- 13 Oct, 2022 1 commit
Alexander Popov authored
- 12 Oct, 2022 1 commit
Alexander Popov authored
- 09 Oct, 2022 9 commits
Alexander Popov authored
Alexander Popov authored
Clip OS description: it "will eventually be n".
Alexander Popov authored
Alexander Popov authored
RANDOM_TRUST_BOOTLOADER and RANDOM_TRUST_CPU should be disabled if HW_RANDOM_TPM is enabled. The Clip OS description: Do not credit entropy included in Linux’s entropy pool when generated by the CPU manufacturer’s HWRNG, the bootloader or the UEFI firmware. Fast and robust initialization of Linux’s CSPRNG is instead achieved thanks to the TPM’s HWRNG.
Alexander Popov authored
Disabling COREDUMP is needed for cutting userspace attack surface.
Alexander Popov authored
Alexander Popov authored
These options are enabled by default.
Alexander Popov authored
Alexander Popov authored
- 07 Oct, 2022 1 commit
Alexander Popov authored
- 02 Oct, 2022 8 commits
Alexander Popov authored
Alexander Popov authored
KASLR is enabled by default.
Alexander Popov authored
Don't normalize this cmdline option.
Alexander Popov authored
Alexander Popov authored
SMEP and SMAP are enabled by default.
Alexander Popov authored
Alexander Popov authored
Alexander Popov authored
- 24 Sep, 2022 2 commits
Alexander Popov authored
Explanations from the Linux kernel commit 6a6155f664e31c9be43cd: When the kernel is compiled with Clang, -fsanitize=bounds expands to -fsanitize=array-bounds and -fsanitize=local-bounds. Enabling -fsanitize=local-bounds with Clang has the side-effect of inserting traps. That's why UBSAN_LOCAL_BOUNDS can enable the 'local-bounds' option only when UBSAN_TRAP is enabled.
Alexander Popov authored
- 18 Sep, 2022 1 commit
Android Open Source Project (AOSP): https://source.android.com/docs/setup/build/building-kernels Android Generic Kernel Image (GKI): https://source.android.com/docs/core/architecture/kernel/gki-release-builds Also add the GKI config `android13-5.10`. Thanks to @h0t for the idea.
Alexander Popov authored
- 02 Sep, 2022 9 commits
Alexander Popov authored
Alexander Popov authored
Alexander Popov authored
This script is still waiting for fixes from NixOS folks: Issue #63 PR #64
Alexander Popov authored
Refers to the issue #71
Alexander Popov authored
Alexander Popov authored
Refers to the issue #71
Alexander Popov authored
Alexander Popov authored
Alexander Popov authored
- 23 Aug, 2022 1 commit
Alexander Popov authored
- 20 Aug, 2022 5 commits
The current result on arm64_full_hardened_5.17_clang.config (clang 12):

[+] Special report mode: show_fail
[+] Kconfig file to check: my/arm64_full_hardened_5.17_clang.config
[+] Detected architecture: ARM64
[+] Detected kernel version: 5.17
=========================================================================================================================
option name | type |desired val | decision | reason | check result
=========================================================================================================================
CONFIG_GCC_PLUGINS |kconfig| y |defconfig | self_protection | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_STACKPROTECTOR_PER_TASK |kconfig| y |defconfig | self_protection | FAIL: not found
CONFIG_FORTIFY_SOURCE |kconfig| y | kspp | self_protection | FAIL: not found
CONFIG_GCC_PLUGIN_LATENT_ENTROPY |kconfig| y | kspp | self_protection | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_ZERO_CALL_USED_REGS |kconfig| y | kspp | self_protection | FAIL: not found
CONFIG_GCC_PLUGIN_RANDSTRUCT |kconfig| y | kspp | self_protection | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_GCC_PLUGIN_STACKLEAK |kconfig| y | kspp | self_protection | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE|kconfig| is not set | clipos | self_protection | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_STACKLEAK_METRICS |kconfig| is not set | clipos | self_protection | FAIL: CONFIG_CC_IS_GCC not "y"
CONFIG_STACKLEAK_RUNTIME_DISABLE |kconfig| is not set | clipos | self_protection | FAIL: CONFIG_CC_IS_GCC not "y"

CONFIG_STACKPROTECTOR_PER_TASK, CONFIG_FORTIFY_SOURCE and CONFIG_ZERO_CALL_USED_REGS will be supported for clang in future (WIP).
Alexander Popov authored
Alexander Popov authored
Use empty decision and reason for such kind of checks
Alexander Popov authored
Alexander Popov authored
These are very slow debugging features
Alexander Popov authored
- 17 Aug, 2022 2 commits
Don't normalize this option value since the Linux kernel doesn't use kstrtobool() for it.
Alexander Popov authored
Alexander Popov authored