From 821cb0b829e28d2042efc4e22d5d79925626f4b1 Mon Sep 17 00:00:00 2001
From: Rolf Neugebauer
Date: Wed, 3 Jan 2018 11:14:18 +0000
Subject: [PATCH] kernel: Enable KPTI for 4.14 on x86_64

This is the new Kernel Page Table Isolation (KPTI, formerly KAISER)
introduced with 4.14.11 (and in 4.15.rcX). KPTI runs the kernel and
userspace off separate pagetables (and uses PCID on more recent
processors to minimise the TLB flush penalty). It comes with a
performance hit but is enabled by default as a workaround for some
serious, not yet disclosed, bug in Intel processors.

When enabled in the kernel config, KPTI will be dynamically enabled at
boot time depending on the CPU it is executing on (currently all Intel
x86 CPUs). Depending on the environment, you may choose to disable it
using 'pti=off' on the kernel commandline.

Signed-off-by: Rolf Neugebauer
---
 kernel/config-4.14.x-x86_64 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/config-4.14.x-x86_64 b/kernel/config-4.14.x-x86_64
index eb95778fc..892e244c6 100644
--- a/kernel/config-4.14.x-x86_64
+++ b/kernel/config-4.14.x-x86_64
@@ -3857,6 +3857,7 @@ CONFIG_SECURITY=y # CONFIG_SECURITY_WRITABLE_HOOKS is not set CONFIG_SECURITYFS=y CONFIG_SECURITY_NETWORK=y +CONFIG_PAGE_TABLE_ISOLATION=y CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_PATH=y CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
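Review bot: the added `+CONFIG_PAGE_TABLE_ISOLATION=y` only has effect if the kernel this config is built against already carries the KPTI backport; the commit message says the symbol arrived with 4.14.11, but the diff touches only `kernel/config-4.14.x-x86_64` and shows no corresponding version bump, and Kconfig silently drops a `CONFIG_` line it does not recognise rather than failing the build. Please confirm the 4.14.x kernel pinned by this repository is at least 4.14.11 in the same change (or note the dependency in the commit message), and state that the file was regenerated with `make olddefconfig` against that tree rather than edited by hand, so the symbol's position in the `CONFIG_SECURITY_*` block matches what Kconfig emits and the next regeneration does not produce a spurious reorder. It would also help to record in the commit message how the result was verified at runtime, for example the `Kernel/User page tables isolation: enabled` line in dmesg or the `pti` flag in /proc/cpuinfo, since with `pti=off` available on the commandline a `=y` in the config alone does not guarantee the mitigation is active on a given boot.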