X-Git-Url: https://jxself.org/git/?a=blobdiff_plain;f=kernel_hardening_checker%2Fchecks.py;h=9fc92e5632b2dcb04e0bd8666a11c4093714f899;hb=6a456d6a2e0901059e809008a6e334bc4b7b1e69;hp=d02eb4b8e0b94d5564051f893396e569b7c8743d;hpb=4e3f9782fec90b034e69709e3d8dcda872891d8a;p=kconfig-hardened-check.git

diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index d02eb4b..9fc92e5 100644
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -63,9 +63,16 @@ def add_kconfig_checks(l, arch):
         l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE_INTEL', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'X86_MCE_AMD', 'y')]
-        l += [KconfigCheck('self_protection', 'defconfig', 'MICROCODE', 'y')] # is needed for mitigating CPU bugs
         l += [KconfigCheck('self_protection', 'defconfig', 'RETPOLINE', 'y')]
         l += [KconfigCheck('self_protection', 'defconfig', 'SYN_COOKIES', 'y')] # another reason?
+        microcode_is_set = KconfigCheck('self_protection', 'defconfig', 'MICROCODE', 'y')
+        l += [microcode_is_set] # is needed for mitigating CPU bugs
+        l += [OR(KconfigCheck('self_protection', 'defconfig', 'MICROCODE_INTEL', 'y'),
+                 AND(microcode_is_set,
+                     VersionCheck((6, 6))))] # MICROCODE_INTEL was included in MICROCODE since v6.6
+        l += [OR(KconfigCheck('self_protection', 'defconfig', 'MICROCODE_AMD', 'y'),
+                 AND(microcode_is_set,
+                     VersionCheck((6, 6))))] # MICROCODE_AMD was included in MICROCODE since v6.6
         l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_SMAP', 'y'),
                  VersionCheck((5, 19)))] # X86_SMAP is enabled by default since v5.19
         l += [OR(KconfigCheck('self_protection', 'defconfig', 'X86_UMIP', 'y'),