KCC recommends disabling DEVMEM and setting STRICT_DEVMEM and
IO_STRICT_DEVMEM, but from [1]:
> # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
> # CONFIG_DEVMEM is not set
> CONFIG_STRICT_DEVMEM=y
> CONFIG_IO_STRICT_DEVMEM=y
From the lib/Kconfig.debug file, STRICT_DEVMEM depends on MMU && DEVMEM,
and IO_STRICT_DEVMEM depends on STRICT_DEVMEM.
In Linux commit https://github.com/torvalds/linux/commit/045f6d7942be248fbda6e85b2393f2735695ed39
some messed up configurations were fixed and for kernels > 5.6,
when DEVMEM "is not set", STRICT_DEVMEM is shown as "is not set"
in the kernel config file. This brings a false positive error
message for kernels >= 5.7.
As STRICT_DEVMEM and IO_STRICT_DEVMEM are not set when DEVMEM
"is not set", let's remove them from KCC.
[1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
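
The false positive described in the message above, as an added example (not KCC's code; the commit itself simply removes the two checks): a dependency-aware check that reports N/A for an option whose dependencies are disabled. The dependency table comes from the message; the function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample of a >= 5.7 .config in which DEVMEM is disabled.
SAMPLE_CONFIG = """\
CONFIG_MMU=y
# CONFIG_DEVMEM is not set
# CONFIG_STRICT_DEVMEM is not set
"""

# Dependencies as stated in the commit message (lib/Kconfig.debug).
DEPENDS = {"STRICT_DEVMEM": ["MMU", "DEVMEM"],
           "IO_STRICT_DEVMEM": ["STRICT_DEVMEM"]}
MUST_BE_UNSET = ["DEVMEM"]
MUST_BE_SET = ["STRICT_DEVMEM", "IO_STRICT_DEVMEM"]

_LINE = re.compile(r"^(?:CONFIG_(\w+)=(.*)|# CONFIG_(\w+) is not set)$")

def parse_config(text):
    """Map option name -> value; None means 'is not set'."""
    opts = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m and m.group(1):
            opts[m.group(1)] = m.group(2)
        elif m:
            opts[m.group(3)] = None
    return opts

def enabled(opts, name):
    # Options absent from the file count as disabled.
    return opts.get(name) in ("y", "m")

def selectable(opts, name):
    """True if every (transitive) dependency of `name` is enabled."""
    return all(enabled(opts, d) and selectable(opts, d)
               for d in DEPENDS.get(name, []))

def check(text):
    """Return option -> 'OK' | 'FAIL' | 'N/A' (cannot be enabled)."""
    opts = parse_config(text)
    results = {n: "FAIL" if enabled(opts, n) else "OK" for n in MUST_BE_UNSET}
    for name in MUST_BE_SET:
        if enabled(opts, name):
            results[name] = "OK"
        else:
            results[name] = "FAIL" if selectable(opts, name) else "N/A"
    return results
```
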
* --query option didn't work because kconfig is always set to
Kconfig.default(). Fixed by passing must_be_{set,set_or_module,unset}
to Kconfig.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>