Add the check for the iommu cmdline option

author Alexander Popov <alex.popov@linux.com>

Sat, 21 Jan 2023 21:58:41 +0000 (00:58 +0300)

committer Alexander Popov <alex.popov@linux.com>

Sat, 21 Jan 2023 22:00:14 +0000 (01:00 +0300)
author Alexander Popov <alex.popov@linux.com>
Sat, 21 Jan 2023 21:58:41 +0000 (00:58 +0300)
committer Alexander Popov <alex.popov@linux.com>
Sat, 21 Jan 2023 22:00:14 +0000 (01:00 +0300)
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py

index fae452415afbe96eb8feb2e53a2f8dcb0fcfe027..d3fc58dcfa725f055b90a3ea633925cba2a8497e 100644 (file)
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -10,9 +10,6 @@
  # Please don't cry if my Python code looks like C.
  #
  #
-# N.B Missing hardening command line parameters:
-#    iommu=force (does it help against DMA attacks?)
-#
  #    Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE):
  #           kasan=on
  #           kasan.stacktrace=off
@@ -796,6 +793,8 @@ def add_cmdline_checks(l, arch):
  
      # 'self_protection', 'clipos'
      l += [CmdlineCheck('self_protection', 'clipos', 'page_alloc.shuffle', '1')]
+    if arch in ('X86_64', 'X86_32'):
+        l += [CmdlineCheck('self_protection', 'clipos', 'iommu', 'force')]
  
      # 'cut_attack_surface', 'defconfig'
      if arch in ('X86_64', 'X86_32'):
author	Alexander Popov <alex.popov@linux.com>
	Sat, 21 Jan 2023 21:58:41 +0000 (00:58 +0300)
committer	Alexander Popov <alex.popov@linux.com>
	Sat, 21 Jan 2023 22:00:14 +0000 (01:00 +0300)