diff --git a/kernel/build/config-arm64 b/kernel/build/config-arm64 index 98099db3a..a107e79e8 100644 --- a/kernel/build/config-arm64 +++ b/kernel/build/config-arm64 @@ -2080,7 +2080,7 @@ CONFIG_EFI_BOOTLOADER_CONTROL=y CONFIG_EFI_CAPSULE_LOADER=y CONFIG_EFI_TEST=y CONFIG_RESET_ATTACK_MITIGATION=y -CONFIG_EFI_DISABLE_PCI_DMA=y +# CONFIG_EFI_DISABLE_PCI_DMA is not set CONFIG_EFI_EARLYCON=y CONFIG_EFI_CUSTOM_SSDT_OVERLAYS=y # CONFIG_EFI_DISABLE_RUNTIME is not set diff --git a/kernel/build/pkg.yaml b/kernel/build/pkg.yaml index d54453848..27aaccf22 100644 --- a/kernel/build/pkg.yaml +++ b/kernel/build/pkg.yaml @@ -21,7 +21,7 @@ steps: {{ else }} - | cd /src - python3 /toolchain/kernel-hardening-checker/bin/kernel-hardening-checker -c .config -m json | python3 /pkg/scripts/filter-hardened-check.py + python3 /toolchain/kernel-hardening-checker/bin/kernel-hardening-checker -c .config -m json | python3 /pkg/scripts/filter-hardened-check.py ${CARCH} - | cd /src diff --git a/kernel/build/scripts/filter-hardened-check.py b/kernel/build/scripts/filter-hardened-check.py index 2b5b49a32..085ae2bf8 100644 --- a/kernel/build/scripts/filter-hardened-check.py +++ b/kernel/build/scripts/filter-hardened-check.py 
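Review bot: Switching CONFIG_EFI_DISABLE_PCI_DMA to `is not set` in the arm64 config gives up the EFI stub's disabling of PCI bus mastering just before ExitBootServices(), so a DMA-capable device the firmware left active keeps write access to memory until the kernel's own IOMMU setup takes over, and nothing in this hunk records that trade-off (a `.config` comment would not survive `olddefconfig`, so the record has to live in the filter script or an issue). The only reason given elsewhere in this commit is that enabling it breaks arm64 boot with no console output, which points at a platform or firmware interaction that deserves a tracking issue like the one cited for CONFIG_ARM64_BTI_KERNEL rather than a permanent exemption. The stub appears to honor a command-line override for this option (`efi=disable_early_pci_dma` turns it on for a build where it is off), so platforms whose firmware is known to cope could opt back in without another config flip — worth confirming against the Kconfig help text for this kernel version. It is also worth confirming that this config still enables the SMMU driver and strict DMA domains, since that is now the only protection against device DMA between firmware handoff and IOMMU init.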
@@ -27,11 +27,28 @@ 'CONFIG_RANDSTRUCT_PERFORMANCE', # disabled due to performance reasons 'CONFIG_UBSAN_TRAP', # disabled due to performance reasons 'CONFIG_CFI_CLANG', # SideroLabs toolchain uses gcc, investigae more, see https://github.com/siderolabs/pkgs/issues/918 - 'CONFIG_CFI_PERMISSIVE', # SideroLabs toolchain uses gcc, investigae more, see https://github.com/siderolabs/pkgs/issues/918 - 'CONFIG_ARM64_BTI_KERNEL', # can't seem to enable this, probably because we're using gcc, see https://github.com/siderolabs/pkgs/issues/918 + 'CONFIG_CFI_PERMISSIVE', # SideroLabs toolchain uses gcc, investigae more, see https://github.com/siderolabs/pkgs/issues/91 +} + +""" +Names of violations per arch we ignore for a good reason. +""" +IGNORE_VIOLATIONS_BY_ARCH = { + 'arm64': { + 'CONFIG_ARM64_BTI_KERNEL', # can't seem to enable this, probably because we're using gcc, see https://github.com/siderolabs/pkgs/issues/918 + 'CONFIG_EFI_DISABLE_PCI_DMA', # for arm64, enabling this breaks boot with no visible error messages to debug. + }, + 'amd64': {}, } def main(): + if len(sys.argv) != 2: + print("Usage: {} ".format(sys.argv[0])) + + sys.exit(1) + + arch = sys.argv[1] + violations = json.load(sys.stdin) # filter out non-failures @@ -40,6 +57,9 @@ def main(): # filter only failures in the groups we're interested in violations = [item for item in violations if item["decision"] in GROUPS] + # add violations we ignore per arch + IGNORE_VIOLATIONS.update(IGNORE_VIOLATIONS_BY_ARCH[arch]) + # filter out violations we ignore violations = [item for item in violations if item["option_name"] not in IGNORE_VIOLATIONS]
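Review bot: `arch = sys.argv[1]` is accepted without checking it against `IGNORE_VIOLATIONS_BY_ARCH`, so a CARCH value other than `arm64`/`amd64` (or a typo in pkg.yaml) surfaces later as a bare KeyError traceback instead of a clear usage error, and the usage message goes to stdout, which is this script's output channel in the pipeline. Validate the arch right after reading it and send diagnostics to stderr, as below; the usage string shows here as `"Usage: {} "`, presumably a stripped `<arch>` placeholder, which is worth checking. Two smaller points in the new table: `'amd64': {}` is an empty dict where the arm64 value is a set — write `'amd64': set()` so both values have one type — and the rewritten CONFIG_CFI_PERMISSIVE comment lost the last digit of its issue link (`/issues/91`; the removed line had `/issues/918`). Since this table is where hardening checks get silenced, the new CONFIG_EFI_DISABLE_PCI_DMA entry should also name the security cost (no PCI bus-mastering disable before ExitBootServices on arm64) and a tracking issue, not only the boot symptom. main() continues beyond this hunk.

```python
def main():
    if len(sys.argv) != 2:
        print("Usage: {} <arch>".format(sys.argv[0]), file=sys.stderr)
        sys.exit(1)

    arch = sys.argv[1]
    if arch not in IGNORE_VIOLATIONS_BY_ARCH:
        print("unknown arch {!r}; expected one of {}".format(arch, ", ".join(sorted(IGNORE_VIOLATIONS_BY_ARCH))), file=sys.stderr)
        sys.exit(1)

    # … unchanged: load violations from stdin and filter …
```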