'mitigations=auto,nosmt' is now recommended by KSPP

author Alexander Popov <alex.popov@linux.com>

Mon, 16 Oct 2023 20:22:59 +0000 (23:22 +0300)

committer Alexander Popov <alex.popov@linux.com>

Mon, 16 Oct 2023 20:22:59 +0000 (23:22 +0300)
author Alexander Popov <alex.popov@linux.com>
Mon, 16 Oct 2023 20:22:59 +0000 (23:22 +0300)
committer Alexander Popov <alex.popov@linux.com>
Mon, 16 Oct 2023 20:22:59 +0000 (23:22 +0300)
diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py

index 4bebb8c4da1e36e36396958f7f61d5a203f3b346..f1530f58af99a6bf403ad96bd4dbffdb657be578 100644 (file)
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -457,8 +457,8 @@ def add_cmdline_checks(l, arch):
                   CmdlineCheck('self_protection', 'defconfig', 'rodata', 'is not set'))]
  
      # 'self_protection', 'kspp'
-    l += [CmdlineCheck('self_protection', 'kspp', 'nosmt', 'is present')]
-    l += [CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt')] # 'nosmt' by kspp + 'auto' by defconfig
+    l += [CmdlineCheck('self_protection', 'kspp', 'mitigations', 'auto,nosmt')]
+    l += [CmdlineCheck('self_protection', 'kspp', 'nosmt', 'is present')] # slow (high performance penalty)
      l += [CmdlineCheck('self_protection', 'kspp', 'slab_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp
      l += [CmdlineCheck('self_protection', 'kspp', 'slub_merge', 'is not set')] # consequence of 'slab_nomerge' by kspp
      l += [OR(CmdlineCheck('self_protection', 'kspp', 'slab_nomerge', 'is present'),
author	Alexander Popov <alex.popov@linux.com>
	Mon, 16 Oct 2023 20:22:59 +0000 (23:22 +0300)
committer	Alexander Popov <alex.popov@linux.com>
	Mon, 16 Oct 2023 20:22:59 +0000 (23:22 +0300)