x86/64: 6.18: enable recent MITIGATION options

These mitigations are low-overhead, upstream-supported hardening options
that only activate on CPUs affected by their respective vulnerabilities.
Enabling them provides consistent, defense-in-depth coverage across Intel
and AMD systems without impacting unaffected hardware.

Detailed list:
- CONFIG_MITIGATION_SRSO to guard against a known vulnerability found on
  AMD processors (Zen generations 1-4) for sure, maybe others. This is
  tracked under CVE-2023-20569.
- CONFIG_MITIGATION_ITS to guard against a bug in BPU on some Intel CPUs
  that may allow Spectre V2 style attacks. We never enabled this option
  (and its dependencies).
- CONFIG_MITIGATION_SRBDS to guard against Special Register Buffer Data
  Sampling on affected Intel CPUs (CVE-2020-0543), preventing cross-core
  leakage of RDRAND/RDSEED/EGETKEY values.
- CONFIG_MITIGATION_SLS to guard against Spectre-v4 gadgets on x86 by
  inserting speculation barriers around RET/JMP/CALL sites when required
  by CPU/microcode state.
- CONFIG_MITIGATION_CALL_DEPTH_TRACKING to guard against speculative
  call-stack underflow on x86 by enabling hardware-assisted depth
  tracking where supported, reducing exposure to RET-based misprediction
  attacks.
- CONFIG_MITIGATION_UNRET_ENTRY to guard against RET-based speculation
  attacks on x86 by replacing vulnerable function returns in kernel
  entry paths with UNRET sequences when required by CPU/microcode state.

Signed-off-by: John Audia <therealgraysky@proton.me>
Link: https://github.com/openwrt/openwrt/pull/21078
Signed-off-by: Robert Marko <robimarko@gmail.com>
This commit is contained in:
John Audia 2026-01-05 15:02:37 -05:00 committed by Robert Marko
parent 8a7417ef95
commit c9075798cc
2 changed files with 8 additions and 2 deletions
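As an added check that is not part of this commit: the script below reads the kernel's own runtime view of the mitigations this change enables, from the sysfs files under /sys/devices/system/cpu/vulnerabilities/, so that after booting the new config one can confirm which entries still report Vulnerable. The sysfs entry names are the upstream ones; which CONFIG_ option each entry reflects is my assumed mapping, not something stated by the commit.

```shell
#!/bin/sh
# Added example (not part of the OpenWrt commit). Reports the kernel's runtime
# status for the mitigations enabled by this change, using the sysfs files the
# upstream kernel exports. Entry names are upstream; the CONFIG_ mapping is an
# assumption made for this check.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# sysfs entry -> config option(s) whose effect it reflects (assumed mapping)
VULN_FILES="spec_rstack_overflow:CONFIG_MITIGATION_SRSO
indirect_target_selection:CONFIG_MITIGATION_ITS
srbds:CONFIG_MITIGATION_SRBDS
retbleed:CONFIG_MITIGATION_UNRET_ENTRY/CALL_DEPTH_TRACKING
spectre_v2:CONFIG_MITIGATION_RETHUNK/RETPOLINE"

# is_vulnerable <dir> <entry>: true when the kernel still reports "Vulnerable"
is_vulnerable() {
    [ -r "$1/$2" ] && grep -q '^Vulnerable' "$1/$2"
}

# count_vulnerable <dir>: print how many listed entries report Vulnerable.
# A missing file means this kernel does not know the bug, so it is not counted.
count_vulnerable() {
    n=0
    for pair in $VULN_FILES; do
        entry="${pair%%:*}"
        if is_vulnerable "$1" "$entry"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# report <dir>: one line per entry with the kernel's own status string
report() {
    for pair in $VULN_FILES; do
        entry="${pair%%:*}"; opt="${pair#*:}"
        if [ -r "$1/$entry" ]; then
            status=$(cat "$1/$entry")
        else
            status="(not exported by this kernel)"
        fi
        printf '%-26s %-46s %s\n' "$entry" "$opt" "$status"
    done
}

# Stand-alone use: print the report for the running kernel, if sysfs is present.
if [ -d "$VULN_DIR" ]; then report "$VULN_DIR"; fi
```

Point VULN_DIR at a copied directory to inspect another system's sysfs snapshot offline.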


@ -73,6 +73,7 @@ CONFIG_BLK_MQ_VIRTIO=y
CONFIG_BLK_PM=y
CONFIG_BOOT_VESA_SUPPORT=y
CONFIG_BTT=y
# CONFIG_CALL_THUNKS_DEBUG is not set
CONFIG_CDROM=y
CONFIG_CGROUP_HUGETLB=y
CONFIG_CONNECTOR=y
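Review bot: leaving CONFIG_CALL_THUNKS_DEBUG unset is the right call; the symbol only became visible here because CONFIG_MITIGATION_CALL_DEPTH_TRACKING is turned on in the second hunk of this file, and it is a debug-only knob for the call-thunk machinery with no place in a release config. No change needed.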
@ -331,10 +332,15 @@ CONFIG_MFD_CORE=y
# CONFIG_MFD_INTEL_PMC_BXT is not set
CONFIG_MICROCODE_LATE_FORCE_MINREV=y
CONFIG_MICROCODE_LATE_LOADING=y
CONFIG_MITIGATION_CALL_DEPTH_TRACKING=y
CONFIG_MITIGATION_IBPB_ENTRY=y
CONFIG_MITIGATION_IBRS_ENTRY=y
CONFIG_MITIGATION_ITS=y
CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y
# CONFIG_MITIGATION_SLS is not set
CONFIG_MITIGATION_SLS=y
CONFIG_MITIGATION_SRBDS=y
CONFIG_MITIGATION_SRSO=y
CONFIG_MITIGATION_UNRET_ENTRY=y
CONFIG_MMC=y
CONFIG_MMCONF_FAM10H=y
CONFIG_MMC_BLOCK=y
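Review bot: the commit message claims these options "only activate on CPUs affected", but CONFIG_MITIGATION_SLS (flipped from "is not set" to =y here) is a compile-time change: the kernel is built with the compiler's straight-line-speculation hardening, so it affects every build regardless of CPU, and it mitigates straight-line speculation rather than Spectre-v4 as the "Detailed list" says. Please correct that entry, and note in the message that CONFIG_MITIGATION_ITS and CONFIG_MITIGATION_UNRET_ENTRY require CONFIG_MITIGATION_RETHUNK, which is what the change to the second file provides.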


@ -264,7 +264,7 @@ CONFIG_MITIGATION_L1TF=y
CONFIG_MITIGATION_MDS=y
CONFIG_MITIGATION_MMIO_STALE_DATA=y
CONFIG_MITIGATION_RETBLEED=y
# CONFIG_MITIGATION_RETHUNK is not set
CONFIG_MITIGATION_RETHUNK=y
CONFIG_MITIGATION_RETPOLINE=y
CONFIG_MITIGATION_RFDS=y
CONFIG_MITIGATION_SPECTRE_BHI=y
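Review bot: enabling CONFIG_MITIGATION_RETHUNK is required by the options added in the other file, yet it is absent from the commit message's "Detailed list"; add a line saying it is the return-thunk infrastructure those options build on. Since RETHUNK is only selectable when the compiler supports return thunks, it is also worth confirming the OpenWrt x86 toolchain does, as otherwise oldconfig would silently drop this symbol and every option depending on it.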