.. SPDX-License-Identifier: CC-BY-4.0

Frequently Asked Questions
==========================

How do I...
-----------

... check whether a Kconfig option is active?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  Kconfig is a build time configuration system, combining inherent knowledge,
  the capabilities of the toolchain, and explicit user choice to form a
  configuration of a build of Xen.

  A file, by default ``.config``, is produced by the build identifying the
  configuration used.  Kconfig symbols all start with ``CONFIG_``, and come in
  a variety of types including strings, integers and booleans.  Booleans are
  the most common, and when active are expressed with ``...=y``.  e.g.::

    xen.git/xen$ grep CONFIG_FOO .config
    CONFIG_FOO_BOOLEAN=y
    CONFIG_FOO_STRING="lorem ipsum"
    CONFIG_FOO_INTEGER=42

  Symbols which are either absent, or expressed as ``... is not set`` are
  disabled.  e.g.::

    xen.git/xen$ grep CONFIG_BAR .config
    # CONFIG_BAR is not set

  Builds of Xen configured with ``CONFIG_HYPFS_CONFIG=y`` embed their own
  ``.config`` at build time, and can provide it to the :term:`control domain`
  upon request.  e.g.::

    [root@host ~]# xenhypfs cat /buildinfo/config | grep -e FOO -e BAR
    CONFIG_FOO=y
    # CONFIG_BAR is not set


... tell if CET is active?
^^^^^^^^^^^^^^^^^^^^^^^^^^

  Control-flow Enforcement Technology support was added to Xen 4.14.  It is
  build time conditional, dependent on both having a new-enough toolchain and
  an explicit Kconfig option, and also requires capable hardware.  See
  :term:`CET`.

  For CET-SS, Shadow Stacks, the minimum toolchain requirements are ``binutils
  >= 2.29`` or ``LLVM >= 6``.  No specific compiler support is required.
  Check for ``CONFIG_XEN_SHSTK`` being active.

  For CET-IBT, Indirect Branch Tracking, the minimum toolchain requirements
  are ``GCC >= 9`` and ``binutils >= 2.29``.  Xen relies on a compiler feature
  which is specific to GCC at the time of writing.  Check for
  ``CONFIG_XEN_IBT`` being active.

  If a capable Xen is booted on capable hardware, and CET is not disabled by
  command line option or errata, Xen will print some details early on boot
  about which CET facilities have been turned on::

    ...
    (XEN) CPU Vendor: Intel, Family 6 (0x6), Model 143 (0x8f), Stepping 8 (raw 000806f8)
    (XEN) Enabling Supervisor Shadow Stacks
    (XEN) Enabling Indirect Branch Tracking
    (XEN)   - IBT disabled in UEFI Runtime Services
    (XEN) EFI RAM map:
    ...

  This can be obtained from the control domain with ``xl dmesg``, but remember
  to confirm that the console ring hasn't wrapped.

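The Kconfig check and the boot-message check from the two answers above, combined into one report. This is an added example, not part of the Xen tree; the function names and sample inputs are constructed, and it assumes the ``CPU Vendor:`` line (which precedes the CET messages in the boot log) is a usable sign that the console ring has not wrapped.

```shell
#!/bin/sh
# Added example (not part of xen.git): build-time and boot-time CET checks.

# Succeeds only for an active boolean: a line that is exactly "SYMBOL=y".
# Absent symbols and "# SYMBOL is not set" both count as disabled.
kconfig_active() {    # $1 = symbol, $2 = config file
    grep -qx "$1=y" "$2"
}

# Prints on/off/unknown for one boot message.
# Assumption: presence of the "CPU Vendor:" line means the early boot
# output is still in the log, i.e. the console ring has not wrapped.
cet_boot_state() {    # $1 = message text, $2 = saved console log
    if grep -qF "$1" "$2"; then
        echo on
    elif grep -qF "CPU Vendor:" "$2"; then
        echo off
    else
        echo unknown    # early boot output is gone; absence proves nothing
    fi
}

# One line per CET facility: was it built in, and was it enabled at boot?
cet_report() {        # $1 = config file, $2 = saved console log
    for pair in "CONFIG_XEN_SHSTK:Enabling Supervisor Shadow Stacks" \
                "CONFIG_XEN_IBT:Enabling Indirect Branch Tracking"; do
        sym=${pair%%:*}
        msg=${pair#*:}
        if kconfig_active "$sym" "$1"; then built=yes; else built=no; fi
        echo "$sym built=$built boot=$(cet_boot_state "$msg" "$2")"
    done
}

# Constructed sample inputs.  On a real host, use the build's .config (or
# `xenhypfs cat /buildinfo/config`) and the saved output of `xl dmesg`.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'CONFIG_XEN_SHSTK=y' '# CONFIG_XEN_IBT is not set' > "$tmp/config"
printf '%s\n' '(XEN) CPU Vendor: Intel, Family 6 (0x6), Model 143 (0x8f)' \
    '(XEN) Enabling Supervisor Shadow Stacks' \
    '(XEN) EFI RAM map:' > "$tmp/full.log"
printf '%s\n' '(XEN) constructed line from long after boot' > "$tmp/wrapped.log"

cet_report "$tmp/config" "$tmp/full.log"
cet_report "$tmp/config" "$tmp/wrapped.log"
```

A result of ``built=yes boot=off`` means the facility was compiled in but not turned on, which matches the cases listed above: hardware that is not capable, or CET disabled by command line option or errata.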