
Commit c907579

graysky2 authored and robimarko committed
x86/64: 6.18: enable recent MITIGATION options
These mitigations are low-overhead, upstream-supported hardening options that only activate on CPUs affected by their respective vulnerabilities. Enabling them provides consistent, defense-in-depth coverage across Intel and AMD systems without impacting unaffected hardware.

Detailed list:

- CONFIG_MITIGATION_SRSO to guard against a known vulnerability found on AMD processors (Zen generations 1-4) for sure, maybe others. This is tracked under CVE-2023-20569.
- CONFIG_MITIGATION_ITS to guard against a bug in the BPU on some Intel CPUs that may allow Spectre V2 style attacks. We never enabled this option (and its dependencies).
- CONFIG_MITIGATION_SRBDS to guard against Special Register Buffer Data Sampling on affected Intel CPUs (CVE-2020-0543), preventing cross-core leakage of RDRAND/RDSEED/EGETKEY values.
- CONFIG_MITIGATION_SLS to guard against Spectre-v4 gadgets on x86 by inserting speculation barriers around RET/JMP/CALL sites when required by CPU/microcode state.
- CONFIG_MITIGATION_CALL_DEPTH_TRACKING to guard against speculative call-stack underflow on x86 by enabling hardware-assisted depth tracking where supported, reducing exposure to RET-based misprediction attacks.
- CONFIG_MITIGATION_UNRET_ENTRY to guard against RET-based speculation attacks on x86 by replacing vulnerable function returns in kernel entry paths with UNRET sequences when required by CPU/microcode state.

Signed-off-by: John Audia <therealgraysky@proton.me>
Link: openwrt/openwrt#21078
Signed-off-by: Robert Marko <robimarko@gmail.com>
1 parent 8a7417e commit c907579

2 files changed

Lines changed: 8 additions & 2 deletions


target/linux/x86/64/config-6.18

Lines changed: 7 additions & 1 deletion
@@ -73,6 +73,7 @@ CONFIG_BLK_MQ_VIRTIO=y
7373
CONFIG_BLK_PM=y
7474
CONFIG_BOOT_VESA_SUPPORT=y
7575
CONFIG_BTT=y
76+
# CONFIG_CALL_THUNKS_DEBUG is not set
7677
CONFIG_CDROM=y
7778
CONFIG_CGROUP_HUGETLB=y
7879
CONFIG_CONNECTOR=y
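Review bot: The new `# CONFIG_CALL_THUNKS_DEBUG is not set` line is not explained anywhere in the commit message, which lists only the six MITIGATION_* symbols. This symbol appears in the config because enabling CONFIG_MITIGATION_CALL_DEPTH_TRACKING (second hunk) makes the call-thunks debugging option selectable; leaving it off is correct for a production build since it exists only for debugging the thunk machinery, but a short sentence in the message saying it is a newly exposed debug knob that is intentionally disabled would save the next reader from wondering whether it was dropped by accident.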
@@ -331,10 +332,15 @@ CONFIG_MFD_CORE=y
331332
# CONFIG_MFD_INTEL_PMC_BXT is not set
332333
CONFIG_MICROCODE_LATE_FORCE_MINREV=y
333334
CONFIG_MICROCODE_LATE_LOADING=y
335+
CONFIG_MITIGATION_CALL_DEPTH_TRACKING=y
334336
CONFIG_MITIGATION_IBPB_ENTRY=y
335337
CONFIG_MITIGATION_IBRS_ENTRY=y
338+
CONFIG_MITIGATION_ITS=y
336339
CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y
337-
# CONFIG_MITIGATION_SLS is not set
340+
CONFIG_MITIGATION_SLS=y
341+
CONFIG_MITIGATION_SRBDS=y
342+
CONFIG_MITIGATION_SRSO=y
343+
CONFIG_MITIGATION_UNRET_ENTRY=y
338344
CONFIG_MMC=y
339345
CONFIG_MMCONF_FAM10H=y
340346
CONFIG_MMC_BLOCK=y
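Review bot: The commit message's description of `CONFIG_MITIGATION_SLS=y` (flipped here from "is not set") does not match what the option does and contradicts the claim that these options "only activate on CPUs affected". MITIGATION_SLS is the straight-line-speculation mitigation: it is applied at compile time by the compiler's SLS hardening flag, which unconditionally places an INT3 after RET and indirect JMP instructions, so it is neither gated on CPU/microcode state at runtime nor a Spectre-v4 (speculative store bypass) mitigation, and it adds a small amount of code size on every CPU. The change itself is fine and is the upstream-recommended setting; please correct the SLS bullet and the "only activate on affected CPUs" sentence so the message accurately describes the one option in this list that is not runtime-selected. The remaining additions (CALL_DEPTH_TRACKING, ITS, SRBDS, SRSO, UNRET_ENTRY) are inserted in alphabetical order consistent with the surrounding entries.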

target/linux/x86/config-6.18

Lines changed: 1 addition & 1 deletion
@@ -264,7 +264,7 @@ CONFIG_MITIGATION_L1TF=y
264264
CONFIG_MITIGATION_MDS=y
265265
CONFIG_MITIGATION_MMIO_STALE_DATA=y
266266
CONFIG_MITIGATION_RETBLEED=y
267-
# CONFIG_MITIGATION_RETHUNK is not set
267+
CONFIG_MITIGATION_RETHUNK=y
268268
CONFIG_MITIGATION_RETPOLINE=y
269269
CONFIG_MITIGATION_RFDS=y
270270
CONFIG_MITIGATION_SPECTRE_BHI=y
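Review bot: `CONFIG_MITIGATION_RETHUNK=y` is turned on in the shared target/linux/x86/config-6.18, which applies to every x86 subtarget, yet the commit title is scoped to x86/64 and the message never mentions RETHUNK. The reason it belongs here is that CONFIG_MITIGATION_UNRET_ENTRY, CONFIG_MITIGATION_CALL_DEPTH_TRACKING and CONFIG_MITIGATION_SRSO (enabled in the 64 subtarget in the previous file) all depend on MITIGATION_RETHUNK in Kconfig, so without this line those symbols would be silently dropped at build time. Please add a sentence to the commit message stating that RETHUNK is enabled as a Kconfig dependency of those three options and noting the effect on the other subtargets, where the compiler emits return thunks but the kernel patches them back to plain returns at boot when no return-based mitigation is selected.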
