From 95218c7868047d7075465fb4e112975460acff00 Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Tue, 11 Jun 2024 18:45:49 +0400
Subject: [PATCH] fix: enable PAGE_TABLE_CHECK

Enforced by KSPP:
```
option name | desired val | decision | reason
===========================================================================================
CONFIG_PAGE_TABLE_CHECK | y | kspp | self_protection
CONFIG_PAGE_TABLE_CHECK_ENFORCED | y | kspp | self_protection
```

Signed-off-by: Andrey Smirnov
---
 kernel/build/config-amd64 | 5 +++--
 kernel/build/config-arm64 | 5 +++--
 kernel/build/scripts/filter-hardened-check.py | 1 +
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/kernel/build/config-amd64 b/kernel/build/config-amd64
index 8ef40141f..7e18db1df 100644
--- a/kernel/build/config-amd64
+++ b/kernel/build/config-amd64
@@ -6267,12 +6267,13 @@ CONFIG_HAVE_KCSAN_COMPILER=y
 #
 # Memory Debugging
 #
-# CONFIG_PAGE_EXTENSION is not set
+CONFIG_PAGE_EXTENSION=y
 # CONFIG_DEBUG_PAGEALLOC is not set
 CONFIG_SLUB_DEBUG=y
 # CONFIG_SLUB_DEBUG_ON is not set
 # CONFIG_PAGE_OWNER is not set
-# CONFIG_PAGE_TABLE_CHECK is not set
+CONFIG_PAGE_TABLE_CHECK=y
+CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
 CONFIG_PAGE_POISONING=y
 # CONFIG_DEBUG_PAGE_REF is not set
 # CONFIG_DEBUG_RODATA_TEST is not set
diff --git a/kernel/build/config-arm64 b/kernel/build/config-arm64
index dd5c4c9c0..b2684a169 100644
--- a/kernel/build/config-arm64
+++ b/kernel/build/config-arm64
@@ -8983,12 +8983,13 @@ CONFIG_HAVE_KCSAN_COMPILER=y
 #
 # Memory Debugging
 #
-# CONFIG_PAGE_EXTENSION is not set
+CONFIG_PAGE_EXTENSION=y
 # CONFIG_DEBUG_PAGEALLOC is not set
 CONFIG_SLUB_DEBUG=y
 # CONFIG_SLUB_DEBUG_ON is not set
 # CONFIG_PAGE_OWNER is not set
-# CONFIG_PAGE_TABLE_CHECK is not set
+CONFIG_PAGE_TABLE_CHECK=y
+CONFIG_PAGE_TABLE_CHECK_ENFORCED=y
 CONFIG_PAGE_POISONING=y
 # CONFIG_DEBUG_PAGE_REF is not set
 # CONFIG_DEBUG_RODATA_TEST is not set
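Review bot: `CONFIG_PAGE_TABLE_CHECK_ENFORCED=y` in the config-amd64 hunk (and the identical config-arm64 hunk) makes the check an always-on, fail-stop control, but the commit message records only the KSPP table. As far as I know, the kernel deliberately crashes when page table check detects a violation, and the enforced variant removes the `page_table_check=` boot-parameter opt-out, so a false positive in a driver's mapping path becomes a node panic that operators cannot switch off. `CONFIG_PAGE_EXTENSION=y` also adds a small per-page memory cost. I would add a line to the description such as `Note: violations now panic the kernel and cannot be disabled at boot; PAGE_EXTENSION adds per-page memory overhead.` and confirm that both options survive `olddefconfig` on each architecture.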
diff --git a/kernel/build/scripts/filter-hardened-check.py b/kernel/build/scripts/filter-hardened-check.py index e08e7563e..b13a5d481 100644 --- a/kernel/build/scripts/filter-hardened-check.py +++ b/kernel/build/scripts/filter-hardened-check.py @@ -39,6 +39,7 @@ IGNORE_VIOLATIONS_BY_ARCH = { 'arm64': { 'CONFIG_ARM64_BTI_KERNEL', # can't seem to enable this, probably because we're using gcc, see https://github.com/siderolabs/pkgs/issues/918 + 'CONFIG_UNWIND_PATCH_PAC_INTO_SCS', # this is a Clang feature, we use gcc }, 'amd64': {}, }
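Review bot: The new `'CONFIG_UNWIND_PATCH_PAC_INTO_SCS'` entry suppresses a checker finding for a reason that depends on the build toolchain, yet nothing ties it to that condition, so the suppression would persist unnoticed if the compiler ever changes. The neighbouring `CONFIG_ARM64_BTI_KERNEL` entry links a tracking issue, whereas this one carries only a free-text remark. I would reword the comment to something like `# requires Clang; we build with gcc - remove this entry if the toolchain changes`, and mention the extra ignore in the commit description, which currently covers only PAGE_TABLE_CHECK. How the set is consumed is outside this hunk, so its effect on the check's result is inferred from the name `IGNORE_VIOLATIONS_BY_ARCH`.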