From 75e1ff6b1e2d9cdf0fa1134c21a1e9987ab6b9c8 Mon Sep 17 00:00:00 2001 From: Marian Buschsieweke Date: Sun, 7 Jan 2018 17:19:01 +0100 Subject: main/linux-vanilla: Update 4.9.73 --> 4.9.75 (Fix for Meltdown) This commit updates to kernel version 4.9.75 and enables CONFIG_PAGE_TABLE_ISOLATION for x86, x86_64 and aarch64. For all other architectures, CONFIG_PAGE_TABLE_ISOLATION is disabled. CONFIG_PAGE_TABLE_ISOLATION mitigates the Meltdown security flaw almost all Intel CPUs and some ARM CPUs are suspect to [1,2]. (This patch does not solve the Spectre security threat [2], which affects also non-Intel CPUs [3].) I believe this commit will cause some discussion, especially the following points seem worth discussing: a) CONFIG_PAGE_TABLE_ISOLATION has a performance impact on syscalls, which can slow down specific applications significantly. AMD users might benefit from a kernel without KPTI (unless Meltdown turns out to affect them as well) b) Is disabling this feature a reasonable choice for CPU architectures different from x86, x86_64 and aarch64? [1]: https://meltdownattack.com/#faq-systems-meltdown [2]: http://kroah.com/log/blog/2018/01/06/meltdown-status/ [3]: https://meltdownattack.com/#faq-systems-spectre --- main/linux-vanilla/config-vanilla.aarch64 | 1 + 1 file changed, 1 insertion(+) (limited to 'main/linux-vanilla/config-vanilla.aarch64') diff --git a/main/linux-vanilla/config-vanilla.aarch64 b/main/linux-vanilla/config-vanilla.aarch64 index cef31f02d9..32345b96cb 100644 --- a/main/linux-vanilla/config-vanilla.aarch64 +++ b/main/linux-vanilla/config-vanilla.aarch64 @@ -6752,6 +6752,7 @@ CONFIG_ENCRYPTED_KEYS=m CONFIG_KEY_DH_OPERATIONS=y # CONFIG_SECURITY_DMESG_RESTRICT is not set CONFIG_SECURITY=y +CONFIG_PAGE_TABLE_ISOLATION=y CONFIG_SECURITYFS=y # CONFIG_SECURITY_NETWORK is not set # CONFIG_SECURITY_PATH is not set -- cgit v1.2.3
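Review bot: The added `CONFIG_PAGE_TABLE_ISOLATION=y` in config-vanilla.aarch64, placed between `CONFIG_SECURITY=y` and `CONFIG_SECURITYFS=y`, needs to be checked against the 4.9.75 Kconfig for arm64 before the commit message claims a Meltdown mitigation on aarch64. If the symbol is not selectable for this architecture in 4.9.75, the kernel configuration step will silently drop the line and the built kernel will have no page table isolation, whatever the config file and the message say. Please run this config through `make ARCH=arm64 oldconfig` and confirm the option survives in the resulting .config. If it does not, remove the line here and say in the commit message that aarch64 is not mitigated by this version. This view is limited to the one aarch64 file, so the x86 and x86_64 enablement and the disabled setting for the other architectures that the message describes cannot be checked from this hunk.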