mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2025-01-09 23:39:18 +00:00
c1821c2e97
This provides a noexec protection on s390 hardware. Our hardware does not have any bits left in the pte for a hw noexec bit, so this is a different approach using shadow page tables and a special addressing mode that allows separate address spaces for code and data. As a special feature of our "secondary-space" addressing mode, separate page tables can be specified for the translation of data addresses (storage operands) and instruction addresses. The shadow page table is used for the instruction addresses and the standard page table for the data addresses. The shadow page table is linked to the standard page table by a pointer in page->lru.next of the struct page corresponding to the page that contains the standard page table (since page->private is not really private with the pte_lock and the page table pages are not in the LRU list). Depending on the software bits of a pte, it is either inserted into both page tables or just into the standard (data) page table. Pages of a vma that does not have the VM_EXEC bit set get mapped only in the data address space. Any try to execute code on such a page will cause a page translation exception. The standard reaction to this is a SIGSEGV with two exceptions: the two system call opcodes 0x0a77 (sys_sigreturn) and 0x0aad (sys_rt_sigreturn) are allowed. They are stored by the kernel to the signal stack frame. Unfortunately, the signal return mechanism cannot be modified to use an SA_RESTORER because the exception unwinding code depends on the system call opcode stored behind the signal stack frame. This feature requires that user space is executed in secondary-space mode and the kernel in home-space mode, which means that the addressing modes need to be switched and that the noexec protection only works for user space. After switching the addressing modes, we cannot use the mvcp/mvcs instructions anymore to copy between kernel and user space. A new mvcos instruction has been added to the z9 EC/BC hardware which allows to copy between arbitrary address spaces, but on older hardware the page tables need to be walked manually. Signed-off-by: Gerald Schaefer <geraldsc@de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
555 lines
16 KiB
Plaintext
555 lines
16 KiB
Plaintext
#
|
|
# For a description of the syntax of this configuration file,
|
|
# see Documentation/kbuild/kconfig-language.txt.
|
|
#
|
|
|
|
config MMU
|
|
bool
|
|
default y
|
|
|
|
config LOCKDEP_SUPPORT
|
|
bool
|
|
default y
|
|
|
|
config STACKTRACE_SUPPORT
|
|
bool
|
|
default y
|
|
|
|
config RWSEM_GENERIC_SPINLOCK
|
|
bool
|
|
|
|
config RWSEM_XCHGADD_ALGORITHM
|
|
bool
|
|
default y
|
|
|
|
config ARCH_HAS_ILOG2_U32
|
|
bool
|
|
default n
|
|
|
|
config ARCH_HAS_ILOG2_U64
|
|
bool
|
|
default n
|
|
|
|
config GENERIC_HWEIGHT
|
|
bool
|
|
default y
|
|
|
|
config GENERIC_CALIBRATE_DELAY
|
|
bool
|
|
default y
|
|
|
|
config GENERIC_TIME
|
|
def_bool y
|
|
|
|
mainmenu "Linux Kernel Configuration"
|
|
|
|
config S390
|
|
bool
|
|
default y
|
|
|
|
source "init/Kconfig"
|
|
|
|
menu "Base setup"
|
|
|
|
comment "Processor type and features"
|
|
|
|
config 64BIT
|
|
bool "64 bit kernel"
|
|
help
|
|
Select this option if you have a 64 bit IBM zSeries machine
|
|
and want to use the 64 bit addressing mode.
|
|
|
|
config 32BIT
|
|
bool
|
|
default y if !64BIT
|
|
|
|
config SMP
|
|
bool "Symmetric multi-processing support"
|
|
---help---
|
|
This enables support for systems with more than one CPU. If you have
|
|
a system with only one CPU, like most personal computers, say N. If
|
|
you have a system with more than one CPU, say Y.
|
|
|
|
If you say N here, the kernel will run on single and multiprocessor
|
|
machines, but will use only one CPU of a multiprocessor machine. If
|
|
you say Y here, the kernel will run on many, but not all,
|
|
singleprocessor machines. On a singleprocessor machine, the kernel
|
|
will run faster if you say N here.
|
|
|
|
See also the <file:Documentation/smp.txt> and the SMP-HOWTO
|
|
available at <http://www.tldp.org/docs.html#howto>.
|
|
|
|
Even if you don't know what to do here, say Y.
|
|
|
|
config NR_CPUS
|
|
int "Maximum number of CPUs (2-64)"
|
|
range 2 64
|
|
depends on SMP
|
|
default "32"
|
|
help
|
|
This allows you to specify the maximum number of CPUs which this
|
|
kernel will support. The maximum supported value is 64 and the
|
|
minimum value which makes sense is 2.
|
|
|
|
This is purely to save memory - each supported CPU adds
|
|
approximately sixteen kilobytes to the kernel image.
|
|
|
|
config HOTPLUG_CPU
|
|
bool "Support for hot-pluggable CPUs"
|
|
depends on SMP
|
|
select HOTPLUG
|
|
default n
|
|
help
|
|
Say Y here to be able to turn CPUs off and on. CPUs
|
|
can be controlled through /sys/devices/system/cpu/cpu#.
|
|
Say N if you want to disable CPU hotplug.
|
|
|
|
config DEFAULT_MIGRATION_COST
|
|
int
|
|
default "1000000"
|
|
|
|
config MATHEMU
|
|
bool "IEEE FPU emulation"
|
|
depends on MARCH_G5
|
|
help
|
|
This option is required for IEEE compliant floating point arithmetic
|
|
on older S/390 machines. Say Y unless you know your machine doesn't
|
|
need this.
|
|
|
|
config COMPAT
|
|
bool "Kernel support for 31 bit emulation"
|
|
depends on 64BIT
|
|
help
|
|
Select this option if you want to enable your system kernel to
|
|
handle system-calls from ELF binaries for 31 bit ESA. This option
|
|
(and some other stuff like libraries and such) is needed for
|
|
executing 31 bit applications. It is safe to say "Y".
|
|
|
|
config SYSVIPC_COMPAT
|
|
bool
|
|
depends on COMPAT && SYSVIPC
|
|
default y
|
|
|
|
config AUDIT_ARCH
|
|
bool
|
|
default y
|
|
|
|
config S390_SWITCH_AMODE
|
|
bool "Switch kernel/user addressing modes"
|
|
help
|
|
This option allows to switch the addressing modes of kernel and user
|
|
space. The kernel parameter switch_amode=on will enable this feature,
|
|
default is disabled. Enabling this (via kernel parameter) on machines
|
|
earlier than IBM System z9-109 EC/BC will reduce system performance.
|
|
|
|
Note that this option will also be selected by selecting the execute
|
|
protection option below. Enabling the execute protection via the
|
|
noexec kernel parameter will also switch the addressing modes,
|
|
independent of the switch_amode kernel parameter.
|
|
|
|
|
|
config S390_EXEC_PROTECT
|
|
bool "Data execute protection"
|
|
select S390_SWITCH_AMODE
|
|
help
|
|
This option allows to enable a buffer overflow protection for user
|
|
space programs and it also selects the addressing mode option above.
|
|
The kernel parameter noexec=on will enable this feature and also
|
|
switch the addressing modes, default is disabled. Enabling this (via
|
|
kernel parameter) on machines earlier than IBM System z9-109 EC/BC
|
|
will reduce system performance.
|
|
|
|
comment "Code generation options"
|
|
|
|
choice
|
|
prompt "Processor type"
|
|
default MARCH_G5
|
|
|
|
config MARCH_G5
|
|
bool "S/390 model G5 and G6"
|
|
depends on !64BIT
|
|
help
|
|
Select this to build a 31 bit kernel that works
|
|
on all S/390 and zSeries machines.
|
|
|
|
config MARCH_Z900
|
|
bool "IBM eServer zSeries model z800 and z900"
|
|
help
|
|
Select this to optimize for zSeries machines. This
|
|
will enable some optimizations that are not available
|
|
on older 31 bit only CPUs.
|
|
|
|
config MARCH_Z990
|
|
bool "IBM eServer zSeries model z890 and z990"
|
|
help
|
|
Select this enable optimizations for model z890/z990.
|
|
This will be slightly faster but does not work on
|
|
older machines such as the z900.
|
|
|
|
config MARCH_Z9_109
|
|
bool "IBM System z9"
|
|
help
|
|
Select this to enable optimizations for IBM System z9-109, IBM
|
|
System z9 Enterprise Class (z9 EC), and IBM System z9 Business
|
|
Class (z9 BC). The kernel will be slightly faster but will not
|
|
work on older machines such as the z990, z890, z900, and z800.
|
|
|
|
endchoice
|
|
|
|
config PACK_STACK
|
|
bool "Pack kernel stack"
|
|
help
|
|
This option enables the compiler option -mkernel-backchain if it
|
|
is available. If the option is available the compiler supports
|
|
the new stack layout which dramatically reduces the minimum stack
|
|
frame size. With an old compiler a non-leaf function needs a
|
|
minimum of 96 bytes on 31 bit and 160 bytes on 64 bit. With
|
|
-mkernel-backchain the minimum size drops to 16 byte on 31 bit
|
|
and 24 byte on 64 bit.
|
|
|
|
Say Y if you are unsure.
|
|
|
|
config SMALL_STACK
|
|
bool "Use 4kb/8kb for kernel stack instead of 8kb/16kb"
|
|
depends on PACK_STACK && !LOCKDEP
|
|
help
|
|
If you say Y here and the compiler supports the -mkernel-backchain
|
|
option the kernel will use a smaller kernel stack size. For 31 bit
|
|
the reduced size is 4kb instead of 8kb and for 64 bit it is 8kb
|
|
instead of 16kb. This allows to run more thread on a system and
|
|
reduces the pressure on the memory management for higher order
|
|
page allocations.
|
|
|
|
Say N if you are unsure.
|
|
|
|
|
|
config CHECK_STACK
|
|
bool "Detect kernel stack overflow"
|
|
help
|
|
This option enables the compiler option -mstack-guard and
|
|
-mstack-size if they are available. If the compiler supports them
|
|
it will emit additional code to each function prolog to trigger
|
|
an illegal operation if the kernel stack is about to overflow.
|
|
|
|
Say N if you are unsure.
|
|
|
|
config STACK_GUARD
|
|
int "Size of the guard area (128-1024)"
|
|
range 128 1024
|
|
depends on CHECK_STACK
|
|
default "256"
|
|
help
|
|
This allows you to specify the size of the guard area at the lower
|
|
end of the kernel stack. If the kernel stack points into the guard
|
|
area on function entry an illegal operation is triggered. The size
|
|
needs to be a power of 2. Please keep in mind that the size of an
|
|
interrupt frame is 184 bytes for 31 bit and 328 bytes on 64 bit.
|
|
The minimum size for the stack guard should be 256 for 31 bit and
|
|
512 for 64 bit.
|
|
|
|
config WARN_STACK
|
|
bool "Emit compiler warnings for function with broken stack usage"
|
|
help
|
|
This option enables the compiler options -mwarn-framesize and
|
|
-mwarn-dynamicstack. If the compiler supports these options it
|
|
will generate warnings for function which either use alloca or
|
|
create a stack frame bigger then CONFIG_WARN_STACK_SIZE.
|
|
|
|
Say N if you are unsure.
|
|
|
|
config WARN_STACK_SIZE
|
|
int "Maximum frame size considered safe (128-2048)"
|
|
range 128 2048
|
|
depends on WARN_STACK
|
|
default "256"
|
|
help
|
|
This allows you to specify the maximum frame size a function may
|
|
have without the compiler complaining about it.
|
|
|
|
config ARCH_POPULATES_NODE_MAP
|
|
def_bool y
|
|
|
|
source "mm/Kconfig"
|
|
|
|
config HOLES_IN_ZONE
|
|
def_bool y
|
|
|
|
comment "I/O subsystem configuration"
|
|
|
|
config MACHCHK_WARNING
|
|
bool "Process warning machine checks"
|
|
help
|
|
Select this option if you want the machine check handler on IBM S/390 or
|
|
zSeries to process warning machine checks (e.g. on power failures).
|
|
If unsure, say "Y".
|
|
|
|
config QDIO
|
|
tristate "QDIO support"
|
|
---help---
|
|
This driver provides the Queued Direct I/O base support for
|
|
IBM mainframes.
|
|
|
|
For details please refer to the documentation provided by IBM at
|
|
<http://www10.software.ibm.com/developerworks/opensource/linux390>
|
|
|
|
To compile this driver as a module, choose M here: the
|
|
module will be called qdio.
|
|
|
|
If unsure, say Y.
|
|
|
|
config QDIO_DEBUG
|
|
bool "Extended debugging information"
|
|
depends on QDIO
|
|
help
|
|
Say Y here to get extended debugging output in
|
|
/sys/kernel/debug/s390dbf/qdio...
|
|
Warning: this option reduces the performance of the QDIO module.
|
|
|
|
If unsure, say N.
|
|
|
|
comment "Misc"
|
|
|
|
config PREEMPT
|
|
bool "Preemptible Kernel"
|
|
help
|
|
This option reduces the latency of the kernel when reacting to
|
|
real-time or interactive events by allowing a low priority process to
|
|
be preempted even if it is in kernel mode executing a system call.
|
|
This allows applications to run more reliably even when the system is
|
|
under load.
|
|
|
|
Say N if you are unsure.
|
|
|
|
config IPL
|
|
bool "Builtin IPL record support"
|
|
help
|
|
If you want to use the produced kernel to IPL directly from a
|
|
device, you have to merge a bootsector specific to the device
|
|
into the first bytes of the kernel. You will have to select the
|
|
IPL device.
|
|
|
|
choice
|
|
prompt "IPL method generated into head.S"
|
|
depends on IPL
|
|
default IPL_TAPE
|
|
help
|
|
Select "tape" if you want to IPL the image from a Tape.
|
|
|
|
Select "vm_reader" if you are running under VM/ESA and want
|
|
to IPL the image from the emulated card reader.
|
|
|
|
config IPL_TAPE
|
|
bool "tape"
|
|
|
|
config IPL_VM
|
|
bool "vm_reader"
|
|
|
|
endchoice
|
|
|
|
source "fs/Kconfig.binfmt"
|
|
|
|
config PROCESS_DEBUG
|
|
bool "Show crashed user process info"
|
|
help
|
|
Say Y to print all process fault locations to the console. This is
|
|
a debugging option; you probably do not want to set it unless you
|
|
are an S390 port maintainer.
|
|
|
|
config PFAULT
|
|
bool "Pseudo page fault support"
|
|
help
|
|
Select this option, if you want to use PFAULT pseudo page fault
|
|
handling under VM. If running native or in LPAR, this option
|
|
has no effect. If your VM does not support PFAULT, PAGEEX
|
|
pseudo page fault handling will be used.
|
|
Note that VM 4.2 supports PFAULT but has a bug in its
|
|
implementation that causes some problems.
|
|
Everybody who wants to run Linux under VM != VM4.2 should select
|
|
this option.
|
|
|
|
config SHARED_KERNEL
|
|
bool "VM shared kernel support"
|
|
help
|
|
Select this option, if you want to share the text segment of the
|
|
Linux kernel between different VM guests. This reduces memory
|
|
usage with lots of guests but greatly increases kernel size.
|
|
You should only select this option if you know what you are
|
|
doing and want to exploit this feature.
|
|
|
|
config CMM
|
|
tristate "Cooperative memory management"
|
|
help
|
|
Select this option, if you want to enable the kernel interface
|
|
to reduce the memory size of the system. This is accomplished
|
|
by allocating pages of memory and put them "on hold". This only
|
|
makes sense for a system running under VM where the unused pages
|
|
will be reused by VM for other guest systems. The interface
|
|
allows an external monitor to balance memory of many systems.
|
|
Everybody who wants to run Linux under VM should select this
|
|
option.
|
|
|
|
config CMM_PROC
|
|
bool "/proc interface to cooperative memory management"
|
|
depends on CMM
|
|
help
|
|
Select this option to enable the /proc interface to the
|
|
cooperative memory management.
|
|
|
|
config CMM_IUCV
|
|
bool "IUCV special message interface to cooperative memory management"
|
|
depends on CMM && (SMSGIUCV=y || CMM=SMSGIUCV)
|
|
help
|
|
Select this option to enable the special message interface to
|
|
the cooperative memory management.
|
|
|
|
config VIRT_TIMER
|
|
bool "Virtual CPU timer support"
|
|
help
|
|
This provides a kernel interface for virtual CPU timers.
|
|
Default is disabled.
|
|
|
|
config VIRT_CPU_ACCOUNTING
|
|
bool "Base user process accounting on virtual cpu timer"
|
|
depends on VIRT_TIMER
|
|
help
|
|
Select this option to use CPU timer deltas to do user
|
|
process accounting.
|
|
|
|
config APPLDATA_BASE
|
|
bool "Linux - VM Monitor Stream, base infrastructure"
|
|
depends on PROC_FS && VIRT_TIMER=y
|
|
help
|
|
This provides a kernel interface for creating and updating z/VM APPLDATA
|
|
monitor records. The monitor records are updated at certain time
|
|
intervals, once the timer is started.
|
|
Writing 1 or 0 to /proc/appldata/timer starts(1) or stops(0) the timer,
|
|
i.e. enables or disables monitoring on the Linux side.
|
|
A custom interval value (in seconds) can be written to
|
|
/proc/appldata/interval.
|
|
|
|
Defaults are 60 seconds interval and timer off.
|
|
The /proc entries can also be read from, showing the current settings.
|
|
|
|
config APPLDATA_MEM
|
|
tristate "Monitor memory management statistics"
|
|
depends on APPLDATA_BASE && VM_EVENT_COUNTERS
|
|
help
|
|
This provides memory management related data to the Linux - VM Monitor
|
|
Stream, like paging/swapping rate, memory utilisation, etc.
|
|
Writing 1 or 0 to /proc/appldata/memory creates(1) or removes(0) a z/VM
|
|
APPLDATA monitor record, i.e. enables or disables monitoring this record
|
|
on the z/VM side.
|
|
|
|
Default is disabled.
|
|
The /proc entry can also be read from, showing the current settings.
|
|
|
|
This can also be compiled as a module, which will be called
|
|
appldata_mem.o.
|
|
|
|
config APPLDATA_OS
|
|
tristate "Monitor OS statistics"
|
|
depends on APPLDATA_BASE
|
|
help
|
|
This provides OS related data to the Linux - VM Monitor Stream, like
|
|
CPU utilisation, etc.
|
|
Writing 1 or 0 to /proc/appldata/os creates(1) or removes(0) a z/VM
|
|
APPLDATA monitor record, i.e. enables or disables monitoring this record
|
|
on the z/VM side.
|
|
|
|
Default is disabled.
|
|
This can also be compiled as a module, which will be called
|
|
appldata_os.o.
|
|
|
|
config APPLDATA_NET_SUM
|
|
tristate "Monitor overall network statistics"
|
|
depends on APPLDATA_BASE
|
|
help
|
|
This provides network related data to the Linux - VM Monitor Stream,
|
|
currently there is only a total sum of network I/O statistics, no
|
|
per-interface data.
|
|
Writing 1 or 0 to /proc/appldata/net_sum creates(1) or removes(0) a z/VM
|
|
APPLDATA monitor record, i.e. enables or disables monitoring this record
|
|
on the z/VM side.
|
|
|
|
Default is disabled.
|
|
This can also be compiled as a module, which will be called
|
|
appldata_net_sum.o.
|
|
|
|
config NO_IDLE_HZ
|
|
bool "No HZ timer ticks in idle"
|
|
help
|
|
Switches the regular HZ timer off when the system is going idle.
|
|
This helps z/VM to detect that the Linux system is idle. VM can
|
|
then "swap-out" this guest which reduces memory usage. It also
|
|
reduces the overhead of idle systems.
|
|
|
|
The HZ timer can be switched on/off via /proc/sys/kernel/hz_timer.
|
|
hz_timer=0 means HZ timer is disabled. hz_timer=1 means HZ
|
|
timer is active.
|
|
|
|
config NO_IDLE_HZ_INIT
|
|
bool "HZ timer in idle off by default"
|
|
depends on NO_IDLE_HZ
|
|
help
|
|
The HZ timer is switched off in idle by default. That means the
|
|
HZ timer is already disabled at boot time.
|
|
|
|
config S390_HYPFS_FS
|
|
bool "s390 hypervisor file system support"
|
|
select SYS_HYPERVISOR
|
|
default y
|
|
help
|
|
This is a virtual file system intended to provide accounting
|
|
information in an s390 hypervisor environment.
|
|
|
|
config KEXEC
|
|
bool "kexec system call"
|
|
help
|
|
kexec is a system call that implements the ability to shutdown your
|
|
current kernel, and to start another kernel. It is like a reboot
|
|
but is independent of hardware/microcode support.
|
|
|
|
endmenu
|
|
|
|
source "net/Kconfig"
|
|
|
|
config PCMCIA
|
|
bool
|
|
default n
|
|
|
|
source "drivers/base/Kconfig"
|
|
|
|
source "drivers/connector/Kconfig"
|
|
|
|
source "drivers/scsi/Kconfig"
|
|
|
|
source "drivers/s390/Kconfig"
|
|
|
|
source "drivers/net/Kconfig"
|
|
|
|
source "fs/Kconfig"
|
|
|
|
menu "Instrumentation Support"
|
|
|
|
source "arch/s390/oprofile/Kconfig"
|
|
|
|
config KPROBES
|
|
bool "Kprobes (EXPERIMENTAL)"
|
|
depends on EXPERIMENTAL && MODULES
|
|
help
|
|
Kprobes allows you to trap at almost any kernel address and
|
|
execute a callback function. register_kprobe() establishes
|
|
a probepoint and specifies the callback. Kprobes is useful
|
|
for kernel debugging, non-intrusive instrumentation and testing.
|
|
If in doubt, say "N".
|
|
|
|
endmenu
|
|
|
|
source "arch/s390/Kconfig.debug"
|
|
|
|
source "security/Kconfig"
|
|
|
|
source "crypto/Kconfig"
|
|
|
|
source "lib/Kconfig"
|