Re: [patch V2 5/5] x86/kaiser: Add boottime disable switch

From: Dave Hansen
Date: Mon Nov 27 2017 - 13:23:00 EST

Next message: Eric Biggers: "Re: lib/mpi: call cond_resched() from mpi_powm() loop"
Previous message: Gustavo A. R. Silva: "[PATCH] rxrpc: sendmsg: Fix variable overwrite in rxrpc_queue_packet"
In reply to: Peter Zijlstra: "Re: [patch V2 5/5] x86/kaiser: Add boottime disable switch"
Next in thread: Thomas Gleixner: "Re: [patch V2 5/5] x86/kaiser: Add boottime disable switch"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 11/26/2017 03:14 PM, Thomas Gleixner wrote:
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -56,7 +56,7 @@ config SECURITY_NETWORK
>
> config KAISER
> bool "Remove the kernel mapping in user mode"
> - depends on X86_64 && SMP && !PARAVIRT
> + depends on X86_64 && SMP && !PARAVIRT && JUMP_LABEL
> help
> This feature reduces the number of hardware side channels by
> ensuring that the majority of kernel addresses are not mapped

One of the reasons for doing the runtime-disable was to get rid of the
!PARAVIRT dependency. I can add a follow-on here that will act as if we
did "nokaiser" whenever Xen is in play so we can remove this dependency.

I just hope Xen is detectable early enough to do the static patching.

Next message: Eric Biggers: "Re: lib/mpi: call cond_resched() from mpi_powm() loop"
Previous message: Gustavo A. R. Silva: "[PATCH] rxrpc: sendmsg: Fix variable overwrite in rxrpc_queue_packet"
In reply to: Peter Zijlstra: "Re: [patch V2 5/5] x86/kaiser: Add boottime disable switch"
Next in thread: Thomas Gleixner: "Re: [patch V2 5/5] x86/kaiser: Add boottime disable switch"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]