From c9075798cca162962f4472ebe793a3fddc940a35 Mon Sep 17 00:00:00 2001
From: John Audia
Date: Mon, 5 Jan 2026 15:02:37 -0500
Subject: [PATCH] x86/64: 6.18: enable recent MITIGATION options

These mitigations are low-overhead, upstream-supported hardening options that only activate on CPUs affected by their respective vulnerabilities. Enabling them provides consistent, defense-in-depth coverage across Intel and AMD systems without impacting unaffected hardware.

Detailed list:

- CONFIG_MITIGATION_SRSO to guard against a known vulnerability found on AMD processors (Zen generations 1-4) for sure, maybe others. This is tracked under CVE-2023-20569.
- CONFIG_MITIGATION_ITS to guard against a bug in the BPU on some Intel CPUs that may allow Spectre V2 style attacks. We never enabled this option (and its dependencies).
- CONFIG_MITIGATION_SRBDS to guard against Special Register Buffer Data Sampling on affected Intel CPUs (CVE-2020-0543), preventing cross-core leakage of RDRAND/RDSEED/EGETKEY values.
- CONFIG_MITIGATION_SLS to guard against Spectre-v4 gadgets on x86 by inserting speculation barriers around RET/JMP/CALL sites when required by CPU/microcode state.
- CONFIG_MITIGATION_CALL_DEPTH_TRACKING to guard against speculative call-stack underflow on x86 by enabling hardware-assisted depth tracking where supported, reducing exposure to RET-based misprediction attacks.
- CONFIG_MITIGATION_UNRET_ENTRY to guard against RET-based speculation attacks on x86 by replacing vulnerable function returns in kernel entry paths with UNRET sequences when required by CPU/microcode state.

Signed-off-by: John Audia
Link: https://github.com/openwrt/openwrt/pull/21078
Signed-off-by: Robert Marko
---
 target/linux/x86/64/config-6.18 | 8 +++++++-
 target/linux/x86/config-6.18    | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/target/linux/x86/64/config-6.18 b/target/linux/x86/64/config-6.18
index 14f63288e9..dce96966e7 100644
--- a/target/linux/x86/64/config-6.18
+++ b/target/linux/x86/64/config-6.18 @@ -73,6 +73,7 @@ CONFIG_BLK_MQ_VIRTIO=y CONFIG_BLK_PM=y CONFIG_BOOT_VESA_SUPPORT=y CONFIG_BTT=y +# CONFIG_CALL_THUNKS_DEBUG is not set CONFIG_CDROM=y CONFIG_CGROUP_HUGETLB=y CONFIG_CONNECTOR=y @@ -331,10 +332,15 @@ CONFIG_MFD_CORE=y # CONFIG_MFD_INTEL_PMC_BXT is not set CONFIG_MICROCODE_LATE_FORCE_MINREV=y CONFIG_MICROCODE_LATE_LOADING=y +CONFIG_MITIGATION_CALL_DEPTH_TRACKING=y CONFIG_MITIGATION_IBPB_ENTRY=y CONFIG_MITIGATION_IBRS_ENTRY=y +CONFIG_MITIGATION_ITS=y CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y -# CONFIG_MITIGATION_SLS is not set +CONFIG_MITIGATION_SLS=y +CONFIG_MITIGATION_SRBDS=y +CONFIG_MITIGATION_SRSO=y +CONFIG_MITIGATION_UNRET_ENTRY=y CONFIG_MMC=y CONFIG_MMCONF_FAM10H=y CONFIG_MMC_BLOCK=y diff --git a/target/linux/x86/config-6.18 b/target/linux/x86/config-6.18 index f8b45cdba1..9930e45c50 100644 --- a/target/linux/x86/config-6.18 +++ b/target/linux/x86/config-6.18 @@ -264,7 +264,7 @@ CONFIG_MITIGATION_L1TF=y CONFIG_MITIGATION_MDS=y CONFIG_MITIGATION_MMIO_STALE_DATA=y CONFIG_MITIGATION_RETBLEED=y -# CONFIG_MITIGATION_RETHUNK is not set +CONFIG_MITIGATION_RETHUNK=y CONFIG_MITIGATION_RETPOLINE=y CONFIG_MITIGATION_RFDS=y CONFIG_MITIGATION_SPECTRE_BHI=y
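Review bot: the new `# CONFIG_CALL_THUNKS_DEBUG is not set` line in the first hunk of target/linux/x86/64/config-6.18 is not mentioned in the commit message; it shows up because enabling CONFIG_MITIGATION_CALL_DEPTH_TRACKING exposes that debug option, and leaving it unset is the right choice for a production image since it only adds per-CPU accounting for the call-depth thunks. One sentence in the message noting it is a knock-on of the config refresh would keep the change self-describing.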
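Review bot: two of the "Detailed list" bullets do not match what the options turned on in the second hunk actually do, so the message should be reworded before merge. CONFIG_MITIGATION_SLS mitigates straight-line speculation (the compiler pads RET and indirect JMP with INT3), which is unrelated to Spectre-v4, and CONFIG_MITIGATION_CALL_DEPTH_TRACKING is a software scheme built on call thunks for CPUs whose return-stack-buffer underflow is not covered by IBRS, not hardware-assisted depth tracking. The hunk itself is fine: the new `=y` lines keep the file's alphabetical order, and the "only activate on affected CPUs" claim holds because these options compile in alternatives that are patched at boot based on the CPU and microcode. On a target board, `cat /sys/devices/system/cpu/vulnerabilities/*` after the upgrade is the quickest confirmation of which mitigations actually engaged and which report "Not affected".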
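Review bot: the flip of `# CONFIG_MITIGATION_RETHUNK is not set` to `CONFIG_MITIGATION_RETHUNK=y` in target/linux/x86/config-6.18 is absent from the commit message, even though it is the dependency that CONFIG_MITIGATION_UNRET_ENTRY, CONFIG_MITIGATION_CALL_DEPTH_TRACKING and CONFIG_MITIGATION_ITS pull in (return thunks replace every RET with a call to a patchable thunk), so it belongs in the "Detailed list". Since this file is the config shared by all x86 subtargets while the other new options live only in the 64-bit config, the message should also state that the remaining subtargets were refreshed against it and that their builds were checked with the option present.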