1. Patchew
  2. linux
  3. [RFC PATCH 00/56] Dynamic mitigations
  4. View patch

[RFC PATCH 02/56] x86/Kconfig: Add CONFIG_DYNAMIC_MITIGATIONS

David Kaplan posted 56 patches 2 months, 1 week ago
[RFC PATCH 02/56] x86/Kconfig: Add CONFIG_DYNAMIC_MITIGATIONS
Posted by David Kaplan 2 months, 1 week ago 
CONFIG_DYNAMIC_MITIGATIONS enables support for runtime re-patching of the
kernel when mitigation selections are changed.  It depends on
CONFIG_LIVEPATCH because it needs modules to preserve all their ELF
information for later re-patching.  It also depends on CONFIG_FREEZER
because re-patching must be done while all tasks are in the freezer to
avoid race conditions.

CONFIG_DEBUG_ENTRY must be false because dynamic mitigations relies on a
non-reentrant NMI handler which does not unmask NMIs early.

CONFIG_DYNAMIC_MITIGATIONS is optional because support for dynamic
mitigations does increase runtime kernel memory usage.

Signed-off-by: David Kaplan <david.kaplan@amd.com>
---
 arch/x86/Kconfig | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index fa3b616af03a..0c8c1e508223 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2711,6 +2711,18 @@ config MITIGATION_VMSCAPE
 	  Enable mitigation for VMSCAPE attacks. VMSCAPE is a hardware security
 	  vulnerability on Intel and AMD CPUs that may allow a guest to do
 	  Spectre v2 style attacks on userspace hypervisor.
+
+config DYNAMIC_MITIGATIONS
+	bool "Support dynamic reconfiguration of CPU mitigations at runtime"
+	depends on LIVEPATCH && FREEZER && !DEBUG_ENTRY
+	default y
+	help
+	  Allow CPU mitigations to be reconfigured at runtime via
+	  sysfs.  Dynamic mitigation support requires extra kernel memory
+	  to keep around alternative information after kernel boot but
+	  allows CPU mitigation settings to be modified without a
+	  kexec/reboot.
+
 endif
 
 config ARCH_HAS_ADD_PAGES
-- 
2.34.1
Re: [RFC PATCH 02/56] x86/Kconfig: Add CONFIG_DYNAMIC_MITIGATIONS
Posted by Josh Poimboeuf 2 months ago 
On Mon, Oct 13, 2025 at 09:33:50AM -0500, David Kaplan wrote:
> CONFIG_DYNAMIC_MITIGATIONS enables support for runtime re-patching of the
> kernel when mitigation selections are changed.  It depends on
> CONFIG_LIVEPATCH because it needs modules to preserve all their ELF
> information for later re-patching.  It also depends on CONFIG_FREEZER
> because re-patching must be done while all tasks are in the freezer to
> avoid race conditions.

The LIVEPATCH dependency seems a bit arbitrary, can we have an
underlying CONFIG_MODULE_PRESERVE_ELF, which LIVEPATCH and
DYNAMIC_MITIGATIONS both select?

-- 
Josh

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.