
menu "Common Features"

config COMPAT
	bool
	help
	  32-bit interface support on 64-bit Xen which is used for both
	  HVM and PV guests. HVMLoader makes 32-bit hypercalls irrespective
	  of the destination runmode of the guest.

config CORE_PARKING
	bool

config GRANT_TABLE
	bool "Grant table support" if EXPERT
	default y
	---help---
	  Grant table provides a generic mechanism for memory sharing
	  between domains. This shared memory interface underpins the
	  split device drivers for block and network IO in a classic
	  Xen setup.

	  If unsure, say Y.

config HAS_ALTERNATIVE
	bool

config HAS_DEVICE_TREE
	bool

config HAS_EX_TABLE
	bool

config HAS_FAST_MULTIPLY
	bool

config MEM_ACCESS_ALWAYS_ON
	bool

config MEM_ACCESS
	def_bool MEM_ACCESS_ALWAYS_ON
	prompt "Memory Access and VM events" if !MEM_ACCESS_ALWAYS_ON
	---help---

	  Framework to configure memory access types for guests and receive
	  related events in userspace.

config HAS_MEM_PAGING
	bool

config HAS_PDX
	bool

config HAS_UBSAN
	bool

config HAS_KEXEC
	bool

config HAS_IOPORTS
	bool

config HAS_SCHED_GRANULARITY
	bool

config NEEDS_LIBELF
	bool

config NEEDS_LIST_SORT
	bool

menu "Speculative hardening"

config SPECULATIVE_HARDEN_ARRAY
	bool "Speculative Array Hardening"
	default y
	---help---
	  Contemporary processors may use speculative execution as a
	  performance optimisation, but this can potentially be abused by an
	  attacker to leak data via speculative sidechannels.

	  One source of data leakage is via speculative out-of-bounds array
	  accesses.

	  When enabled, specific array accesses which have been deemed liable
	  to be speculatively abused will be hardened to avoid out-of-bounds
	  accesses.

	  This is a best-effort mitigation. There are no guarantees that all
	  areas of code open to abuse have been hardened.

	  If unsure, say Y.

config SPECULATIVE_HARDEN_BRANCH
	bool "Speculative Branch Hardening"
	default y
	depends on X86
	---help---
	  Contemporary processors may use speculative execution as a
	  performance optimisation, but this can potentially be abused by an
	  attacker to leak data via speculative sidechannels.

	  One source of misbehaviour is by executing the wrong basic block
	  following a conditional jump.

	  When enabled, specific conditions which have been deemed liable to
	  be speculatively abused will be hardened to avoid entering the wrong
	  basic block.

	  This is a best-effort mitigation. There are no guarantees that all
	  areas of code open to abuse have been hardened, nor that
	  optimisations in the compiler haven't subverted the attempts to
	  harden.

	  If unsure, say Y.

endmenu

config HYPFS
	bool "Hypervisor file system support"
	default y
	---help---
	  Support the Xen hypervisor file system. This file system is used to
	  present various hypervisor internal data to dom0 and in some
	  cases to allow modifying settings. Disabling the support will
	  result in some features not being available, e.g. runtime parameter
	  setting.

	  If unsure, say Y.

config HYPFS_CONFIG
	bool "Provide hypervisor .config via hypfs entry"
	default y
	depends on HYPFS
	---help---
	  When enabled the contents of the .config file used to build the
	  hypervisor are provided via the hypfs entry /buildinfo/config.

	  Disable this option in case you want to spare some memory or you
	  want to hide the .config contents from dom0.

config KEXEC
	bool "kexec support"
	default y
	depends on HAS_KEXEC
	---help---
	  Allows a running Xen hypervisor to be replaced with another OS
	  without rebooting. This is primarily used to execute a crash
	  environment to collect information on a Xen hypervisor or dom0 crash.

	  If unsure, say Y.

config EFI_SET_VIRTUAL_ADDRESS_MAP
	bool "EFI: call SetVirtualAddressMap()" if EXPERT
	---help---
	  Call the EFI SetVirtualAddressMap() runtime service to set up the
	  memory map for further runtime services. According to the UEFI spec,
	  it isn't strictly necessary, but many UEFI implementations misbehave
	  when this call is missing.

	  If unsure, say N.

config XENOPROF
	def_bool y
	prompt "Xen Oprofile Support" if EXPERT
	depends on X86
	---help---
	  Xen OProfile (Xenoprof) is a system-wide profiler for Xen virtual
	  machine environments, capable of profiling the Xen virtual machine
	  monitor, multiple Linux guest operating systems, and applications
	  running on them.

	  If unsure, say Y.

config XSM
	bool "Xen Security Modules support"
	default ARM
	---help---
	  Enables the security framework known as Xen Security Modules which
	  allows administrators fine-grained control over a Xen domain and
	  its capabilities by defining permissible interactions between domains,
	  the hypervisor itself, and related resources such as memory and
	  devices.

	  If unsure, say N.

config XSM_FLASK
	def_bool y
	prompt "FLux Advanced Security Kernel support"
	depends on XSM
	---help---
	  Enables FLASK (FLux Advanced Security Kernel) as the access control
	  mechanism used by the XSM framework. This provides a mandatory access
	  control framework by which security enforcement, isolation, and
	  auditing can be achieved with fine granular control via a security
	  policy.

	  If unsure, say Y.

config XSM_FLASK_AVC_STATS
	def_bool y
	prompt "Maintain statistics on the FLASK access vector cache" if EXPERT
	depends on XSM_FLASK
	---help---
	  Maintain counters on the access vector cache that can be viewed using
	  the FLASK_AVC_CACHESTATS sub-op of the xsm_op hypercall. Disabling
	  this will save a tiny amount of memory and time to update the stats.

	  If unsure, say Y.

config XSM_FLASK_POLICY
	bool "Compile Xen with a built-in FLASK security policy"
	default y if "$(XEN_HAS_CHECKPOLICY)" = "y"
	depends on XSM_FLASK
	---help---
	  This includes a default XSM policy in the hypervisor so that the
	  bootloader does not need to load a policy to get sane behavior from an
	  XSM-enabled hypervisor. If this is disabled, a policy must be
	  provided by the bootloader or by Domain 0. Even if this is enabled, a
	  policy provided by the bootloader will override it.

	  This requires that the SELinux policy compiler (checkpolicy) be
	  available when compiling the hypervisor.

	  If unsure, say Y.

config XSM_SILO
	def_bool y
	prompt "SILO support"
	depends on XSM
	---help---
	  Enables SILO as the access control mechanism used by the XSM framework.
	  This is not the default module; add the boot parameter xsm=silo to
	  choose it. This will deny any unmediated communication channels (grant
	  tables and event channels) between unprivileged VMs.

	  If unsure, say Y.

choice
	prompt "Default XSM implementation"
	depends on XSM
	default XSM_SILO_DEFAULT if XSM_SILO && ARM
	default XSM_FLASK_DEFAULT if XSM_FLASK
	default XSM_SILO_DEFAULT if XSM_SILO
	default XSM_DUMMY_DEFAULT
	config XSM_DUMMY_DEFAULT
		bool "Match non-XSM behavior"
	config XSM_FLASK_DEFAULT
		bool "FLux Advanced Security Kernel" if XSM_FLASK
	config XSM_SILO_DEFAULT
		bool "SILO" if XSM_SILO
endchoice

config LATE_HWDOM
	bool "Dedicated hardware domain"
	default n
	depends on XSM && X86
	---help---
	  Allows the creation of a dedicated hardware domain distinct from
	  domain 0 that manages devices without needing access to other
	  privileged functionality such as the ability to manage domains.
	  This requires that the actual domain 0 be a stub domain that
	  constructs the actual hardware domain instead of initializing the
	  hardware itself. Because the hardware domain needs access to
	  hypercalls not available to unprivileged guests, an XSM policy
	  is required to properly define the privilege of these domains.

	  This feature does nothing if the "hardware_dom" boot parameter is
	  not present. If this feature is being used for security, it should
	  be combined with an IOMMU in strict mode.

	  If unsure, say N.

config ARGO
	bool "Argo: hypervisor-mediated interdomain communication" if EXPERT
	---help---
	  Enables a hypercall for domains to ask the hypervisor to perform
	  data transfer of messages between domains.

	  This allows communication channels to be established that do not
	  require any shared memory between domains; the hypervisor is the
	  entity that each domain interacts with. The hypervisor is able to
	  enforce Mandatory Access Control policy over the communication.

	  If XSM_FLASK is enabled, XSM policy can govern which domains may
	  communicate via the Argo system.

	  This feature does nothing if the "argo" boot parameter is not present.
	  Argo is disabled at runtime by default.

	  If unsure, say N.

source "common/sched/Kconfig"

config CRYPTO
	bool

config LIVEPATCH
	bool "Live patching support"
	default X86
	depends on "$(XEN_HAS_BUILD_ID)" = "y"
	---help---
	  Allows a running Xen hypervisor to be dynamically patched using
	  binary patches without rebooting. This is primarily used to apply
	  XSA fixes as binary patches to a hypervisor in the field.

	  If unsure, say Y.

config FAST_SYMBOL_LOOKUP
	bool "Fast symbol lookup (bigger binary)"
	default y
	depends on LIVEPATCH
	---help---
	  When searching for symbol addresses we can use the built-in system
	  that is optimized for searching symbols using addresses as the key.
	  However, using it for the inverse (finding an address by symbol name)
	  is slow. This extra data and code (~55kB) speeds up the search.
	  The only user of this is Live patching.

	  If unsure, say Y.

config ENFORCE_UNIQUE_SYMBOLS
	bool "Enforce unique symbols"
	default LIVEPATCH
	---help---
	  Multiple symbols with the same name aren't generally a problem
	  unless livepatching is to be used.

	  Livepatch loading involves resolving relocations against symbol
	  names, and attempting to resolve a duplicate symbol in a livepatch
	  will result in incorrect livepatch application.

	  This option should be used to ensure that a build of Xen can have a
	  livepatch build and apply correctly.

config SUPPRESS_DUPLICATE_SYMBOL_WARNINGS
	bool "Suppress duplicate symbol warnings"
	depends on !ENFORCE_UNIQUE_SYMBOLS
	---help---
	  Multiple symbols with the same name aren't generally a problem
	  unless Live patching is to be used, so these warnings can be
	  suppressed by enabling this option. Certain other options (known
	  to produce many duplicate names) may select this to avoid the
	  build becoming overly verbose.

config CMDLINE
	string "Built-in hypervisor command string" if EXPERT
	default ""
	---help---
	  Enter arguments here that should be compiled into the hypervisor
	  image and used at boot time. When the system boots, this string
	  will be parsed prior to the bootloader command line. So if a
	  non-cumulative option is set both in this string and in the
	  bootloader command line, only the latter one will take effect.

config CMDLINE_OVERRIDE
	bool "Built-in command line overrides bootloader arguments"
	default n
	depends on CMDLINE != ""
	---help---
	  Set this option to 'Y' to have the hypervisor ignore the bootloader
	  command line, and use ONLY the built-in command line.

	  This is used to work around broken bootloaders. This should
	  be set to 'N' under normal conditions.

config DOM0_MEM
	string "Default value for dom0_mem boot parameter"
	default ""
	---help---
	  Sets a default value for dom0_mem, e.g. "512M".
	  The specified string will be used for the dom0_mem parameter in
	  case it was not specified on the command line.

	  See docs/misc/xen-command-line.markdown for the supported syntax.

	  Leave empty if you are not sure what to specify.

config TRACEBUFFER
	bool "Enable tracing infrastructure" if EXPERT
	default y
	---help---
	  Enable tracing infrastructure and pre-defined tracepoints within Xen.
	  This will allow live information about Xen's execution and performance
	  to be collected at run time for debugging or performance analysis.
	  Memory and execution overhead when not active is minimal.

endmenu

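
# Added example, not part of the Xen tree: a build-config audit that checks a
# generated .config against the security-relevant relationships described in the
# help texts above. It assumes the usual CONFIG_ symbol prefix; the sample input
# and the names parse_config and audit are constructed for illustration.

```python
import re

# Constructed sample .config fragment for an x86 build (not from a real system).
SAMPLE_CONFIG = """\
CONFIG_X86=y
CONFIG_XSM=y
# CONFIG_XSM_FLASK is not set
CONFIG_XSM_SILO=y
CONFIG_XSM_SILO_DEFAULT=y
CONFIG_ARGO=y
CONFIG_SPECULATIVE_HARDEN_ARRAY=y
# CONFIG_SPECULATIVE_HARDEN_BRANCH is not set
CONFIG_HYPFS_CONFIG=y
CONFIG_LIVEPATCH=y
# CONFIG_ENFORCE_UNIQUE_SYMBOLS is not set
CONFIG_CMDLINE="console=vga"
CONFIG_CMDLINE_OVERRIDE=y
"""

def parse_config(text):
    """Map symbol -> value; '# CONFIG_X is not set' lines leave X absent."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'CONFIG_(\w+)=(.*)$', line.strip())
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
    return cfg

def audit(cfg):
    """Return findings based on the help texts of the options above."""
    on = lambda sym: cfg.get(sym) == "y"
    findings = []
    if not on("SPECULATIVE_HARDEN_ARRAY"):
        findings.append("SPECULATIVE_HARDEN_ARRAY off: array accesses not hardened")
    if on("X86") and not on("SPECULATIVE_HARDEN_BRANCH"):
        findings.append("SPECULATIVE_HARDEN_BRANCH off: conditional branches not hardened")
    if not on("XSM"):
        findings.append("XSM off: FLASK/SILO access control not built")
    elif on("XSM_DUMMY_DEFAULT"):
        findings.append("XSM default module matches non-XSM behavior")
    if on("ARGO") and not on("XSM_FLASK"):
        findings.append("ARGO without XSM_FLASK: no FLASK policy over Argo peers")
    if on("HYPFS_CONFIG"):
        findings.append("HYPFS_CONFIG: dom0 can read /buildinfo/config")
    if on("LIVEPATCH") and not on("ENFORCE_UNIQUE_SYMBOLS"):
        findings.append("LIVEPATCH without ENFORCE_UNIQUE_SYMBOLS: duplicate symbols can misapply a patch")
    if on("CMDLINE_OVERRIDE"):
        findings.append("CMDLINE_OVERRIDE: bootloader command line is ignored")
    return findings
```
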