=y CONFIG_NFSD_V4_SECURITY_LABEL=y -# CONFIG_NFSD_FAULT_INJECTION is not set CONFIG_GRACE_PERIOD=m CONFIG_LOCKD=m CONFIG_LOCKD_V4=y @@ -9631,10 +9703,6 @@ CONFIG_HARDENED_USERCOPY_FALLBACK=y # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set CONFIG_FORTIFY_SOURCE=y # CONFIG_STATIC_USERMODEHELPER is not set -CONFIG_LOCK_DOWN_KERNEL=y -# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set -CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ=y -CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y CONFIG_SECURITY_SELINUX=y CONFIG_SECURITY_SELINUX_BOOTPARAM=y # CONFIG_SECURITY_SELINUX_DISABLE is not set @@ -9659,6 +9727,12 @@ CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y # CONFIG_SECURITY_LOADPIN is not set CONFIG_SECURITY_YAMA=y CONFIG_SECURITY_SAFESETID=y +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_LOCK_DOWN_IN_SECURE_BOOT=y +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set CONFIG_INTEGRITY=y CONFIG_INTEGRITY_SIGNATURE=y CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y @@ -9683,6 +9757,7 @@ CONFIG_IMA_APPRAISE=y # CONFIG_IMA_ARCH_POLICY is not set # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y +CONFIG_IMA_APPRAISE_MODSIG=y CONFIG_IMA_TRUSTED_KEYRING=y # CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set @@ -9697,7 +9772,7 @@ CONFIG_EVM_ADD_XATTRS=y # CONFIG_DEFAULT_SECURITY_TOMOYO is not set CONFIG_DEFAULT_SECURITY_APPARMOR=y # CONFIG_DEFAULT_SECURITY_DAC is not set -CONFIG_LSM="yama,integrity,apparmor" +CONFIG_LSM="lockdown,yama,integrity,apparmor" # # Kernel hardening options 
@@ -9771,18 +9846,7 @@ CONFIG_CRYPTO_CCM=m CONFIG_CRYPTO_GCM=y CONFIG_CRYPTO_CHACHA20POLY1305=m CONFIG_CRYPTO_AEGIS128=m -CONFIG_CRYPTO_AEGIS128L=m -CONFIG_CRYPTO_AEGIS256=m CONFIG_CRYPTO_AEGIS128_AESNI_SSE2=m -CONFIG_CRYPTO_AEGIS128L_AESNI_SSE2=m -CONFIG_CRYPTO_AEGIS256_AESNI_SSE2=m -CONFIG_CRYPTO_MORUS640=m -CONFIG_CRYPTO_MORUS640_GLUE=m -CONFIG_CRYPTO_MORUS640_SSE2=m -CONFIG_CRYPTO_MORUS1280=m -CONFIG_CRYPTO_MORUS1280_GLUE=m -CONFIG_CRYPTO_MORUS1280_SSE2=m -CONFIG_CRYPTO_MORUS1280_AVX2=m CONFIG_CRYPTO_SEQIV=y CONFIG_CRYPTO_ECHAINIV=m @@ -9803,6 +9867,7 @@ CONFIG_CRYPTO_NHPOLY1305=m CONFIG_CRYPTO_NHPOLY1305_SSE2=m CONFIG_CRYPTO_NHPOLY1305_AVX2=m CONFIG_CRYPTO_ADIANTUM=m +CONFIG_CRYPTO_ESSIV=m # # Hash modes @@ -9836,6 +9901,7 @@ CONFIG_CRYPTO_SHA1=y CONFIG_CRYPTO_SHA1_SSSE3=m CONFIG_CRYPTO_SHA256_SSSE3=m CONFIG_CRYPTO_SHA512_SSSE3=m +CONFIG_CRYPTO_LIB_SHA256=y CONFIG_CRYPTO_SHA256=y CONFIG_CRYPTO_SHA512=y CONFIG_CRYPTO_SHA3=m @@ -9848,9 +9914,9 @@ CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m # # Ciphers # +CONFIG_CRYPTO_LIB_AES=y CONFIG_CRYPTO_AES=y CONFIG_CRYPTO_AES_TI=m -CONFIG_CRYPTO_AES_X86_64=m CONFIG_CRYPTO_AES_NI_INTEL=m CONFIG_CRYPTO_ANUBIS=m CONFIG_CRYPTO_LIB_ARC4=m @@ -9867,6 +9933,7 @@ CONFIG_CRYPTO_CAST5=m CONFIG_CRYPTO_CAST5_AVX_X86_64=m CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_CAST6_AVX_X86_64=m +CONFIG_CRYPTO_LIB_DES=m CONFIG_CRYPTO_DES=m CONFIG_CRYPTO_DES3_EDE_X86_64=m CONFIG_CRYPTO_FCRYPT=m 
@@ -9926,19 +9993,21 @@ CONFIG_CRYPTO_DEV_CCP_DD=m CONFIG_CRYPTO_DEV_SP_CCP=y CONFIG_CRYPTO_DEV_CCP_CRYPTO=m CONFIG_CRYPTO_DEV_SP_PSP=y +# CONFIG_CRYPTO_DEV_CCP_DEBUGFS is not set CONFIG_CRYPTO_DEV_QAT=m CONFIG_CRYPTO_DEV_QAT_DH895xCC=m -# CONFIG_CRYPTO_DEV_QAT_C3XXX is not set -# CONFIG_CRYPTO_DEV_QAT_C62X is not set +CONFIG_CRYPTO_DEV_QAT_C3XXX=m +CONFIG_CRYPTO_DEV_QAT_C62X=m CONFIG_CRYPTO_DEV_QAT_DH895xCCVF=m -# CONFIG_CRYPTO_DEV_QAT_C3XXXVF is not set -# CONFIG_CRYPTO_DEV_QAT_C62XVF is not set +CONFIG_CRYPTO_DEV_QAT_C3XXXVF=m +CONFIG_CRYPTO_DEV_QAT_C62XVF=m CONFIG_CRYPTO_DEV_NITROX=m CONFIG_CRYPTO_DEV_NITROX_CNN55XX=m CONFIG_CRYPTO_DEV_CHELSIO=m CONFIG_CHELSIO_IPSEC_INLINE=y CONFIG_CRYPTO_DEV_CHELSIO_TLS=m CONFIG_CRYPTO_DEV_VIRTIO=m +CONFIG_CRYPTO_DEV_SAFEXCEL=m CONFIG_ASYMMETRIC_KEY_TYPE=y CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE=m @@ -10044,7 +10113,6 @@ CONFIG_HAS_DMA=y CONFIG_NEED_SG_DMA_LENGTH=y CONFIG_NEED_DMA_MAP_STATE=y CONFIG_ARCH_DMA_ADDR_T_64BIT=y -CONFIG_DMA_DECLARE_COHERENT=y CONFIG_ARCH_HAS_FORCE_DMA_UNENCRYPTED=y CONFIG_DMA_VIRT_OPS=y CONFIG_SWIOTLB=y @@ -10123,7 +10191,6 @@ CONFIG_GDB_SCRIPTS=y CONFIG_FRAME_WARN=1024 # CONFIG_STRIP_ASM_SYMS is not set # CONFIG_READABLE_ASM is not set -CONFIG_UNUSED_SYMBOLS=y CONFIG_DEBUG_FS=y # CONFIG_HEADERS_INSTALL is not set CONFIG_OPTIMIZE_INLINING=y -- 2.31.1 From 1991da2ea96cb1f67f48b687ca7e010346d3fb31 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Sat, 30 May 2020 23:17:46 +0300 Subject: [PATCH 13/16] Add the link to @BlackIkeEagle article --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 3e95e95..b2a62bd 100644 --- a/README.md +++ b/README.md 
@@ -248,9 +248,17 @@ __A:__ I personally don't support this recommendation because it provides easy d attacks for the whole system (kernel oops is not a rare situation). I think having `CONFIG_BUG` is enough here -- if we have a kernel oops in the process context, the offending/attacking process is killed. +
+ +__Q:__ What about performance impact of these kernel hardening options? + +__A:__ Ike Devolder [@BlackIkeEagle][7] made some performance tests and described the results in [this article][8]. + [1]: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings [2]: https://docs.clip-os.org/clipos/kernel.html#configuration [3]: https://grsecurity.net/ [4]: https://github.com/a13xp0p0v/linux-kernel-defence-map [5]: https://lwn.net/Articles/791863/ [6]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/38 +[7]: https://github.com/BlackIkeEagle +[8]: https://blog.herecura.eu/blog/2020-05-30-kconfig-hardening-tests/ -- 2.31.1 From d4063eeed7895b44c6ed1586059b45ad243ff4e1 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Fri, 3 Jul 2020 21:10:56 +0300 Subject: [PATCH 14/16] Add the link to huldufolk project by @tych0 --- README.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/README.md b/README.md index b2a62bd..c5cc464 100644 --- a/README.md +++ b/README.md @@ -254,6 +254,17 @@ __Q:__ What about performance impact of these kernel hardening options? __A:__ Ike Devolder [@BlackIkeEagle][7] made some performance tests and described the results in [this article][8]. +
+ +__Q:__ Why enabling `CONFIG_STATIC_USERMODEHELPER` breaks various things in my GNU/Linux system? +Do I really need that feature? + +__A:__ Linux kernel usermode helpers can be used for privilege escalation in kernel exploits +([example 1][9], [example 2][10]). `CONFIG_STATIC_USERMODEHELPER` prevents that method. But it +requires the corresponding support in the userspace: see the [example implementation][11] by +Tycho Andersen [@tych0][12]. + + [1]: http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings [2]: https://docs.clip-os.org/clipos/kernel.html#configuration [3]: https://grsecurity.net/ @@ -262,3 +273,7 @@ __A:__ Ike Devolder [@BlackIkeEagle][7] made some performance tests and describe [6]: https://github.com/a13xp0p0v/kconfig-hardened-check/issues/38 [7]: https://github.com/BlackIkeEagle [8]: https://blog.herecura.eu/blog/2020-05-30-kconfig-hardening-tests/ +[9]: https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html +[10]: https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html +[11]: https://github.com/tych0/huldufolk +[12]: https://github.com/tych0 -- 2.31.1 From 3c896896129b48ed36a3afd49f558618de45a5af Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Tue, 7 Jul 2020 01:55:21 +0300 Subject: [PATCH 15/16] ARM64_PTR_AUTH is now supported for the kernel (from v5.7) --- kconfig_hardened_check/__init__.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 9bc7828..4da068f 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py 
@@ -309,6 +309,7 @@ def construct_checklist(checklist, arch): checklist.append(OptCheck('UNMAP_KERNEL_AT_EL0', 'y', 'defconfig', 'self_protection')) checklist.append(OptCheck('HARDEN_EL2_VECTORS', 'y', 'defconfig', 'self_protection')) checklist.append(OptCheck('RODATA_FULL_DEFAULT_ENABLED', 'y', 'defconfig', 'self_protection')) + checklist.append(OptCheck('ARM64_PTR_AUTH', 'y', 'defconfig', 'self_protection')) if arch in ('X86_64', 'ARM64'): checklist.append(OptCheck('VMAP_STACK', 'y', 'defconfig', 'self_protection')) if arch in ('X86_64', 'ARM64', 'X86_32'): @@ -495,8 +496,6 @@ def construct_checklist(checklist, arch): checklist.append(OptCheck('INPUT_EVBUG', 'is not set', 'my', 'cut_attack_surface')) # Can be used as a keylogger checklist.append(OptCheck('INTEGRITY', 'y', 'defconfig', 'userspace_hardening')) - if arch == 'ARM64': - checklist.append(OptCheck('ARM64_PTR_AUTH', 'y', 'defconfig', 'userspace_hardening')) if arch in ('ARM', 'X86_32'): checklist.append(OptCheck('VMSPLIT_3G', 'y', 'defconfig', 'userspace_hardening')) if arch in ('X86_64', 'ARM64'): -- 2.31.1 From 08ce37731061a74fc3711567231be71461d7eeff Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Thu, 9 Jul 2020 08:59:24 +0300 Subject: [PATCH 16/16] Don't return self.result in check() method -- it's not used --- kconfig_hardened_check/__init__.py | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py index 4da068f..6640200 100644 --- a/kconfig_hardened_check/__init__.py +++ b/kconfig_hardened_check/__init__.py @@ -98,8 +98,8 @@ class OptCheck: self.result = 'FAIL: "' + self.state + '"' if self.result.startswith('OK'): - return True, self.result - return False, self.result + return True + return False def table_print(self, with_results): print('CONFIG_{:<38}|{:^13}|{:^10}|{:^20}'.format(self.name, self.expected, self.decision, self.reason), end='') 
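Review bot: The new `ARM64_PTR_AUTH` self_protection entry is not gated on the kernel version, although the commit message says kernel-side support only arrived in v5.7; on an older ARM64 config `CONFIG_ARM64_PTR_AUTH=y` would be reported as OK for self_protection even though, per the commit message, it then only covers userspace. The file already has the `VerCheck` and `AND` combinators, so the entry could be written as `checklist.append(AND(OptCheck('ARM64_PTR_AUTH', 'y', 'defconfig', 'self_protection'), VerCheck((5, 7))))`, assuming that is how other version-dependent checks are combined elsewhere in construct_checklist (not visible here). The enclosing `if arch == 'ARM64':` block starts outside the hunk, and construct_checklist continues beyond it.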
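Review bot: The tail of OptCheck.check in this hunk now only maps a prefix test onto literal booleans, so the `if self.result.startswith('OK'): return True` / `return False` pair can be collapsed to the single predicate `return self.result.startswith('OK')`. That also makes it obvious that the return value is derived from the result string rather than tracked separately. OptCheck.check's body starts outside the hunk.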
@@ -115,15 +115,15 @@ class VerCheck: def check(self): if kernel_version[0] > self.ver_expected[0]: self.result = 'OK: version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1]) - return True, self.result + return True if kernel_version[0] < self.ver_expected[0]: self.result = 'FAIL: version < ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1]) - return False, self.result + return False if kernel_version[1] >= self.ver_expected[1]: self.result = 'OK: version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1]) - return True, self.result + return True self.result = 'FAIL: version < ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1]) - return False, self.result + return False def table_print(self, with_results): ver_req = 'kernel version >= ' + str(self.ver_expected[0]) + '.' + str(self.ver_expected[1]) @@ -141,9 +141,9 @@ class PresenceCheck: def check(self): if self.state is None: self.result = 'FAIL: not present' - return False, self.result + return False self.result = 'OK: is present' - return True, self.result + return True def table_print(self, with_results): print('CONFIG_{:<84}'.format(self.name + ' is present'), end='') @@ -202,15 +202,15 @@ class OR(ComplexOptCheck): sys.exit('[!] ERROR: invalid OR check') for i, opt in enumerate(self.opts): - ret, _ = opt.check() + ret = opt.check() if ret: if i == 0 or not hasattr(opt, 'expected'): self.result = opt.result else: self.result = 'OK: CONFIG_{} "{}"'.format(opt.name, opt.expected) - return True, self.result + return True self.result = self.opts[0].result - return False, self.result + return False class AND(ComplexOptCheck): 
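Review bot: VerCheck.check builds the same `major.minor` string four times and spreads one ordering test over three comparisons, so the OK/FAIL strings in the new body can drift apart on a future edit. A tuple comparison on the first two components gives the same result (major greater, or major equal and minor greater-or-equal) with each message written once; `tuple(...)` on both sides keeps the comparison valid whatever sequence type the module-level `kernel_version` turns out to be, which is not visible here. table_print builds the same `ver_req` string, so the shared prefix could become a small helper as well. The rewritten method body is below.
```python
    def check(self):
        ver_str = str(self.ver_expected[0]) + '.' + str(self.ver_expected[1])
        if tuple(kernel_version[:2]) >= tuple(self.ver_expected[:2]):
            self.result = 'OK: version >= ' + ver_str
            return True
        self.result = 'FAIL: version < ' + ver_str
        return False
```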
@@ -220,16 +220,16 @@ class AND(ComplexOptCheck): def check(self): for i, opt in reversed(list(enumerate(self.opts))): - ret, _ = opt.check() + ret = opt.check() if i == 0: self.result = opt.result - return ret, self.result + return ret if not ret: if hasattr(opt, 'expected'): self.result = 'FAIL: CONFIG_{} is needed'.format(opt.name) else: self.result = opt.result - return False, self.result + return False sys.exit('[!] ERROR: invalid AND check') -- 2.31.1
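Review bot: In AND.check the failure message for a dependency with an `expected` attribute is always `'FAIL: CONFIG_{} is needed'.format(opt.name)`, which ignores what was expected; if any AND in the checklist depends on an option being `'is not set'`, a failure would tell the user to enable the very option that should be absent. Including the expectation, e.g. `self.result = 'FAIL: CONFIG_{} is needed to be "{}"'.format(opt.name, opt.expected)`, keeps the message correct for both polarities and mirrors the `OK: CONFIG_{} "{}"` form that OR.check already uses. The trailing `sys.exit('[!] ERROR: invalid AND check')` is only reachable when `self.opts` is empty, which would be cheaper to reject in `__init__`; whether the constructor already does so is outside this hunk.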