
menu "Common Features"

config COMPAT
	bool
	help
	  32-bit interface support on 64-bit Xen which is used for both
	  HVM and PV guests. HVMLoader makes 32-bit hypercalls irrespective
	  of the destination runmode of the guest.

config CORE_PARKING
	bool
	depends on NR_CPUS > 1

config GRANT_TABLE
	bool "Grant table support" if EXPERT
	default y
	help
	  Grant tables provide a generic mechanism for memory sharing
	  between domains. This shared memory interface underpins the
	  split device drivers for block and network IO in a classic
	  Xen setup.

	  If unsure, say Y.

config PDX_COMPRESSION
	bool "PDX (Page inDeX) compression" if EXPERT && !X86 && !RISCV
	default ARM || PPC
	help
	  PDX compression is a technique designed to reduce the memory
	  overhead of physical memory management on platforms with sparse RAM
	  banks.

	  If your platform does have sparse RAM banks, enabling PDX
	  compression may reduce the memory overhead of Xen, but does carry a
	  runtime performance cost.

	  If your platform does not have sparse RAM banks, do not enable PDX
	  compression.

config ALTERNATIVE_CALL
	bool

config ARCH_MAP_DOMAIN_PAGE
	bool

config GENERIC_BUG_FRAME
	bool

config HAS_ALTERNATIVE
	bool

config HAS_COMPAT
	bool

config HAS_DEVICE_TREE
	bool

config HAS_DIT # Data Independent Timing
	bool

config HAS_EX_TABLE
	bool

config HAS_FAST_MULTIPLY
	bool

config HAS_IOPORTS
	bool

config HAS_KEXEC
	bool

config HAS_PIRQ
	bool

config HAS_PMAP
	bool

config HAS_SCHED_GRANULARITY
	bool

config HAS_UBSAN
	bool

config MEM_ACCESS_ALWAYS_ON
	bool

config MEM_ACCESS
	def_bool MEM_ACCESS_ALWAYS_ON
	prompt "Memory Access and VM events" if !MEM_ACCESS_ALWAYS_ON
	depends on HVM
	help
	  Framework to configure memory access types for guests and receive
	  related events in userspace.

config NEEDS_LIBELF
	bool

config NUMA
	bool

config STATIC_MEMORY
	bool "Static Allocation Support (UNSUPPORTED)" if UNSUPPORTED
	depends on DOM0LESS_BOOT
	help
	  Static Allocation refers to systems or sub-systems (domains) for
	  which memory areas are pre-defined by configuration using physical
	  address ranges.

	  When enabled, memory can be statically allocated to a domain using
	  the property "xen,static-mem" defined in the domain configuration.

	  If unsure, say N.

menu "Speculative hardening"

config INDIRECT_THUNK
	bool "Speculative Branch Target Injection Protection"
	depends on CC_HAS_INDIRECT_THUNK
	default y
	help
	  Contemporary processors may use speculative execution as a
	  performance optimisation, but this can potentially be abused by an
	  attacker to leak data via speculative sidechannels.

	  One source of data leakage is via branch target injection.

	  When enabled, indirect branches are implemented using a new construct
	  called "retpoline" that prevents speculation.

config SPECULATIVE_HARDEN_ARRAY
	bool "Speculative Array Hardening"
	default y
	help
	  Contemporary processors may use speculative execution as a
	  performance optimisation, but this can potentially be abused by an
	  attacker to leak data via speculative sidechannels.

	  One source of data leakage is via speculative out-of-bounds array
	  accesses.

	  When enabled, specific array accesses which have been deemed liable
	  to be speculatively abused will be hardened to avoid out-of-bounds
	  accesses.

	  This is a best-effort mitigation. There are no guarantees that all
	  areas of code open to abuse have been hardened.

	  If unsure, say Y.
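
# The SPECULATIVE_HARDEN_ARRAY help text above describes hardening array
# accesses so that a guest-controlled index cannot reach out of bounds even
# while the CPU is executing a mispredicted path. The C below is an added
# illustration of that technique, not code from this file or from the Xen
# tree: it shows the ordinary check-then-index pattern next to a version
# that clamps the index with a branch-free mask before it is used. The
# op_cost table, NR_OPS and the function names are constructed for the
# example; the mask formula follows the arithmetic form of Linux's generic
# array_index_mask_nospec(), which avoids a data-dependent branch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG (8 * sizeof(unsigned long))

/*
 * Branch-free mask: all ones when index < size, zero otherwise.
 * For index < size both operands of the OR are below size, so the top
 * bit is clear and the arithmetic shift of the complement yields -1.
 * For index >= size the subtraction wraps, setting the top bit, and the
 * result is 0. No conditional branch exists for the CPU to mispredict.
 */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp index into [0, size): in-range values pass through, others become 0. */
static inline unsigned long array_index_nospec(unsigned long index,
                                               unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Constructed sample: a small operation table indexed by a guest-supplied
 * number, standing in for the kind of table the option protects. */
#define NR_OPS 4
static const int op_cost[NR_OPS] = { 10, 20, 30, 40 };

/*
 * Unhardened pattern (what the option exists to fix). Architecturally the
 * bounds check is sufficient, but before the comparison resolves the CPU
 * may speculatively perform the load with an out-of-bounds guest_idx.
 */
int op_cost_unhardened(unsigned long guest_idx)
{
    if (guest_idx >= NR_OPS)
        return -1;
    return op_cost[guest_idx];
}

/*
 * Hardened pattern. The index that reaches the load has been masked, so
 * even on a mispredicted path it is within [0, NR_OPS). Architectural
 * results are identical to the unhardened version.
 */
int op_cost_hardened(unsigned long guest_idx)
{
    if (guest_idx >= NR_OPS)
        return -1;
    guest_idx = array_index_nospec(guest_idx, NR_OPS);
    return op_cost[guest_idx];
}

int main(void)
{
    /* Constructed guest inputs: two in range, two out of range. */
    unsigned long idx[] = { 0, 3, 4, ~0UL };
    size_t i;

    for (i = 0; i < sizeof(idx) / sizeof(idx[0]); i++)
        printf("index %#lx -> mask %#lx, clamped %lu, cost %d\n", idx[i],
               array_index_mask_nospec(idx[i], NR_OPS),
               array_index_nospec(idx[i], NR_OPS), op_cost_hardened(idx[i]));
    return 0;
}
```

# Builds and runs stand-alone with any C compiler. Note that a compiler is
# free to turn the arithmetic back into a compare-and-branch; production
# hypervisor and kernel builds therefore typically pin the mask computation
# in inline assembly on x86, which this portable example does not do.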

config SPECULATIVE_HARDEN_BRANCH
	bool "Speculative Branch Hardening"
	default y
	depends on X86
	help
	  Contemporary processors may use speculative execution as a
	  performance optimisation, but this can potentially be abused by an
	  attacker to leak data via speculative sidechannels.

	  One source of misbehaviour is by executing the wrong basic block
	  following a conditional jump.

	  When enabled, specific conditions which have been deemed liable to
	  be speculatively abused will be hardened to avoid entering the wrong
	  basic block.

	  This is a best-effort mitigation. There are no guarantees that all
	  areas of code open to abuse have been hardened, nor that
	  optimisations in the compiler haven't subverted the attempts to
	  harden.

	  If unsure, say Y.

config SPECULATIVE_HARDEN_GUEST_ACCESS
	bool "Speculative PV Guest Memory Access Hardening"
	default y
	depends on PV
	help
	  Contemporary processors may use speculative execution as a
	  performance optimisation, but this can potentially be abused by an
	  attacker to leak data via speculative sidechannels.

	  One source of data leakage is via speculative accesses to hypervisor
	  memory through guest controlled values used to access guest memory.

	  When enabled, code paths accessing PV guest memory will have guest
	  controlled addresses massaged such that memory accesses through them
	  won't touch hypervisor address space.

	  If unsure, say Y.

config SPECULATIVE_HARDEN_LOCK
	bool "Speculative lock context hardening"
	default y
	depends on X86
	help
	  Contemporary processors may use speculative execution as a
	  performance optimisation, but this can potentially be abused by an
	  attacker to leak data via speculative sidechannels.

	  One source of data leakage is via speculative accesses to lock
	  critical regions.

	  This option is disabled by default at run time, and needs to be
	  enabled on the command line.

	  If unsure, say Y.

endmenu

config DIT_DEFAULT
	bool "Data Independent Timing default"
	depends on HAS_DIT
	help
	  Hardware often surfaces instructions the timing of which is dependent
	  on the data they process. Some of these instructions may be used in
	  timing sensitive environments, e.g. cryptography. When such
	  instructions exist, hardware may further surface a control that
	  makes the behavior of such instructions independent of the data
	  they act upon. Note the build time value can be overridden at runtime
	  using the "dit" command line option.

	  NB: Intel calls the feature DOITM (Data Operand Independent Timing
	  Mode).

config HYPFS
	bool "Hypervisor file system support"
	default y
	help
	  Support the Xen hypervisor file system. This file system is used to
	  present various hypervisor internal data to dom0 and in some
	  cases to allow modifying settings. Disabling the support will
	  result in some features not being available, e.g. runtime parameter
	  setting.

	  If unsure, say Y.

config HYPFS_CONFIG
	bool "Provide hypervisor .config via hypfs entry"
	default y
	depends on HYPFS
	help
	  When enabled the contents of the .config file used to build the
	  hypervisor are provided via the hypfs entry /buildinfo/config.

	  Disable this option in case you want to spare some memory or you
	  want to hide the .config contents from dom0.

config IOREQ_SERVER
	bool "IOREQ support (EXPERT)" if EXPERT && !X86
	default X86
	depends on HVM
	help
	  Enables a generic mechanism for providing emulated devices to guests.

	  If unsure, say N.

config KEXEC
	bool "kexec support"
	default y
	depends on HAS_KEXEC
	help
	  Allows a running Xen hypervisor to be replaced with another OS
	  without rebooting.
	  This is primarily used to execute a crash
	  environment to collect information on a Xen hypervisor or dom0 crash.

	  If unsure, say Y.

config EFI_SET_VIRTUAL_ADDRESS_MAP
	bool "EFI: call SetVirtualAddressMap()" if EXPERT
	help
	  Call the EFI SetVirtualAddressMap() runtime service to set up the
	  memory map for further runtime services. According to the UEFI spec,
	  it isn't strictly necessary, but many UEFI implementations misbehave
	  when this call is missing.

	  If unsure, say N.

config XENOPROF
	bool "Xen Oprofile Support" if EXPERT
	depends on X86
	help
	  Xen OProfile (Xenoprof) is a system-wide profiler for Xen virtual
	  machine environments, capable of profiling the Xen virtual machine
	  monitor, multiple Linux guest operating systems, and applications
	  running on them.

	  If unsure, say Y.

config XSM
	bool "Xen Security Modules support"
	default ARM
	help
	  Enables the security framework known as Xen Security Modules which
	  allows administrators fine-grained control over a Xen domain and
	  its capabilities by defining permissible interactions between domains,
	  the hypervisor itself, and related resources such as memory and
	  devices.

	  If unsure, say N.

config XSM_FLASK
	def_bool y
	prompt "FLux Advanced Security Kernel support"
	depends on XSM
	help
	  Enables FLASK (FLux Advanced Security Kernel) as the access control
	  mechanism used by the XSM framework. This provides a mandatory access
	  control framework by which security enforcement, isolation, and
	  auditing can be achieved with fine granular control via a security
	  policy.

	  If unsure, say Y.

config XSM_FLASK_AVC_STATS
	def_bool y
	prompt "Maintain statistics on the FLASK access vector cache" if EXPERT
	depends on XSM_FLASK
	help
	  Maintain counters on the access vector cache that can be viewed using
	  the FLASK_AVC_CACHESTATS sub-op of the xsm_op hypercall.
	  Disabling
	  this will save a tiny amount of memory and time to update the stats.

	  If unsure, say Y.

config XSM_FLASK_POLICY
	bool "Compile Xen with a built-in FLASK security policy"
	default y if "$(XEN_HAS_CHECKPOLICY)" = "y"
	depends on XSM_FLASK
	help
	  This includes a default XSM policy in the hypervisor so that the
	  bootloader does not need to load a policy to get sane behavior from an
	  XSM-enabled hypervisor. If this is disabled, a policy must be
	  provided by the bootloader or by Domain 0. Even if this is enabled, a
	  policy provided by the bootloader will override it.

	  This requires that the SELinux policy compiler (checkpolicy) be
	  available when compiling the hypervisor.

	  If unsure, say Y.

config XSM_SILO
	def_bool y
	prompt "SILO support"
	depends on XSM
	help
	  Enables SILO as the access control mechanism used by the XSM framework.
	  This is not the default module, add boot parameter xsm=silo to choose
	  it. This will deny any unmediated communication channels (grant tables
	  and event channels) between unprivileged VMs.

	  If unsure, say Y.

choice
	prompt "Default XSM implementation"
	depends on XSM
	default XSM_SILO_DEFAULT if XSM_SILO && ARM
	default XSM_FLASK_DEFAULT if XSM_FLASK
	default XSM_SILO_DEFAULT if XSM_SILO
	default XSM_DUMMY_DEFAULT
	config XSM_DUMMY_DEFAULT
		bool "Match non-XSM behavior"
	config XSM_FLASK_DEFAULT
		bool "FLux Advanced Security Kernel" if XSM_FLASK
	config XSM_SILO_DEFAULT
		bool "SILO" if XSM_SILO
endchoice

config LATE_HWDOM
	bool "Dedicated hardware domain"
	default n
	depends on XSM && X86
	help
	  Allows the creation of a dedicated hardware domain distinct from
	  domain 0 that manages devices without needing access to other
	  privileged functionality such as the ability to manage domains.

	  This requires that the actual domain 0 be a stub domain that
	  constructs the actual hardware domain instead of initializing the
	  hardware itself. Because the hardware domain needs access to
	  hypercalls not available to unprivileged guests, an XSM policy
	  is required to properly define the privilege of these domains.

	  This feature does nothing if the "hardware_dom" boot parameter is
	  not present. If this feature is being used for security, it should
	  be combined with an IOMMU in strict mode.

	  If unsure, say N.

config ARGO
	bool "Argo: hypervisor-mediated interdomain communication (UNSUPPORTED)" if UNSUPPORTED
	help
	  Enables a hypercall for domains to ask the hypervisor to perform
	  data transfer of messages between domains.

	  This allows communication channels to be established that do not
	  require any shared memory between domains; the hypervisor is the
	  entity that each domain interacts with. The hypervisor is able to
	  enforce Mandatory Access Control policy over the communication.

	  If XSM_FLASK is enabled, XSM policy can govern which domains may
	  communicate via the Argo system.

	  This feature does nothing if the "argo" boot parameter is not present.
	  Argo is disabled at runtime by default.

	  If unsure, say N.

source "common/sched/Kconfig"

config CRYPTO
	bool

config LIVEPATCH
	bool "Live patching support"
	default X86
	depends on "$(XEN_HAS_BUILD_ID)" = "y"
	select CC_SPLIT_SECTIONS
	help
	  Allows a running Xen hypervisor to be dynamically patched using
	  binary patches without rebooting. This is primarily used to apply
	  binary patches with XSA fixes to a hypervisor in the field.

	  If unsure, say Y.

config FAST_SYMBOL_LOOKUP
	bool "Fast symbol lookup (bigger binary)"
	default y
	depends on LIVEPATCH
	help
	  When searching for symbol addresses we can use the built-in system
	  that is optimized for searching symbols using addresses as the key.
	  However, using it for the inverse (finding an address from a symbol
	  name) is slow. This extra data and code (~55kB) speeds up that search.
	  The only user of this is Live patching.

	  If unsure, say Y.

config ENFORCE_UNIQUE_SYMBOLS
	bool "Enforce unique symbols"
	default LIVEPATCH
	help
	  Multiple symbols with the same name aren't generally a problem
	  unless livepatching is to be used.

	  Livepatch loading involves resolving relocations against symbol
	  names, and attempting to resolve a duplicate symbol in a livepatch
	  will result in incorrect livepatch application.

	  This option should be used to ensure that a build of Xen can have a
	  livepatch build and apply correctly.

config SUPPRESS_DUPLICATE_SYMBOL_WARNINGS
	bool "Suppress duplicate symbol warnings"
	depends on !ENFORCE_UNIQUE_SYMBOLS
	help
	  Multiple symbols with the same name aren't generally a problem
	  unless Live patching is to be used, so these warnings can be
	  suppressed by enabling this option. Certain other options (known
	  to produce many duplicate names) may select this to avoid the
	  build becoming overly verbose.

config CMDLINE
	string "Built-in hypervisor command string" if EXPERT
	default ""
	help
	  Enter arguments here that should be compiled into the hypervisor
	  image and used at boot time. When the system boots, this string
	  will be parsed prior to the bootloader command line. So if a
	  non-cumulative option is set both in this string and in the
	  bootloader command line, only the latter one will take effect.

config CMDLINE_OVERRIDE
	bool "Built-in command line overrides bootloader arguments"
	default n
	depends on CMDLINE != ""
	help
	  Set this option to 'Y' to have the hypervisor ignore the bootloader
	  command line, and use ONLY the built-in command line.

	  This is used to work around broken bootloaders. This should
	  be set to 'N' under normal conditions.

config DOM0_MEM
	string "Default value for dom0_mem boot parameter"
	default ""
	help
	  Sets a default value for dom0_mem, e.g. "512M".
	  The specified string will be used for the dom0_mem parameter in
	  case it was not specified on the command line.

	  See docs/misc/xen-command-line.pandoc for the supported syntax.

	  Leave empty if you are not sure what to specify.

config DTB_FILE
	string "Absolute path to device tree blob"
	depends on HAS_DEVICE_TREE
	help
	  When using a bootloader that has no device tree support or when there
	  is no bootloader at all, use this option to specify the absolute path
	  to a device tree that will be linked directly inside the Xen binary.

	  This is an optional config. Leave empty if not needed.

config TRACEBUFFER
	bool "Enable tracing infrastructure" if EXPERT
	default y
	help
	  Enable tracing infrastructure and pre-defined tracepoints within Xen.
	  This will allow live information about Xen's execution and performance
	  to be collected at run time for debugging or performance analysis.
	  Memory and execution overhead when not active is minimal.

endmenu