Drop CONFIG_X86_MSR from the recommendations
authorAlexander Popov <alex.popov@linux.com>
Tue, 4 Jun 2019 22:04:07 +0000 (01:04 +0300)
committerAlexander Popov <alex.popov@linux.com>
Tue, 4 Jun 2019 22:04:07 +0000 (01:04 +0300)
It exposes MSRs to userspace; IMO it is not needed for mitigating
X86 CPU bugs.

Refers to the issue #19 (comment by @Bernhard40)

README.md
kconfig-hardened-check.py

index 3f661fd4cbc95d1d4e30163db068195328a56713..c69a5e7f228bc290aac09c00331384bc3d30079d 100644 (file)
--- a/README.md
+++ b/README.md
@@ -100,7 +100,6 @@ CONFIG_STACKLEAK_METRICS                | is not set  |  clipos  |  self_protect
 CONFIG_STACKLEAK_RUNTIME_DISABLE        | is not set  |  clipos  |  self_protection   ||FAIL: CONFIG_GCC_PLUGIN_STACKLEAK is needed
 CONFIG_RANDOM_TRUST_CPU                 | is not set  |  clipos  |  self_protection   ||       OK: not found        
 CONFIG_MICROCODE                        |      y      |  clipos  |  self_protection   ||             OK             
-CONFIG_X86_MSR                          |      y      |  clipos  |  self_protection   ||         FAIL: "m"          
 CONFIG_IOMMU_SUPPORT                    |      y      |  clipos  |  self_protection   ||             OK             
 CONFIG_INTEL_IOMMU                      |      y      |  clipos  |  self_protection   ||             OK             
 CONFIG_INTEL_IOMMU_SVM                  |      y      |  clipos  |  self_protection   ||             OK             
@@ -173,7 +172,7 @@ CONFIG_FTRACE                           | is not set  |    my    | cut_attack_su
 CONFIG_BPF_JIT                          | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
 CONFIG_ARCH_MMAP_RND_BITS               |     32      |  clipos  |userspace_protection||         FAIL: "28"         
 
-[+] config check is finished: 'OK' - 50 / 'FAIL' - 71
+[+] config check is finished: 'OK' - 50 / 'FAIL' - 70
 ```
 
 
index cb59e39402ddb6d82edc5f4d6db39bc9e9197c59..9ca0279700ae1d9c4ce911f27f72f9e90c6a6519 100755 (executable)
@@ -257,7 +257,6 @@ def construct_checklist(arch):
     if debug_mode or arch == 'X86_64' or arch == 'X86_32':
         checklist.append(OptCheck('RANDOM_TRUST_CPU',             'is not set', 'clipos', 'self_protection'))
         checklist.append(OptCheck('MICROCODE',                    'y', 'clipos', 'self_protection')) # is needed for mitigating CPU bugs
-        checklist.append(OptCheck('X86_MSR',                      'y', 'clipos', 'self_protection')) # is needed for mitigating CPU bugs
         iommu_support_is_set = OptCheck('IOMMU_SUPPORT',          'y', 'clipos', 'self_protection') # is needed for mitigating DMA attacks
         checklist.append(iommu_support_is_set)
         checklist.append(AND(OptCheck('INTEL_IOMMU',              'y', 'clipos', 'self_protection'), \