# IA32-specific X86 subarchitecture options

# Copyright (c) 2019 Intel Corp.
# SPDX-License-Identifier: Apache-2.0

if !X86_64

config NESTED_INTERRUPTS
	bool "Enable nested interrupts"
	default y
	help
	  This option enables support for nested interrupts.

menu "Memory Layout Options"

config IDT_NUM_VECTORS
	int "Number of IDT vectors"
	default 256
	range 32 256
	help
	  This option specifies the number of interrupt vector entries in the
	  Interrupt Descriptor Table (IDT). By default all 256 vectors are
	  supported in an IDT requiring 2048 bytes of memory.

config SET_GDT
	bool "Setup GDT as part of boot process"
	default y
	help
	  This option sets up the GDT as part of the boot process. However,
	  this may conflict with some security scenarios where the GDT is
	  already appropriately set by an earlier bootloader stage, in which
	  case this should be disabled. If disabled, the global _gdt pointer
	  will not be available.

config GDT_DYNAMIC
	bool "Store GDT in RAM so that it can be modified"
	depends on SET_GDT
	help
	  This option stores the GDT in RAM instead of ROM, so that it may be
	  modified at runtime at the expense of some memory.

endmenu

config DISABLE_SSBD
	bool "Disable Speculative Store Bypass"
	depends on USERSPACE
	default y if !X86_NO_SPECTRE_V4
	help
	  This option will disable Speculative Store Bypass in order to
	  mitigate against certain kinds of side channel attacks. Quoting
	  the "Speculative Execution Side Channels" document, version 2.0:

	      When SSBD is set, loads will not execute speculatively
	      until the addresses of all older stores are known. This
	      ensures that a load does not speculatively consume stale
	      data values due to bypassing an older store on the same
	      logical processor.

	  If enabled, this applies to all threads in the system. Even if
	  enabled, it will have no effect on CPUs that do not require this
	  feature.

config ENABLE_EXTENDED_IBRS
	bool "Enable Extended IBRS"
	depends on USERSPACE
	default y if !X86_NO_SPECTRE_V2
	help
	  This option will enable the Extended Indirect Branch Restricted
	  Speculation 'always on' feature. This mitigates Indirect Branch
	  Control vulnerabilities (aka Spectre V2).

config X86_RETPOLINE
	bool "Build with retpolines enabled in x86 assembly code"
	depends on USERSPACE
	help
	  This is recommended on platforms with speculative execution, to
	  protect against branch target injection (AKA Spectre-V2). A full
	  description of how retpolines work can be found here[1].

	  [1] https://support.google.com/faqs/answer/7625886

config X86_BOUNDS_CHECK_BYPASS_MITIGATION
	bool
	depends on USERSPACE
	default y if !X86_NO_SPECTRE_V1
	select BOUNDS_CHECK_BYPASS_MITIGATION
	help
	  Hidden config to select the arch-independent option that enables
	  Spectre V1 mitigations by default if the CPU is not known to be
	  immune to it.

menu "Processor Capabilities"

config X86_ENABLE_TSS
	bool
	help
	  This hidden option enables defining a Task State Segment (TSS) for
	  kernel execution. This is needed to handle double-faults or do
	  privilege elevation. It also defines a special TSS and handler for
	  correctly handling double-fault exceptions, instead of just letting
	  the system triple-fault and reset.

config X86_STACK_PROTECTION
	bool
	default y if HW_STACK_PROTECTION
	select SET_GDT
	select GDT_DYNAMIC
	select X86_ENABLE_TSS
	help
	  This option leverages the MMU to cause a system fatal error if the
	  bounds of the current process stack are overflowed. This is done
	  by preceding all stack areas with a 4K guard page.

config X86_USERSPACE
	bool
	default y if USERSPACE
	select THREAD_STACK_INFO
	select SET_GDT
	select GDT_DYNAMIC
	select X86_ENABLE_TSS
	help
	  This option enables APIs to drop a thread's privileges down to ring
	  3, supporting user-level threads that are protected from each other
	  and from crashing the kernel.

config X86_KPTI
	bool "Enable kernel page table isolation"
	default y
	depends on USERSPACE
	depends on !X86_NO_MELTDOWN
	help
	  Implements kernel page table isolation to mitigate Meltdown exploits
	  that read kernel RAM. Incurs a significant performance cost for user
	  thread interrupts and system calls, and a significant footprint
	  increase for additional page tables and trampoline stacks.

menu "Architecture Floating Point Options"
	depends on CPU_HAS_FPU

config SSE
	bool "SSE registers"
	depends on FLOAT
	help
	  This option enables the use of SSE registers by threads.

config SSE_FP_MATH
	bool "Compiler-generated SSEx instructions"
	depends on SSE
	help
	  This option allows the compiler to generate SSEx instructions for
	  performing floating point math. This can greatly improve performance
	  when exactly the same operations are to be performed on multiple
	  data objects; however, it can also significantly reduce performance
	  when preemptive task switches occur because of the larger register
	  set that must be saved and restored. Disabling this option means
	  that the compiler utilizes only the x87 instruction set for floating
	  point operations.

config EAGER_FP_SHARING
	bool
	depends on FLOAT
	depends on USERSPACE
	default y if !X86_NO_LAZY_FP
	help
	  This hidden option unconditionally saves/restores the FPU/SIMD
	  register state on every context switch. Mitigates CVE-2018-3665,
	  but incurs a performance hit. For vulnerable systems that process
	  sensitive information in the FPU register set, it should be used any
	  time CONFIG_FLOAT is enabled, regardless of whether the FPU is used
	  by one thread or multiple.

config LAZY_FP_SHARING
	bool
	depends on FLOAT
	depends on !EAGER_FP_SHARING
	depends on FP_SHARING
	default y if X86_NO_LAZY_FP || !USERSPACE
	help
	  This hidden option allows multiple threads to use the floating point
	  registers, using logic to lazily save/restore the floating point
	  register state on context switch. On Intel Core processors, this may
	  be vulnerable to exploits which allow malware to read the contents of
	  all floating point registers, see CVE-2018-3665.

endmenu

config CACHE_LINE_SIZE_DETECT
	bool "Detect cache line size at runtime"
	default y
	help
	  This option enables querying the CPUID register for finding the
	  cache line size at the expense of taking more memory and code and a
	  slightly increased boot time. If the CPU's cache line size is known
	  in advance, disable this option and manually enter the value for
	  CACHE_LINE_SIZE.

config CACHE_LINE_SIZE
	int "Cache line size" if !CACHE_LINE_SIZE_DETECT
	default 64 if CPU_ATOM
	default 0
	help
	  Size in bytes of a CPU cache line. Detect automatically at runtime
	  by selecting CACHE_LINE_SIZE_DETECT.

config CLFLUSH_INSTRUCTION_SUPPORTED
	bool "CLFLUSH instruction supported"
	depends on !CLFLUSH_DETECT && CACHE_FLUSHING
	help
	  An implementation of sys_cache_flush() that uses CLFLUSH is made
	  available, instead of the one using WBINVD. This option should only
	  be enabled if it is known in advance that the CPU supports the
	  CLFLUSH instruction. It disables runtime detection of CLFLUSH
	  support, thereby reducing both memory footprint and boot time.

config CLFLUSH_DETECT
	bool "Detect support of CLFLUSH instruction at runtime"
	depends on CACHE_FLUSHING
	help
	  This option should be enabled if it is not known in advance whether
	  the CPU supports the CLFLUSH instruction or not. The CPU is queried
	  at boot time to determine which of the multiple implementations of
	  sys_cache_flush() linked into the image is the correct one to use.
	  If the CPU's support (or lack thereof) of CLFLUSH is known in
	  advance, then disable this option and set
	  CLFLUSH_INSTRUCTION_SUPPORTED as appropriate.

config ARCH_CACHE_FLUSH_DETECT
	bool
	default y
	depends on CLFLUSH_DETECT

config CACHE_FLUSHING
	bool "Enable cache flushing mechanism"
	help
	  This links in the sys_cache_flush() function. A mechanism for
	  flushing the cache must be selected as well. By default, that
	  mechanism is discovered at runtime.

config X86_KERNEL_OOPS
	bool "Enable handling of kernel oops as an exception"
	default y
	help
	  Enable handling of the k_oops() API as a CPU exception, which will
	  provide extra debugging information such as program counter and
	  register values when the oops is triggered. Requires an entry in the
	  IDT.

config X86_KERNEL_OOPS_VECTOR
	int "IDT vector to use for kernel oops"
	default 33
	range 32 255
	depends on X86_KERNEL_OOPS
	help
	  Specify the IDT vector to use for the kernel oops exception handler.

config X86_DYNAMIC_IRQ_STUBS
	int "Number of dynamic interrupt stubs"
	depends on DYNAMIC_INTERRUPTS
	default 4
	help
	  Installing interrupt handlers with irq_connect_dynamic() requires
	  some stub code to be generated at build time, one stub per dynamic
	  interrupt.

endmenu

endif # !X86_64
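As an added example (not part of Zephyr or this Kconfig), the script below audits a Zephyr-style .config against the mitigation options defined above: it reports an option as missing only when it is off, its USERSPACE/FLOAT dependencies are met, and the SoC has not declared the CPU immune through the matching X86_NO_* symbol, mirroring the `default y if !X86_NO_...` logic. The .config text is constructed for the demonstration.

```python
import re
# Option, symbol declaring the CPU immune, extra dependency, threat; names from the Kconfig above.
MITIGATIONS = [
    ("CONFIG_DISABLE_SSBD", "CONFIG_X86_NO_SPECTRE_V4", None, "Speculative Store Bypass"),
    ("CONFIG_ENABLE_EXTENDED_IBRS", "CONFIG_X86_NO_SPECTRE_V2", None, "Spectre V2 (IBRS)"),
    ("CONFIG_X86_RETPOLINE", "CONFIG_X86_NO_SPECTRE_V2", None, "Spectre V2 (retpoline)"),
    ("CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION", "CONFIG_X86_NO_SPECTRE_V1", None, "Spectre V1"),
    ("CONFIG_X86_KPTI", "CONFIG_X86_NO_MELTDOWN", None, "Meltdown"),
    ("CONFIG_EAGER_FP_SHARING", "CONFIG_X86_NO_LAZY_FP", "CONFIG_FLOAT", "CVE-2018-3665"),
]
SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_dotconfig(text):
    """Map CONFIG_* symbols to values; '# ... is not set' lines become 'n'."""
    cfg = {}
    for line in text.splitlines():
        if m := SET_RE.match(line.strip()):
            cfg[m.group(1)] = m.group(2).strip('"')
        elif m := UNSET_RE.match(line.strip()):
            cfg[m.group(1)] = "n"
    return cfg

def audit(cfg):
    """List mitigations that are off although the CPU is not declared immune."""
    if cfg.get("CONFIG_USERSPACE") != "y":  # every option above depends on USERSPACE
        return [("CONFIG_USERSPACE", "all x86 mitigations depend on it")]
    findings = []
    for opt, immune, needs, threat in MITIGATIONS:
        if cfg.get(immune) == "y":
            continue  # SoC declares the CPU immune; the Kconfig defaults the option to n
        if needs and cfg.get(needs) != "y":
            continue  # dependency off, e.g. no FPU state to protect without FLOAT
        if cfg.get(opt) != "y":
            findings.append((opt, threat))
    return findings

SAMPLE_DOTCONFIG = """\
CONFIG_USERSPACE=y
CONFIG_FLOAT=y
CONFIG_DISABLE_SSBD=y
# CONFIG_ENABLE_EXTENDED_IBRS is not set
CONFIG_X86_RETPOLINE=y
CONFIG_X86_BOUNDS_CHECK_BYPASS_MITIGATION=y
CONFIG_X86_NO_MELTDOWN=y
# CONFIG_X86_KPTI is not set
# CONFIG_EAGER_FP_SHARING is not set
"""  # constructed sample, not real build output
if __name__ == "__main__":
    for opt, threat in audit(parse_dotconfig(SAMPLE_DOTCONFIG)):
        print(f"{opt} is off: no mitigation for {threat}")
```

With the sample, KPTI being off is accepted because X86_NO_MELTDOWN is set, while the missing IBRS and eager FP save/restore are reported.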