mirror of https://github.com/linuxkit/linuxkit.git (synced 2025-07-21 18:11:35 +00:00)
kernel: Enable KPTI for 4.14 on x86_64
This is the new Kernel Page Table Isolation (KPTI, formerly KAISER) introduced with 4.14.11 (and in 4.15.rcX). KPTI runs the kernel and userspace off separate pagetables (and uses PCID on more recent processors to minimise the TLB flush penalty). It comes with a performance hit but is enabled by default as a workaround for some serious, not yet disclosed, bug in Intel processors. When enabled in the kernel config, KPTI will be dynamically enabled at boot time depending on the CPU it is executing on (currently all Intel x86 CPUs). Depending on the environment, you may choose to disable it using 'pti=off' on the kernel commandline.

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
parent 7abc1df0ad
commit 821cb0b829
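Because the commit message says KPTI is only switched on dynamically at boot (and can be turned off again with `pti=off`), setting `CONFIG_PAGE_TABLE_ISOLATION=y` at build time does not by itself prove the mitigation is active on a running image. The script below is an added example, not part of the linuxkit commit or repository: it classifies the KPTI state from the sources a 4.14.11+/4.15 kernel exposes, namely `/sys/devices/system/cpu/vulnerabilities/meltdown`, the `pti` flag in `/proc/cpuinfo`, and the `pti=off`/`nopti` parameters on `/proc/cmdline`. It assumes those interfaces exist on the kernel under test; the sample inputs in the classifier are constructed.

```shell
#!/bin/sh
# Added example (not linuxkit's own code): decide whether KPTI is active on a
# running x86_64 kernel. Assumes the kernel exposes the meltdown sysfs file and
# the "pti" cpuinfo flag (upstream in 4.15, backported to 4.14 stable).

# classify_pti MELTDOWN_TEXT CMDLINE_TEXT CPUINFO_FLAGS
# Prints exactly one of:
#   enabled              KPTI is active
#   disabled-by-cmdline  kernel built with PTI but booted with pti=off / nopti
#   not-affected         CPU does not need PTI (kernel reports Not affected)
#   vulnerable           kernel says Vulnerable and no cmdline override seen,
#                        i.e. PTI is missing from the config or unsupported
#   unknown              none of the inputs gave a usable answer
classify_pti() {
    meltdown="$1"
    cmdline="$2"
    flags="$3"

    # The sysfs file is authoritative when present.
    case "$meltdown" in
        "Not affected"*)    echo "not-affected"; return 0 ;;
        "Mitigation: PTI"*) echo "enabled";      return 0 ;;
        "Vulnerable"*)
            case " $cmdline " in
                *" pti=off "*|*" nopti "*) echo "disabled-by-cmdline" ;;
                *)                          echo "vulnerable" ;;
            esac
            return 0 ;;
    esac

    # Older 4.14.11 builds without the sysfs file: fall back to the
    # cmdline override and then to the "pti" feature flag.
    case " $cmdline " in
        *" pti=off "*|*" nopti "*) echo "disabled-by-cmdline"; return 0 ;;
    esac
    case " $flags " in
        *" pti "*) echo "enabled"; return 0 ;;
    esac
    echo "unknown"
}

# check_pti_live: read the real files (each is optional) and classify.
check_pti_live() {
    m=""; c=""; f=""
    [ -r /sys/devices/system/cpu/vulnerabilities/meltdown ] && \
        m=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown)
    [ -r /proc/cmdline ] && c=$(cat /proc/cmdline)
    # First "flags" line of /proc/cpuinfo, without the "flags :" prefix.
    [ -r /proc/cpuinfo ] && f=$(sed -n '/^flags/{s/^[^:]*://;p;q;}' /proc/cpuinfo)
    classify_pti "$m" "$c" "$f"
}

# Run against the live system only when asked, so the functions can be
# sourced and exercised with constructed inputs without touching sysfs.
if [ "${1:-}" = "--live" ]; then
    check_pti_live
fi
```

Run it as `sh kpti-check.sh --live` inside the booted LinuxKit VM; a result other than `enabled` or `not-affected` on an Intel machine means the build-time option did not translate into a runtime mitigation and the cmdline or kernel version should be inspected.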
@ -3857,6 +3857,7 @@ CONFIG_SECURITY=y
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_PATH=y
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
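Review bot: `CONFIG_PAGE_TABLE_ISOLATION=y` is inserted by hand between `CONFIG_SECURITY_NETWORK=y` and `CONFIG_SECURITY_NETWORK_XFRM=y`, which is not where a generated config would place it; regenerate this file with `make olddefconfig` against a 4.14.11 or newer tree and commit the result, so the option lands in Kconfig order and its dependencies are confirmed (on a tree older than 4.14.11, where the commit message says the option first appeared, olddefconfig would silently drop the line and the build would proceed without PTI). Since the message also documents the `pti=off` override, the kernel docs should mention it alongside this config change.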