On Mon, Dec 4, 2017 at 6:08 AM, Thomas Gleixner <[email protected]> wrote:
> From: Dave Hansen <[email protected]>
>
> Finally allow CONFIG_KERNEL_PAGE_TABLE_ISOLATION to be enabled.
>
> PARAVIRT generally requires that the kernel not manage its own page tables.
> It also means that the hypervisor and kernel must agree wholeheartedly
> about what format the page tables are in and what they contain.
> KERNEL_PAGE_TABLE_ISOLATION, unfortunately, changes the rules and they
> can not be used together.
>
> I've seen conflicting feedback from maintainers lately about whether they
> want the Kconfig magic to go first or last in a patch series. It's going
> last here because the partially-applied series leads to kernels that can
> not boot in a bunch of cases. I did a run through the entire series with
> CONFIG_KERNEL_PAGE_TABLE_ISOLATION=y to look for build errors, though.
>
> [ tglx: Removed SMP and !PARAVIRT dependencies as they no longer exist ]
>
> Signed-off-by: Dave Hansen <[email protected]>
> Signed-off-by: Ingo Molnar <[email protected]>
> Signed-off-by: Thomas Gleixner <[email protected]>
> Cc: Rik van Riel <[email protected]>
> Cc: [email protected]
> Cc: Denys Vlasenko <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> Cc: Peter Zijlstra <[email protected]>
> Cc: Brian Gerst <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> Cc: Borislav Petkov <[email protected]>
> Cc: Andy Lutomirski <[email protected]>
> Cc: Josh Poimboeuf <[email protected]>
> Cc: [email protected]
> Cc: Linus Torvalds <[email protected]>
> Cc: [email protected]
> Link: https://lkml.kernel.org/r/[email protected]
>
> ---
> security/Kconfig | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -54,6 +54,16 @@ config SECURITY_NETWORK > implement socket and networking access controls. > If you are unsure how to answer this question, answer N. > > +config KERNEL_PAGE_TABLE_ISOLATION > + bool "Remove the kernel mapping in user mode" > + depends on X86_64 && JUMP_LABEL
select JUMP_LABEL perhaps? > + help > + This feature reduces the number of hardware side channels by > + ensuring that the majority of kernel addresses are not mapped > + into userspace. > + > + See Documentation/x86/pagetable-isolation.txt for more details. > + > config SECURITY_INFINIBAND > bool "Infiniband Security Hooks" > depends on SECURITY && INFINIBAND > >
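Review bot: `depends on X86_64 && JUMP_LABEL` hides the new option entirely on any config where JUMP_LABEL has not already been switched on, and with no `default` line the mitigation stays off unless a user finds and enables it by hand; if the intent is to make it available wherever it can work, `select JUMP_LABEL` (as suggested above) is the usual Kconfig idiom, with the caveat that `select` ignores the selected symbol's own dependencies, so it is only safe if X86_64 already guarantees JUMP_LABEL's prerequisites. The commit message also needs a refresh: its second paragraph still states that PARAVIRT and KERNEL_PAGE_TABLE_ISOLATION cannot be used together, yet the tglx note says the !PARAVIRT dependency was removed and the hunk carries no such dependency, so that paragraph now contradicts the change it describes. Finally, the help text names only the benefit, so a user deciding in menuconfig has nothing to weigh it against; a sentence on when enabling it is and is not appropriate, or a pointer to the relevant part of Documentation/x86/pagetable-isolation.txt, would help.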

