Boot Linux faster!

Check our new training course

Boot Linux faster!

Check our new training course
and Creative Commons CC-BY-SA
lecture and lab materials

Bootlin logo

Elixir Cross Referencer

# IA32-specific X86 subarchitecture options

# Copyright (c) 2019 Intel Corp.
# SPDX-License-Identifier: Apache-2.0

if !X86_64

config NESTED_INTERRUPTS
	bool "Enable nested interrupts"
	default y
	help
	  This option enables support for nested interrupts.

menu "Memory Layout Options"

config IDT_NUM_VECTORS
	int "Number of IDT vectors"
	default 256
	range 32 256
	help
	  This option specifies the number of interrupt vector entries in the
	  Interrupt Descriptor Table (IDT). By default all 256 vectors are
	  supported in an IDT requiring 2048 bytes of memory.

config SET_GDT
	bool "Setup GDT as part of boot process"
	default y
	help
	  This option sets up the GDT as part of the boot process. However,
	  this may conflict with some security scenarios where the GDT is
	  already appropriately set by an earlier bootloader stage, in which
	  case this should be disabled. If disabled, the global _gdt pointer
	  will not be available.

config GDT_DYNAMIC
	bool "Store GDT in RAM so that it can be modified"
	depends on SET_GDT
	help
	  This option stores the GDT in RAM instead of ROM, so that it may
	  be modified at runtime at the expense of some memory.

endmenu

config DISABLE_SSBD
	bool "Disable Speculative Store Bypass"
	depends on USERSPACE
	default y if !X86_NO_SPECTRE_V4
	help
	  This option will disable Speculative Store Bypass in order to
	  mitigate against certain kinds of side channel attacks.  Quoting
	  the "Speculative Execution Side Channels" document, version 2.0:

	      When SSBD is set, loads will not execute speculatively
	      until the addresses of all older stores are known.  This
	      ensure s that a load does not speculatively consume stale
	      data values due to bypassing an older store on the same
	      logical processor.

	  If enabled, this applies to all threads in the system.

	  Even if enabled, will have no effect on CPUs that do not
	  require this feature.

config ENABLE_EXTENDED_IBRS
	bool "Enable Extended IBRS"
	depends on USERSPACE
	default y if !X86_NO_SPECTRE_V2
	help
	  This option will enable the Extended Indirect Branch Restricted
	  Speculation 'always on' feature. This mitigates Indirect Branch
	  Control vulnerabilities (aka Spectre V2).

config X86_RETPOLINE
	bool "Build with retpolines enabled in x86 assembly code"
	depends on USERSPACE
	help
	  This is recommended on platforms with speculative executions, to
	  protect against branch target injection (AKA Spectre-V2).  Full
	  description of how retpolines work can be found here[1].

	  [1] https://support.google.com/faqs/answer/7625886

config X86_BOUNDS_CHECK_BYPASS_MITIGATION
	bool
	depends on USERSPACE
	default y if !X86_NO_SPECTRE_V1
	select BOUNDS_CHECK_BYPASS_MITIGATION
	help
	  Hidden config to select arch-independent option to enable
	  Spectre V1 mitigations by default if the CPU is not known
	  to be immune to it.

menu "Processor Capabilities"

config X86_ENABLE_TSS
	bool
	help
	  This hidden option enables defining a Task State Segment (TSS) for
	  kernel execution. This is needed to handle double-faults or
	  do privilege elevation. It also defines a special TSS and handler
	  for correctly handling double-fault exceptions, instead of just
	  letting the system triple-fault and reset.

config X86_STACK_PROTECTION
	bool
	default y if HW_STACK_PROTECTION
	select SET_GDT
	select GDT_DYNAMIC
	select X86_ENABLE_TSS
	help
	  This option leverages the MMU to cause a system fatal error if the
	  bounds of the current process stack are overflowed. This is done
	  by preceding all stack areas with a 4K guard page.

config X86_USERSPACE
	bool
	default y if USERSPACE
	select THREAD_STACK_INFO
	select SET_GDT
	select GDT_DYNAMIC
	select X86_ENABLE_TSS
	help
	  This option enables APIs to drop a thread's privileges down to ring 3,
	  supporting user-level threads that are protected from each other and
	  from crashing the kernel.

config X86_KPTI
	bool "Enable kernel page table isolation"
	default y
	depends on USERSPACE
	depends on !X86_NO_MELTDOWN
	help
	  Implements kernel page table isolation to mitigate Meltdown exploits
	  to read Kernel RAM. Incurs a significant performance cost for
	  user thread interrupts and system calls, and significant footprint
	  increase for additional page tables and trampoline stacks.

menu "Architecture Floating Point Options"
depends on CPU_HAS_FPU

config SSE
	bool "SSE registers"
	depends on FLOAT
	help
	  This option enables the use of SSE registers by threads.

config SSE_FP_MATH
	bool "Compiler-generated SSEx instructions"
	depends on SSE
	help
	  This option allows the compiler to generate SSEx instructions for
	  performing floating point math. This can greatly improve performance
	  when exactly the same operations are to be performed on multiple
	  data objects; however, it can also significantly reduce performance
	  when preemptive task switches occur because of the larger register
	  set that must be saved and restored.

	  Disabling this option means that the compiler utilizes only the
	  x87 instruction set for floating point operations.

config EAGER_FP_SHARING
	bool
	depends on FLOAT
	depends on USERSPACE
	default y if !X86_NO_LAZY_FP
	help
	  This hidden option unconditionally saves/restores the FPU/SIMD
	  register state on every context switch.

	  Mitigates CVE-2018-3665, but incurs a performance hit.

	  For vulnerable systems that process sensitive information in the
	  FPU register set, should be used any time CONFIG_FLOAT is
	  enabled, regardless if the FPU is used by one thread or multiple.

config LAZY_FP_SHARING
	bool
	depends on FLOAT
	depends on !EAGER_FP_SHARING
	depends on FP_SHARING
	default y if X86_NO_LAZY_FP || !USERSPACE
	help
	  This hidden option allows multiple threads to use the floating point
	  registers, using logic to lazily save/restore the floating point
	  register state on context switch.

	  On Intel Core processors, may be vulnerable to exploits which allows
	  malware to read the contents of all floating point registers, see
	  CVE-2018-3665.

endmenu

config CACHE_LINE_SIZE_DETECT
	bool "Detect cache line size at runtime"
	default y
	help
	  This option enables querying the CPUID register for finding the cache line
	  size at the expense of taking more memory and code and a slightly increased
	  boot time.

	  If the CPU's cache line size is known in advance, disable this option and
	  manually enter the value for CACHE_LINE_SIZE.

config CACHE_LINE_SIZE
	int "Cache line size" if !CACHE_LINE_SIZE_DETECT
	default 64 if CPU_ATOM
	default 0
	help
	  Size in bytes of a CPU cache line.

	  Detect automatically at runtime by selecting CACHE_LINE_SIZE_DETECT.

config CLFLUSH_INSTRUCTION_SUPPORTED
	bool "CLFLUSH instruction supported"
	depends on !CLFLUSH_DETECT && CACHE_FLUSHING
	help
	  An implementation of sys_cache_flush() that uses CLFLUSH is made
	  available, instead of the one using WBINVD.

	  This option should only be enabled if it is known in advance that the
	  CPU supports the CLFLUSH instruction. It disables runtime detection of
	  CLFLUSH support thereby reducing both memory footprint and boot time.

config CLFLUSH_DETECT
	bool "Detect support of CLFLUSH instruction at runtime"
	depends on CACHE_FLUSHING
	help
	  This option should be enabled if it is not known in advance whether the
	  CPU supports the CLFLUSH instruction or not.

	  The CPU is queried at boot time to determine which of the multiple
	  implementations of sys_cache_flush() linked into the image is the
	  correct one to use.

	  If the CPU's support (or lack thereof) of CLFLUSH is known in advance, then
	  disable this option and set CLFLUSH_INSTRUCTION_SUPPORTED as appropriate.

config ARCH_CACHE_FLUSH_DETECT
	bool
	default y
	depends on CLFLUSH_DETECT

config CACHE_FLUSHING
	bool "Enable cache flushing mechanism"
	help
	  This links in the sys_cache_flush() function. A mechanism for flushing the
	  cache must be selected as well. By default, that mechanism is discovered at
	  runtime.

config X86_KERNEL_OOPS
	bool "Enable handling of kernel oops as an exception"
	default y
	help
	  Enable handling of k_oops() API as a CPU exception, which will provide
	  extra debugging information such as program counter and register
	  values when the oops is triggered. Requires an entry in the IDT.

config X86_KERNEL_OOPS_VECTOR
	int "IDT vector to use for kernel oops"
	default 33
	range 32 255
	depends on X86_KERNEL_OOPS
	help
	  Specify the IDT vector to use for the kernel oops exception handler.

config X86_DYNAMIC_IRQ_STUBS
	int "Number of dynamic interrupt stubs"
	depends on DYNAMIC_INTERRUPTS
	default 4
	help
	  Installing interrupt handlers with irq_connect_dynamic() requires
	  some stub code to be generated at build time, one stub per dynamic
	  interrupt.

endmenu

endif # !X86_64