From 576ebf49912f40cf62c216c4fa888360431ec562 Mon Sep 17 00:00:00 2001
From: Andrew Boie <andrew.p.boie@intel.com>
Date: Thu, 7 Mar 2019 15:56:55 -0800
Subject: [PATCH] kernel: add config for Spectre V1 mitigation

This is off by default, but may be selected by the arch
configuration.

Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
---
 kernel/Kconfig | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/kernel/Kconfig b/kernel/Kconfig
index a5fc86558f6..bcecfe735a0 100644
--- a/kernel/Kconfig
+++ b/kernel/Kconfig
@@ -651,6 +651,17 @@ config STACK_POINTER_RANDOM
 	  This is currently only implemented for systems whose stack pointers
 	  grow towards lower memory addresses.
 
+config BOUNDS_CHECK_BYPASS_MITIGATION
+	bool "Enable bounds check bypass mitigations for speculative execution"
+	depends on USERSPACE
+	help
+	  Untrusted parameters from user mode may be used in system calls to
+	  index arrays during speculative execution, also known as the Spectre
+	  V1 vulnerability. When enabled, various macros defined in
+	  misc/speculation.h will insert fence instructions or other appropriate
+	  mitigations after bounds checking any array index parameters passed
+	  in from untrusted sources (user mode threads). When disabled, these
+	  macros do nothing.
 endmenu
 
 config MAX_DOMAIN_PARTITIONS