arm64: Add skeleton to harden the branch predictor against aliasing attacks

[mirror_ubuntu-artful-kernel.git] / arch / arm64 / Kconfig

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index b0066730b78618e5d14a3fa880acb089d5416382..809d81914164e430c0898707b899ba4a5634efa7 100644 (file)
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -521,20 +521,13 @@ config CAVIUM_ERRATUM_30115
 config QCOM_FALKOR_ERRATUM_1003
        bool "Falkor E1003: Incorrect translation due to ASID change"
        default y
-       select ARM64_PAN if ARM64_SW_TTBR0_PAN
        help
          On Falkor v1, an incorrect ASID may be cached in the TLB when ASID
-         and BADDR are changed together in TTBRx_EL1. The workaround for this
-         issue is to use a reserved ASID in cpu_do_switch_mm() before
-         switching to the new ASID. Saying Y here selects ARM64_PAN if
-         ARM64_SW_TTBR0_PAN is selected. This is done because implementing and
-         maintaining the E1003 workaround in the software PAN emulation code
-         would be an unnecessary complication. The affected Falkor v1 CPU
-         implements ARMv8.1 hardware PAN support and using hardware PAN
-         support versus software PAN emulation is mutually exclusive at
-         runtime.
-
-         If unsure, say Y.
+         and BADDR are changed together in TTBRx_EL1. Since we keep the ASID
+         in TTBR1_EL1, this situation only occurs in the entry trampoline and
+         then only for entries in the walk cache, since the leaf translation
+         is unchanged. Work around the erratum by invalidating the walk cache
+         entries for the trampoline before entering the kernel proper.
 
 config QCOM_FALKOR_ERRATUM_1009
        bool "Falkor E1009: Prematurely complete a DSB after a TLBI"
@@ -831,6 +824,35 @@ config FORCE_MAX_ZONEORDER
          However for 4K, we choose a higher default value, 11 as opposed to 10, giving us
          4M allocations matching the default size used by generic code.
 
+config UNMAP_KERNEL_AT_EL0
+       bool "Unmap kernel when running in userspace (aka \"KAISER\")" if EXPERT
+       default y
+       help
+         Speculation attacks against some high-performance processors can
+         be used to bypass MMU permission checks and leak kernel data to
+         userspace. This can be defended against by unmapping the kernel
+         when running in userspace, mapping it back in on exception entry
+         via a trampoline page in the vector table.
+
+         If unsure, say Y.
+
+config HARDEN_BRANCH_PREDICTOR
+       bool "Harden the branch predictor against aliasing attacks" if EXPERT
+       default y
+       help
+         Speculation attacks against some high-performance processors rely on
+         being able to manipulate the branch predictor for a victim context by
+         executing aliasing branches in the attacker context.  Such attacks
+         can be partially mitigated against by clearing internal branch
+         predictor state and limiting the prediction logic in some situations.
+
+         This config option will take CPU-specific actions to harden the
+         branch predictor against aliasing attacks and may rely on specific
+         instruction sequences or control bits being set by the system
+         firmware.
+
+         If unsure, say Y.
+
 menuconfig ARMV8_DEPRECATED
        bool "Emulate deprecated/obsolete ARMv8 instructions"
        depends on COMPAT