From patchwork Tue Jun 9 17:30:39 2020
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 3175
To: development@lists.ipfire.org
From: Peter Müller
Subject: [PATCH] kernel: enable CONFIG_X86_INTEL_UMIP on x86_64
Message-ID: <6eb7b950-49e4-531f-a8ff-fa97470bd141@ipfire.org>
Date: Tue, 9 Jun 2020 17:30:39 +0000

Quoted from https://capsule8.com/blog/kernel-configuration-glossary/:

> Significance: High
>
> The User Mode Instruction Prevention (UMIP) is a security feature in newer
> Intel processors. If enabled a general protection fault is issued if the SGDT
> SLDT SIDT SMSW or STR instructions are executed in user mode. These
> instructions unnecessarily expose information about the hardware state.

Personally, I do not like Intel's "hardware security features" as they often turned out as being difficult to handle, to implement and completely useless or even counterproductive at the end of the day (SGX? Why, did anyone mention SGX?!). Anyway, here we go...

Fixes: #12367
Cc: Arne Fitzenreiter
Cc: Michael Tremer
Signed-off-by: Peter Müller
--- config/kernel/kernel.config.x86_64-ipfire | 1 + 1 file changed, 1 insertion(+) diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 6a5fbbfe9..f37b4b5d4 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -459,6 +459,7 @@ CONFIG_X86_EXTENDED_PLATFORM=y # CONFIG_X86_GOLDFISH is not set # CONFIG_X86_INTEL_MID is not set CONFIG_X86_INTEL_LPSS=y +CONFIG_X86_INTEL_UMIP=y CONFIG_X86_AMD_PLATFORM_DEVICE=y CONFIG_IOSF_MBI=y # CONFIG_IOSF_MBI_DEBUG is not set
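Review bot: The commit message justifies the added CONFIG_X86_INTEL_UMIP=y line only with the quoted glossary text, which says SGDT, SLDT, SIDT, SMSW and STR raise a general protection fault in user mode, but it does not say whether any user-space software shipped with the distribution executes those instructions or how the change was tested. A sentence on both would make the behaviour change reviewable. The subject limits the change to x86_64 and only kernel.config.x86_64-ipfire is touched; if other x86 kernel configs exist under config/kernel/, please state in the message why they are left as they are.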