forked from Imagelibrary/seL4
x64: SKIM window to mitigate Meltdown (CVE-2017-5754) on x86-64
Introduces a kernel option that, when enabled, reduces the kernel window in a user address space to just be Static Kernel Image and Microstate (SKIM), instead of the full kernel address space. This isolates the important kernel data from the user, preventing a Meltdown-style attack from being able to violate secrecy. The kernel text and read-only data, i.e. anything that is static from boot, is not secret and can be allowed in the SKIM window and potentially read by the user. Additionally, to switch to and from the actual kernel address space, a small amount of state needs to also be in the SKIM window. This is only an implementation for x86-64, although the same design is applicable to ia32.
@@ -242,7 +242,7 @@ config_option(KernelDangerousCodeInjection DANGEROUS_CODE_INJECTION
|
||||
"Adds a system call that allows users to specify code to be run in kernel mode. \
|
||||
Useful for profiling."
|
||||
DEFAULT OFF
|
||||
DEPENDS "NOT KernelARMHypervisorSupport;NOT KernelVerificationBuild;NOT KernelPlatformHikey"
|
||||
DEPENDS "NOT KernelARMHypervisorSupport;NOT KernelVerificationBuild;NOT KernelPlatformHikey;NOT KernelSkimWindow"
|
||||
)
|
||||
|
||||
config_option(KernelDebugDisablePrefetchers DEBUG_DISABLE_PREFETCHERS
|
||||
|
||||
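Review bot: The new `NOT KernelSkimWindow` term on the DEPENDS line of `KernelDangerousCodeInjection` is undocumented. Neither the option's help string ("Adds a system call that allows users to specify code to be run in kernel mode. Useful for profiling.") nor a nearby comment says why code injection and the SKIM window exclude each other. Please add a sentence to the help text or a comment above the option stating the reason, so that the exclusion is not dropped in a later cleanup of the dependency list. It is also worth confirming how a build that requests both options behaves: if the unmet DEPENDS simply forces `DANGEROUS_CODE_INJECTION` to its disabled default, a profiling build would lose the system call without any message, and an explicit configuration error would be easier to diagnose.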