projects / kconfig-hardened-check.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 4c2090a)
Check that CoreSight Tracing Support is disabled (to cut attack surface)
authorAlexander Popov <alex.popov@linux.com>
Sat, 22 Apr 2023 14:50:25 +0000 (17:50 +0300)
committerAlexander Popov <alex.popov@linux.com>
Sat, 22 Apr 2023 14:50:25 +0000 (17:50 +0300)
The CONFIG_CORESIGHT framework provides a kernel interface for the
CoreSight debug and trace drivers for ARM/ARM64. It's better to have it
disabled to cut attack surface.

kconfig_hardened_check/checks.py patch | blob | history

diff --git a/kconfig_hardened_check/checks.py b/kconfig_hardened_check/checks.py
index 60841e2fc12a8935e65ec0228d00e0609d8045dc..ff1ce79907724c55d1c2da8cdb80ef5cf203d79a 100644 (file)
--- a/kconfig_hardened_check/checks.py
+++ b/kconfig_hardened_check/checks.py
@@ -390,6 +390,7 @@ def add_kconfig_checks(l, arch):
     l += [KconfigCheck('cut_attack_surface', 'my', 'INPUT_EVBUG', 'is not set')] # Can be used as a keylogger
     l += [KconfigCheck('cut_attack_surface', 'my', 'KGDB', 'is not set')]
     l += [KconfigCheck('cut_attack_surface', 'my', 'AIO', 'is not set')]
+    l += [KconfigCheck('cut_attack_surface', 'my', 'CORESIGHT', 'is not set')]
     l += [OR(KconfigCheck('cut_attack_surface', 'my', 'TRIM_UNUSED_KSYMS', 'y'),
              modules_not_set)]
 
kconfig-hardened-check