On Mon, Dec 4, 2017 at 6:08 AM, Thomas Gleixner <tglx@xxxxxxxxxxxxx> wrote:
> From: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
>
> Finally allow CONFIG_KERNEL_PAGE_TABLE_ISOLATION to be enabled.
>
> PARAVIRT generally requires that the kernel not manage its own page tables.
> It also means that the hypervisor and kernel must agree wholeheartedly
> about what format the page tables are in and what they contain.
> KERNEL_PAGE_TABLE_ISOLATION, unfortunately, changes the rules and they
> can not be used together.
>
> I've seen conflicting feedback from maintainers lately about whether they
> want the Kconfig magic to go first or last in a patch series. It's going
> last here because the partially-applied series leads to kernels that can
> not boot in a bunch of cases. I did a run through the entire series with
> CONFIG_KERNEL_PAGE_TABLE_ISOLATION=y to look for build errors, though.
>
> [ tglx: Removed SMP and !PARAVIRT dependencies as they no longer exist ]
>
> Signed-off-by: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
> Signed-off-by: Ingo Molnar <mingo@xxxxxxxxxx>
> Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
> Cc: Rik van Riel <riel@xxxxxxxxxx>
> Cc: keescook@xxxxxxxxxx
> Cc: Denys Vlasenko <dvlasenk@xxxxxxxxxx>
> Cc: moritz.lipp@xxxxxxxxxxxxxx
> Cc: linux-mm@xxxxxxxxx
> Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
> Cc: Brian Gerst <brgerst@xxxxxxxxx>
> Cc: hughd@xxxxxxxxxx
> Cc: daniel.gruss@xxxxxxxxxxxxxx
> Cc: Borislav Petkov <bp@xxxxxxxxx>
> Cc: Andy Lutomirski <luto@xxxxxxxxxx>
> Cc: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
> Cc: michael.schwarz@xxxxxxxxxxxxxx
> Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> Cc: richard.fellner@xxxxxxxxxxxxxxxxx
> Link: https://lkml.kernel.org/r/20171123003524.88C90659@xxxxxxxxxxxxxxxxxx
>
> ---
>  security/Kconfig | 10 ++++++++++
>  1 file changed, 10 insertions(+)
>
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -54,6 +54,16 @@ config SECURITY_NETWORK
>  	  implement socket and networking access controls.
>  	  If you are unsure how to answer this question, answer N.
>
> +config KERNEL_PAGE_TABLE_ISOLATION
> +	bool "Remove the kernel mapping in user mode"
> +	depends on X86_64 && JUMP_LABEL

select JUMP_LABEL perhaps?

> +	help
> +	  This feature reduces the number of hardware side channels by
> +	  ensuring that the majority of kernel addresses are not mapped
> +	  into userspace.
> +
> +	  See Documentation/x86/pagetable-isolation.txt for more details.
> +
>  config SECURITY_INFINIBAND
>  	bool "Infiniband Security Hooks"
>  	depends on SECURITY && INFINIBAND
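Review bot: the commit message is now out of step with the Kconfig hunk: the second paragraph still says PARAVIRT and KERNEL_PAGE_TABLE_ISOLATION "can not be used together", yet the tglx note records that the !PARAVIRT dependency was dropped and the new `depends on X86_64 && JUMP_LABEL` line carries no PARAVIRT term at all, so either the paragraph should be reworded to describe the current state or the restriction should be kept in the Kconfig. On the dependency itself, `depends on ... JUMP_LABEL` makes the isolation option silently disappear from the menu whenever JUMP_LABEL happens to be off, which is easy to miss on a hardened config; if JUMP_LABEL is only needed as infrastructure for the static-key switch, `select JUMP_LABEL` (as suggested inline) keeps the option visible and pulls the prerequisite in automatically. The help text could also name the class of side channel this mitigates, since "reduces the number of hardware side channels" gives an admin no way to judge whether it is worth the cost.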