This option will expose a sysctl allowing PTI to be adjusted per process at run time.
Signed-off-by: Willy Tarreau <[email protected]> Cc: Andy Lutomirski <[email protected]> Cc: Borislav Petkov <[email protected]> Cc: Brian Gerst <[email protected]> Cc: Dave Hansen <[email protected]> Cc: Ingo Molnar <[email protected]> Cc: Linus Torvalds <[email protected]> Cc: Peter Zijlstra <[email protected]> Cc: Thomas Gleixner <[email protected]> Cc: Josh Poimboeuf <[email protected]> Cc: "H. Peter Anvin" <[email protected]> Cc: Kees Cook <[email protected]> --- security/Kconfig | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/security/Kconfig b/security/Kconfig index 3d4debd..64adb48 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -65,6 +65,18 @@ config PAGE_TABLE_ISOLATION See Documentation/x86/pagetable-isolation.txt for more details. +config PER_PROCESS_PTI + bool "Allow page table isolation to be adjusted per process" + default n + depends on PAGE_TABLE_ISOLATION + help + This feature exposes a sysctl permitting administrators to + specifically exempt certain critical tasks from the PTI + protection at the risk of trading security for a marginal + performance increase for I/O intensive applications. + + If you are unsure how to answer this question, answer N. + config SECURITY_INFINIBAND bool "Infiniband Security Hooks" depends on SECURITY && INFINIBAND -- 1.7.12.1
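
Review bot: The help text of PER_PROCESS_PTI says the feature "exposes a sysctl" but never names it, and does not say how a task is marked as exempt or which privilege is needed to do so. Someone deciding on this option from the Kconfig prompt cannot tell what interface they are enabling. Please name the sysctl and the required capability in the help text, and state concretely what an exempted task gives up (the isolation described in Documentation/x86/pagetable-isolation.txt) rather than only "trading security". Since the diffstat shows only security/Kconfig changed, the symbol has no users in this patch; consider folding it into the patch that adds the sysctl so the option and its behaviour can be reviewed together. Minor style point: "default n" is redundant for a bool, which already defaults to n, and can be dropped.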

