From 82f3f9ae9a8e0519af40f55322f996c827a67f1d Mon Sep 17 00:00:00 2001
From: Rolf Neugebauer
Date: Thu, 1 Feb 2018 13:45:58 +0000
Subject: [PATCH] kernel: Enable new BPF_JIT_ALWAYS_ON

This option is not enabled by default, but disables the BPF interpreter which can be used to inject speculative execution into the kernel. Enabled it as it seems like a good security measure.

Signed-off-by: Rolf Neugebauer
---
 kernel/config-4.14.x-aarch64 | 1 +
 kernel/config-4.14.x-x86_64 | 1 +
 kernel/config-4.9.x-aarch64 | 1 +
 kernel/config-4.9.x-x86_64 | 1 +
 4 files changed, 4 insertions(+)

diff --git a/kernel/config-4.14.x-aarch64 b/kernel/config-4.14.x-aarch64
index ec4bf79c0..4565196ee 100644
--- a/kernel/config-4.14.x-aarch64
+++ b/kernel/config-4.14.x-aarch64
@@ -199,6 +199,7 @@ CONFIG_SIGNALFD=y
 CONFIG_TIMERFD=y
 CONFIG_EVENTFD=y
 CONFIG_BPF_SYSCALL=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
 CONFIG_ADVISE_SYSCALLS=y
diff --git a/kernel/config-4.14.x-x86_64 b/kernel/config-4.14.x-x86_64
index 047d3e9fa..edfe0af6d 100644
--- a/kernel/config-4.14.x-x86_64
+++ b/kernel/config-4.14.x-x86_64
@@ -224,6 +224,7 @@ CONFIG_SIGNALFD=y
 CONFIG_TIMERFD=y
 CONFIG_EVENTFD=y
 CONFIG_BPF_SYSCALL=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
 CONFIG_ADVISE_SYSCALLS=y
diff --git a/kernel/config-4.9.x-aarch64 b/kernel/config-4.9.x-aarch64
index 4ea0aa75c..b14d2376a 100644
--- a/kernel/config-4.9.x-aarch64
+++ b/kernel/config-4.9.x-aarch64
@@ -188,6 +188,7 @@ CONFIG_SIGNALFD=y
 CONFIG_TIMERFD=y
 CONFIG_EVENTFD=y
 CONFIG_BPF_SYSCALL=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
 CONFIG_ADVISE_SYSCALLS=y
diff --git a/kernel/config-4.9.x-x86_64 b/kernel/config-4.9.x-x86_64
index c24ae1ad5..ddab36bdf 100644
--- a/kernel/config-4.9.x-x86_64
+++ b/kernel/config-4.9.x-x86_64
@@ -217,6 +217,7 @@ CONFIG_SIGNALFD=y
 CONFIG_TIMERFD=y
 CONFIG_EVENTFD=y
 CONFIG_BPF_SYSCALL=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
 CONFIG_ADVISE_SYSCALLS=y
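Review bot: BPF_JIT_ALWAYS_ON depends on CONFIG_BPF_JIT (and on the arch advertising HAVE_EBPF_JIT), and neither this hunk nor the rest of the commit shows `CONFIG_BPF_JIT=y` in kernel/config-4.14.x-aarch64; if that symbol is not set, Kconfig silently drops the added line on regeneration and the interpreter stays in the kernel with no build error. Please confirm `CONFIG_BPF_JIT=y` is present in this file and verify the effect on the built kernel (`CONFIG_BPF_JIT_ALWAYS_ON=y` in the generated .config and `net.core.bpf_jit_enable` pinned to 1) rather than trusting the line's presence in the fragment. A one-line note in the commit message recording that check would make the hardening claim auditable later.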
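Review bot: Once the interpreter is compiled out, the JIT becomes the only execution path for every BPF program on kernel/config-4.14.x-x86_64, so the JIT-spraying exposure that the `net.core.bpf_jit_harden` sysctl exists to limit (constant blinding) is now unconditional instead of opt-in. This commit only touches the kernel config, and I cannot see the image's sysctl settings from here; if `net.core.bpf_jit_harden=2` is not already applied at boot, it is worth adding alongside this change so the trade-off is deliberate. The cost is a small per-program JIT overhead, which is usually acceptable for a hardened image.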
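Review bot: BPF_JIT_ALWAYS_ON was added upstream after 4.9 and only reached the 4.9 stable series through a later point release (4.9.77, if I recall correctly), so the line added to kernel/config-4.9.x-aarch64 is only meaningful if the tracked 4.9.x tree already carries that backport; on an older 4.9 the symbol is unknown and Kconfig discards it without any diagnostic. Please check the 4.9.x version this config is built against (a `grep -r BPF_JIT_ALWAYS_ON` of its kernel/bpf/Kconfig or init/Kconfig, or the generated .config) and record the minimum point release in the commit message, since a later downgrade of the pinned kernel would silently undo this mitigation.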
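Review bot: The stated goal is to remove the interpreter as a speculative-execution target, but the JIT that remains in kernel/config-4.9.x-x86_64 is still reachable by unprivileged processes through the bpf() syscall that the `CONFIG_BPF_SYSCALL=y` context line enables, so this narrows the attack surface rather than closing it. If the image does not already set `kernel.unprivileged_bpf_disabled=1` at boot, consider adding it alongside this change; that setting lives outside these config files, so I have not been able to confirm it from the diff. I would also expect the commit message to say "Enable it" rather than "Enabled it" and to name the interpreter-based Spectre-style gadget it is removing, so the rationale survives a future config refresh.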