- From 0692cf84257a92f7be9553af55d65c668e2b3bc8 Mon Sep 17 00:00:00 2001
- From: Dave Hansen <[email protected]>
- Date: Mon, 4 Dec 2017 15:08:03 +0100
- Subject: [PATCH 214/242] x86/mm/pti: Add Kconfig
- MIME-Version: 1.0
- Content-Type: text/plain; charset=UTF-8
- Content-Transfer-Encoding: 8bit
- CVE-2017-5754
- Finally allow CONFIG_PAGE_TABLE_ISOLATION to be enabled.
- PARAVIRT generally requires that the kernel not manage its own page tables.
- It also means that the hypervisor and kernel must agree wholeheartedly
- about what format the page tables are in and what they contain.
- PAGE_TABLE_ISOLATION, unfortunately, changes the rules and they
- can not be used together.
- I've seen conflicting feedback from maintainers lately about whether they
- want the Kconfig magic to go first or last in a patch series. It's going
- last here because the partially-applied series leads to kernels that can
- not boot in a bunch of cases. I did a run through the entire series with
- CONFIG_PAGE_TABLE_ISOLATION=y to look for build errors, though.
- [ tglx: Removed SMP and !PARAVIRT dependencies as they no longer exist ]
- Signed-off-by: Dave Hansen <[email protected]>
- Signed-off-by: Thomas Gleixner <[email protected]>
- Cc: Andy Lutomirski <[email protected]>
- Cc: Boris Ostrovsky <[email protected]>
- Cc: Borislav Petkov <[email protected]>
- Cc: Brian Gerst <[email protected]>
- Cc: David Laight <[email protected]>
- Cc: Denys Vlasenko <[email protected]>
- Cc: Eduardo Valentin <[email protected]>
- Cc: Greg KH <[email protected]>
- Cc: H. Peter Anvin <[email protected]>
- Cc: Josh Poimboeuf <[email protected]>
- Cc: Juergen Gross <[email protected]>
- Cc: Linus Torvalds <[email protected]>
- Cc: Peter Zijlstra <[email protected]>
- Cc: Will Deacon <[email protected]>
- Cc: [email protected]
- Cc: [email protected]
- Cc: [email protected]
- Cc: [email protected]
- Cc: [email protected]
- Signed-off-by: Ingo Molnar <[email protected]>
- (cherry picked from commit 385ce0ea4c078517fa51c261882c4e72fba53005)
- Signed-off-by: Andy Whitcroft <[email protected]>
- Signed-off-by: Kleber Sacilotto de Souza <[email protected]>
- (cherry picked from commit ce12963b837e809f6ae048587d9377a298c1094d)
- Signed-off-by: Fabian Grünbichler <[email protected]>
- ---
- security/Kconfig | 10 ++++++++++
- 1 file changed, 10 insertions(+)
- diff --git a/security/Kconfig b/security/Kconfig
- index 305b496ff6a3..91cb8f611a0d 100644
- --- a/security/Kconfig
- +++ b/security/Kconfig
- @@ -96,6 +96,16 @@ config SECURITY_NETWORK
- implement socket and networking access controls.
- If you are unsure how to answer this question, answer N.
-
- +config PAGE_TABLE_ISOLATION
- + bool "Remove the kernel mapping in user mode"
- + depends on X86_64 && !UML
- + help
- + This feature reduces the number of hardware side channels by
- + ensuring that the majority of kernel addresses are not mapped
- + into userspace.
- +
- + See Documentation/x86/pagetable-isolation.txt for more details.
- +
- config SECURITY_INFINIBAND
- bool "Infiniband Security Hooks"
- depends on SECURITY && INFINIBAND
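Review bot: the new PAGE_TABLE_ISOLATION entry carries no `default` line, so a freshly generated or `olddefconfig`-updated configuration leaves the CVE-2017-5754 mitigation off unless someone explicitly selects it; consider adding `default y` under the `bool` line so the isolation is on by default and must be deliberately opted out of. The help text is also vaguer than the commit message: "reduces the number of hardware side channels" does not tell a person running `make menuconfig` which issue is being mitigated, so naming the CVE (or the kernel-address-leak it addresses) in the help block would make the trade-off visible at configuration time.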
- --
- 2.14.2