On 11/26/2017 03:14 PM, Thomas Gleixner wrote:
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -56,7 +56,7 @@ config SECURITY_NETWORK
>  
>  config KAISER
>       bool "Remove the kernel mapping in user mode"
> -     depends on X86_64 && SMP && !PARAVIRT
> +     depends on X86_64 && SMP && !PARAVIRT && JUMP_LABEL
>       help
>         This feature reduces the number of hardware side channels by
>         ensuring that the majority of kernel addresses are not mapped
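
Review bot: the new `&& JUMP_LABEL` term on the `depends on` line makes KAISER silently unselectable in any config where JUMP_LABEL is off, so a build can lose this hardening option with no warning. The help text should state the requirement, or the code should fall back to an ordinary runtime branch when jump labels are unavailable. The `!PARAVIRT` term is also still present on that line, so the Xen restriction is not lifted by this hunk.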

One of the reasons for doing the runtime-disable was to get rid of the
!PARAVIRT dependency.  I can add a follow-on here that will act as if we
did "nokaiser" whenever Xen is in play so we can remove this dependency.

I just hope Xen is detectable early enough to do the static patching.
