Don't recommend disabling IKCONFIG anymore

author Alexander Popov <alex.popov@linux.com>

Thu, 28 Nov 2019 16:30:01 +0000 (19:30 +0300)

committer Alexander Popov <alex.popov@linux.com>

Thu, 28 Nov 2019 16:30:01 +0000 (19:30 +0300)
author Alexander Popov <alex.popov@linux.com>
Thu, 28 Nov 2019 16:30:01 +0000 (19:30 +0300)
committer Alexander Popov <alex.popov@linux.com>
Thu, 28 Nov 2019 16:30:01 +0000 (19:30 +0300)
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py

index 5c60fb7a63d02e0a8f64fb9a27bf804373c969ce..2ed79cda1113c015ab45af7d6f54b6397822fc52 100755 (executable)
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -363,7 +363,7 @@ def construct_checklist(checklist, arch):
      checklist.append(OptCheck('MMIOTRACE_TEST',       'is not set', 'lockdown', 'cut_attack_surface')) # refers to LOCK_DOWN_KERNEL
  
      checklist.append(OptCheck('KSM',                      'is not set', 'clipos', 'cut_attack_surface')) # to prevent FLUSH+RELOAD attack
-    checklist.append(OptCheck('IKCONFIG',                 'is not set', 'clipos', 'cut_attack_surface'))
+#   checklist.append(OptCheck('IKCONFIG',                 'is not set', 'clipos', 'cut_attack_surface')) # no, this info is needed for this check :)
      checklist.append(OptCheck('KALLSYMS',                 'is not set', 'clipos', 'cut_attack_surface'))
      checklist.append(OptCheck('X86_VSYSCALL_EMULATION',   'is not set', 'clipos', 'cut_attack_surface'))
      checklist.append(OptCheck('MAGIC_SYSRQ',              'is not set', 'clipos', 'cut_attack_surface'))
author	Alexander Popov <alex.popov@linux.com>
	Thu, 28 Nov 2019 16:30:01 +0000 (19:30 +0300)
committer	Alexander Popov <alex.popov@linux.com>
	Thu, 28 Nov 2019 16:30:01 +0000 (19:30 +0300)