From: Alexander Popov Date: Thu, 13 Oct 2022 13:17:58 +0000 (+0300) Subject: Update the KSPP recommendations X-Git-Tag: v0.6.1~70 X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=86ca20532410ee24ff332b158a50aea99ee007d3;p=kconfig-hardened-check.git Update the KSPP recommendations --- diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config index 57ff9d7..349cf61 100644 --- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config +++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm.config @@ -1,5 +1,5 @@ # CONFIGs -# Linux/arm 5.14.0 Kernel Configuration +# Linux/arm 5.17.0 Kernel Configuration # Report BUG() conditions and kill the offending process. CONFIG_BUG=y @@ -38,9 +38,24 @@ CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. +# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y +# Provide userspace with Landlock MAC interface. +# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list. +CONFIG_SECURITY_LANDLOCK=y + +# Make sure SELinux cannot be disabled trivially. +# SECURITY_SELINUX_BOOTPARAM is not set +# SECURITY_SELINUX_DEVELOP is not set +# CONFIG_SECURITY_WRITABLE_HOOKS is not set + +# Enable "lockdown" LSM for bright line between the root user and kernel memory. +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y + # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set @@ -83,24 +98,54 @@ CONFIG_FORTIFY_SOURCE=y # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1) CONFIG_SECURITY_DMESG_RESTRICT=y +# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled. +CONFIG_UBSAN=y +CONFIG_UBSAN_TRAP=y +CONFIG_UBSAN_BOUNDS=y +CONFIG_UBSAN_SANITIZE_ALL=y +# CONFIG_UBSAN_SHIFT is not set +# CONFIG_UBSAN_DIV_ZERO is not set +# CONFIG_UBSAN_UNREACHABLE is not set +# CONFIG_UBSAN_BOOL is not set +# CONFIG_UBSAN_ENUM is not set +# CONFIG_UBSAN_ALIGNMENT is not set +# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set: +CONFIG_UBSAN_LOCAL_BOUNDS=y + +# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead. +CONFIG_KFENCE=y + # Randomize kernel stack offset on syscall entry (since v5.13). CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y -# Enable sampling-based overflow detection. This is similar to KASAN coverage, but with almost zero runtime overhead. -CONFIG_KFENCE=y - # Do not ignore compile-time warnings (since v5.15) CONFIG_WERROR=y +# Disable DMA between EFI hand-off and the kernel's IOMMU setup. +CONFIG_EFI_DISABLE_PCI_DMA=y + # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot) +CONFIG_IOMMU_SUPPORT=y CONFIG_IOMMU_DEFAULT_DMA_STRICT=y +# Enable feeding RNG entropy from TPM, if available. +CONFIG_HW_RANDOM_TPM=y + +# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even +# malicious sources should not cause problems. +CONFIG_RANDOM_TRUST_BOOTLOADER=y +CONFIG_RANDOM_TRUST_CPU=y + # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE). CONFIG_SCHED_CORE=y -# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers) +# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and +# minimizes stale data in registers). (Since v5.15) CONFIG_ZERO_CALL_USED_REGS=y +# Wipe RAM at reboot via EFI. +CONFIG_RESET_ATTACK_MITIGATION=y + # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set @@ -165,10 +210,13 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y +# CONFIG_STACKLEAK_METRICS is not set +# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y +# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set # arm diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config index c166290..91e6189 100644 --- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config +++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-arm64.config @@ -1,5 +1,5 @@ # CONFIGs -# Linux/arm64 5.14.0 Kernel Configuration +# Linux/arm64 5.17.0 Kernel Configuration # Report BUG() conditions and kill the offending process. CONFIG_BUG=y @@ -38,9 +38,24 @@ CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. +# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y +# Provide userspace with Landlock MAC interface. +# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list. +CONFIG_SECURITY_LANDLOCK=y + +# Make sure SELinux cannot be disabled trivially. +# SECURITY_SELINUX_BOOTPARAM is not set +# SECURITY_SELINUX_DEVELOP is not set +# CONFIG_SECURITY_WRITABLE_HOOKS is not set + +# Enable "lockdown" LSM for bright line between the root user and kernel memory. +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y + # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set @@ -83,24 +98,54 @@ CONFIG_FORTIFY_SOURCE=y # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1) CONFIG_SECURITY_DMESG_RESTRICT=y +# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled. +CONFIG_UBSAN=y +CONFIG_UBSAN_TRAP=y +CONFIG_UBSAN_BOUNDS=y +CONFIG_UBSAN_SANITIZE_ALL=y +# CONFIG_UBSAN_SHIFT is not set +# CONFIG_UBSAN_DIV_ZERO is not set +# CONFIG_UBSAN_UNREACHABLE is not set +# CONFIG_UBSAN_BOOL is not set +# CONFIG_UBSAN_ENUM is not set +# CONFIG_UBSAN_ALIGNMENT is not set +# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set: +CONFIG_UBSAN_LOCAL_BOUNDS=y + +# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead. +CONFIG_KFENCE=y + # Randomize kernel stack offset on syscall entry (since v5.13). CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y -# Enable sampling-based overflow detection. This is similar to KASAN coverage, but with almost zero runtime overhead. -CONFIG_KFENCE=y - # Do not ignore compile-time warnings (since v5.15) CONFIG_WERROR=y +# Disable DMA between EFI hand-off and the kernel's IOMMU setup. +CONFIG_EFI_DISABLE_PCI_DMA=y + # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot) +CONFIG_IOMMU_SUPPORT=y CONFIG_IOMMU_DEFAULT_DMA_STRICT=y +# Enable feeding RNG entropy from TPM, if available. +CONFIG_HW_RANDOM_TPM=y + +# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even +# malicious sources should not cause problems. +CONFIG_RANDOM_TRUST_BOOTLOADER=y +CONFIG_RANDOM_TRUST_CPU=y + # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE). CONFIG_SCHED_CORE=y -# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers) +# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and +# minimizes stale data in registers). (Since v5.15) CONFIG_ZERO_CALL_USED_REGS=y +# Wipe RAM at reboot via EFI. +CONFIG_RESET_ATTACK_MITIGATION=y + # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set @@ -165,10 +210,13 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y +# CONFIG_STACKLEAK_METRICS is not set +# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y +# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set # arm64 @@ -186,4 +234,24 @@ CONFIG_ARM64_SW_TTBR0_PAN=y # Enable Kernel Page Table Isolation to remove an entire class of cache timing side-channels. CONFIG_UNMAP_KERNEL_AT_EL0=y +# Software Shadow Stack or PAC +CONFIG_SHADOW_CALL_STACK=y + +# Pointer authentication (ARMv8.3 and later). If hardware actually supports it, one can +# turn off CONFIG_STACKPROTECTOR_STRONG with this enabled. +CONFIG_ARM64_PTR_AUTH=y +CONFIG_ARM64_PTR_AUTH_KERNEL=y + +# Available in ARMv8.5 and later. +CONFIG_ARM64_BTI=y +CONFIG_ARM64_BTI_KERNEL=y +CONFIG_ARM64_MTE=y +CONFIG_KASAN_HW_TAGS=y +CONFIG_ARM64_E0PD=y + +# Available in ARMv8.7 and later. +CONFIG_ARM64_EPAN=y +# Enable Control Flow Integrity +CONFIG_CFI_CLANG=y +# CONFIG_CFI_PERMISSIVE is not set diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config index ca92998..32c1dad 100644 --- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config +++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-32.config @@ -1,5 +1,5 @@ # CONFIGs -# Linux/i386 5.14.0 Kernel Configuration +# Linux/i386 5.17.0 Kernel Configuration # Report BUG() conditions and kill the offending process. CONFIG_BUG=y @@ -38,9 +38,24 @@ CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. +# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y +# Provide userspace with Landlock MAC interface. +# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list. +CONFIG_SECURITY_LANDLOCK=y + +# Make sure SELinux cannot be disabled trivially. +# SECURITY_SELINUX_BOOTPARAM is not set +# SECURITY_SELINUX_DEVELOP is not set +# CONFIG_SECURITY_WRITABLE_HOOKS is not set + +# Enable "lockdown" LSM for bright line between the root user and kernel memory. +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y + # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set @@ -83,24 +98,54 @@ CONFIG_FORTIFY_SOURCE=y # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1) CONFIG_SECURITY_DMESG_RESTRICT=y +# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled. +CONFIG_UBSAN=y +CONFIG_UBSAN_TRAP=y +CONFIG_UBSAN_BOUNDS=y +CONFIG_UBSAN_SANITIZE_ALL=y +# CONFIG_UBSAN_SHIFT is not set +# CONFIG_UBSAN_DIV_ZERO is not set +# CONFIG_UBSAN_UNREACHABLE is not set +# CONFIG_UBSAN_BOOL is not set +# CONFIG_UBSAN_ENUM is not set +# CONFIG_UBSAN_ALIGNMENT is not set +# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set: +CONFIG_UBSAN_LOCAL_BOUNDS=y + +# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead. +CONFIG_KFENCE=y + # Randomize kernel stack offset on syscall entry (since v5.13). CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y -# Enable sampling-based overflow detection. This is similar to KASAN coverage, but with almost zero runtime overhead. -CONFIG_KFENCE=y - # Do not ignore compile-time warnings (since v5.15) CONFIG_WERROR=y +# Disable DMA between EFI hand-off and the kernel's IOMMU setup. +CONFIG_EFI_DISABLE_PCI_DMA=y + # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot) +CONFIG_IOMMU_SUPPORT=y CONFIG_IOMMU_DEFAULT_DMA_STRICT=y +# Enable feeding RNG entropy from TPM, if available. +CONFIG_HW_RANDOM_TPM=y + +# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even +# malicious sources should not cause problems. +CONFIG_RANDOM_TRUST_BOOTLOADER=y +CONFIG_RANDOM_TRUST_CPU=y + # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE). CONFIG_SCHED_CORE=y -# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers) +# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and +# minimizes stale data in registers). (Since v5.15) CONFIG_ZERO_CALL_USED_REGS=y +# Wipe RAM at reboot via EFI. +CONFIG_RESET_ATTACK_MITIGATION=y + # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set @@ -165,10 +210,13 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y +# CONFIG_STACKLEAK_METRICS is not set +# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y +# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set # x86_32 diff --git a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config index b8097c6..560f682 100644 --- a/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config +++ b/kconfig_hardened_check/config_files/kspp-recommendations/kspp-recommendations-x86-64.config @@ -1,5 +1,5 @@ # CONFIGs -# Linux/x86_64 5.14.0 Kernel Configuration +# Linux/x86_64 5.17.0 Kernel Configuration # Report BUG() conditions and kill the offending process. CONFIG_BUG=y @@ -38,9 +38,24 @@ CONFIG_SECCOMP=y CONFIG_SECCOMP_FILTER=y # Provide userspace with ptrace ancestry protections. +# Make sure that "yama" is also present in the "CONFIG_LSM=yama,..." list. CONFIG_SECURITY=y CONFIG_SECURITY_YAMA=y +# Provide userspace with Landlock MAC interface. +# Make sure that "landlock" is also present in the "CONFIG_LSM=landlock,..." list. +CONFIG_SECURITY_LANDLOCK=y + +# Make sure SELinux cannot be disabled trivially. +# SECURITY_SELINUX_BOOTPARAM is not set +# SECURITY_SELINUX_DEVELOP is not set +# CONFIG_SECURITY_WRITABLE_HOOKS is not set + +# Enable "lockdown" LSM for bright line between the root user and kernel memory. +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y + # Perform usercopy bounds checking. (And disable fallback to gain full whitelist enforcement.) CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set @@ -83,24 +98,54 @@ CONFIG_FORTIFY_SOURCE=y # Avoid kernel memory address exposures via dmesg (sets sysctl kernel.dmesg_restrict initial value to 1) CONFIG_SECURITY_DMESG_RESTRICT=y +# Enable trapping bounds checking of array indexes (since v5.11). All the other UBSAN checks should be disabled. +CONFIG_UBSAN=y +CONFIG_UBSAN_TRAP=y +CONFIG_UBSAN_BOUNDS=y +CONFIG_UBSAN_SANITIZE_ALL=y +# CONFIG_UBSAN_SHIFT is not set +# CONFIG_UBSAN_DIV_ZERO is not set +# CONFIG_UBSAN_UNREACHABLE is not set +# CONFIG_UBSAN_BOOL is not set +# CONFIG_UBSAN_ENUM is not set +# CONFIG_UBSAN_ALIGNMENT is not set +# This is only available on Clang builds, and is likely already enabled if CONFIG_UBSAN_BOUNDS=y is set: +CONFIG_UBSAN_LOCAL_BOUNDS=y + +# Enable sampling-based overflow detection (since v5.12). This is similar to KASAN coverage, but with almost zero runtime overhead. +CONFIG_KFENCE=y + # Randomize kernel stack offset on syscall entry (since v5.13). CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y -# Enable sampling-based overflow detection. This is similar to KASAN coverage, but with almost zero runtime overhead. -CONFIG_KFENCE=y - # Do not ignore compile-time warnings (since v5.15) CONFIG_WERROR=y +# Disable DMA between EFI hand-off and the kernel's IOMMU setup. +CONFIG_EFI_DISABLE_PCI_DMA=y + # Force IOMMU TLB invalidation so devices will never be able to access stale data contents (or set "iommu.passthrough=0 iommu.strict=1" at boot) +CONFIG_IOMMU_SUPPORT=y CONFIG_IOMMU_DEFAULT_DMA_STRICT=y +# Enable feeding RNG entropy from TPM, if available. +CONFIG_HW_RANDOM_TPM=y + +# Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even +# malicious sources should not cause problems. +CONFIG_RANDOM_TRUST_BOOTLOADER=y +CONFIG_RANDOM_TRUST_CPU=y + # Make scheduler aware of SMT Cores. Program needs to opt-in to using this feature with prctl(PR_SCHED_CORE). CONFIG_SCHED_CORE=y -# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and minimizes stale data in registers) +# Wipe all caller-used registers on exit from the function (reduces available ROP gadgets and +# minimizes stale data in registers). (Since v5.15) CONFIG_ZERO_CALL_USED_REGS=y +# Wipe RAM at reboot via EFI. +CONFIG_RESET_ATTACK_MITIGATION=y + # Dangerous; enabling this allows direct physical memory writing. # CONFIG_ACPI_CUSTOM_METHOD is not set @@ -165,10 +210,13 @@ CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y # Wipe stack contents on syscall exit (reduces stale data lifetime in stack) CONFIG_GCC_PLUGIN_STACKLEAK=y +# CONFIG_STACKLEAK_METRICS is not set +# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set # Randomize the layout of system structures. This may have dramatic performance impact, so # use with caution or also use CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y CONFIG_GCC_PLUGIN_RANDSTRUCT=y +# CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE is not set # x86_64 @@ -196,4 +244,12 @@ CONFIG_PAGE_TABLE_ISOLATION=y # CONFIG_X86_X32 is not set # CONFIG_MODIFY_LDT_SYSCALL is not set +# Enable chip-specific IOMMU support. +CONFIG_INTEL_IOMMU=y +CONFIG_INTEL_IOMMU_DEFAULT_ON=y +CONFIG_INTEL_IOMMU_SVM=y +CONFIG_AMD_IOMMU=y +CONFIG_AMD_IOMMU_V2=y +# Straight-Line-Speculation +CONFIG_SLS=y