xref: /linux/arch/x86/Kconfig (revision 608323bf7bb85bbb647eca4373acef247f105e67)

# SPDX-License-Identifier: GPL-2.0
# Select 32 or 64 bit
config 64BIT
	bool "64-bit kernel" if "$(ARCH)" = "x86"
	default "$(ARCH)" != "i386"
	help
	  Say yes to build a 64-bit kernel - formerly known as x86_64
	  Say no to build a 32-bit kernel - formerly known as i386

config X86_32
	def_bool y
	depends on !64BIT
	# Options that are inherently 32-bit kernel only:
	select ARCH_WANT_IPC_PARSE_VERSION
	select CLKSRC_I8253
	select CLONE_BACKWARDS
	select HAVE_DEBUG_STACKOVERFLOW
	select KMAP_LOCAL
	select MODULES_USE_ELF_REL
	select OLD_SIGACTION
	select ARCH_SPLIT_ARG64

config X86_64
	def_bool y
	depends on 64BIT
	# Options that are inherently 64-bit kernel only:
	select ARCH_HAS_GIGANTIC_PAGE
	select ARCH_SUPPORTS_MSEAL_SYSTEM_MAPPINGS
	select ARCH_SUPPORTS_INT128 if CC_HAS_INT128
	select ARCH_SUPPORTS_PER_VMA_LOCK
	select ARCH_SUPPORTS_HUGE_PFNMAP if TRANSPARENT_HUGEPAGE
	select HAVE_ARCH_SOFT_DIRTY
	select MODULES_USE_ELF_RELA
	select NEED_DMA_MAP_STATE
	select SWIOTLB
	select ARCH_HAS_ELFCORE_COMPAT
	select ZONE_DMA32
	select EXECMEM if DYNAMIC_FTRACE
	select ACPI_MRRM if ACPI

config FORCE_DYNAMIC_FTRACE
	def_bool y
	depends on X86_32
	depends on FUNCTION_TRACER
	select DYNAMIC_FTRACE
	help
	  We keep the static function tracing (!DYNAMIC_FTRACE) around
	  in order to test the non static function tracing in the
	  generic code, as other architectures still use it. But we
	  only need to keep it around for x86_64. No need to keep it
	  for x86_32. For x86_32, force DYNAMIC_FTRACE.
#
# Arch settings
#
# ( Note that options that are marked 'if X86_64' could in principle be
#   ported to 32-bit as well. )
#
config X86
	def_bool y
	#
	# Note: keep this list sorted alphabetically
	#
	select ACPI_LEGACY_TABLES_LOOKUP	if ACPI
	select ACPI_SYSTEM_POWER_STATES_SUPPORT	if ACPI
	select ACPI_HOTPLUG_CPU			if ACPI_PROCESSOR && HOTPLUG_CPU
	select ARCH_32BIT_OFF_T			if X86_32
	select ARCH_CLOCKSOURCE_INIT
	select ARCH_CONFIGURES_CPU_MITIGATIONS
	select ARCH_CORRECT_STACKTRACE_ON_KRETPROBE
	select ARCH_ENABLE_HUGEPAGE_MIGRATION if X86_64 && HUGETLB_PAGE && MIGRATION
	select ARCH_ENABLE_MEMORY_HOTPLUG if X86_64
	select ARCH_ENABLE_SPLIT_PMD_PTLOCK if (PGTABLE_LEVELS > 2) && (X86_64 || X86_PAE)
	select ARCH_ENABLE_THP_MIGRATION if X86_64 && TRANSPARENT_HUGEPAGE
	select ARCH_HAS_ACPI_TABLE_UPGRADE	if ACPI
	select ARCH_HAS_CPU_ATTACK_VECTORS	if CPU_MITIGATIONS
	select ARCH_HAS_CACHE_LINE_SIZE
	select ARCH_HAS_CPU_CACHE_INVALIDATE_MEMREGION
	select ARCH_HAS_CPU_FINALIZE_INIT
	select ARCH_HAS_CPU_PASID		if IOMMU_SVA
	select ARCH_HAS_CURRENT_STACK_POINTER
	select ARCH_HAS_DEBUG_VIRTUAL
	select ARCH_HAS_DEBUG_VM_PGTABLE	if !X86_PAE
	select ARCH_HAS_DEVMEM_IS_ALLOWED
	select ARCH_HAS_DMA_OPS			if GART_IOMMU || XEN
	select ARCH_HAS_EARLY_DEBUG		if KGDB
	select ARCH_HAS_ELF_RANDOMIZE
	select ARCH_HAS_EXECMEM_ROX		if X86_64 && STRICT_MODULE_RWX
	select ARCH_HAS_FAST_MULTIPLIER
	select ARCH_HAS_FORTIFY_SOURCE
	select ARCH_HAS_GCOV_PROFILE_ALL
	select ARCH_HAS_KCOV			if X86_64
	select ARCH_HAS_KERNEL_FPU_SUPPORT
	select ARCH_HAS_MEM_ENCRYPT
	select ARCH_HAS_MEMBARRIER_SYNC_CORE
	select ARCH_HAS_NMI_SAFE_THIS_CPU_OPS
	select ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
	select ARCH_HAS_PMEM_API		if X86_64
	select ARCH_HAS_PREEMPT_LAZY
	select ARCH_HAS_PTDUMP
	select ARCH_HAS_PTE_SPECIAL
	select ARCH_HAS_HW_PTE_YOUNG
	select ARCH_HAS_NONLEAF_PMD_YOUNG	if PGTABLE_LEVELS > 2
	select ARCH_HAS_UACCESS_FLUSHCACHE	if X86_64
	select ARCH_HAS_COPY_MC			if X86_64
	select ARCH_HAS_SET_MEMORY
	select ARCH_HAS_SET_DIRECT_MAP
	select ARCH_HAS_STRICT_KERNEL_RWX
	select ARCH_HAS_STRICT_MODULE_RWX
	select ARCH_HAS_SYNC_CORE_BEFORE_USERMODE
	select ARCH_HAS_SYSCALL_WRAPPER
	select ARCH_HAS_UBSAN
	select ARCH_HAS_DEBUG_WX
	select ARCH_HAS_ZONE_DMA_SET if EXPERT
	select ARCH_HAVE_NMI_SAFE_CMPXCHG
	select ARCH_HAVE_EXTRA_ELF_NOTES
	select ARCH_MEMORY_ORDER_TSO
	select ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE
	select ARCH_MIGHT_HAVE_ACPI_PDC		if ACPI
	select ARCH_MIGHT_HAVE_PC_PARPORT
	select ARCH_MIGHT_HAVE_PC_SERIO
	select ARCH_STACKWALK
	select ARCH_SUPPORTS_ACPI
	select ARCH_SUPPORTS_ATOMIC_RMW
	select ARCH_SUPPORTS_DEBUG_PAGEALLOC
	select ARCH_SUPPORTS_HUGETLBFS
	select ARCH_SUPPORTS_PAGE_TABLE_CHECK	if X86_64
	select ARCH_SUPPORTS_NUMA_BALANCING	if X86_64
	select ARCH_SUPPORTS_KMAP_LOCAL_FORCE_MAP	if NR_CPUS <= 4096
	select ARCH_SUPPORTS_CFI		if X86_64
	select ARCH_USES_CFI_TRAPS		if X86_64 && CFI
	select ARCH_SUPPORTS_LTO_CLANG
	select ARCH_SUPPORTS_LTO_CLANG_THIN
	select ARCH_SUPPORTS_RT
	select ARCH_SUPPORTS_AUTOFDO_CLANG
	select ARCH_SUPPORTS_PROPELLER_CLANG    if X86_64
	select ARCH_USE_BUILTIN_BSWAP
	select ARCH_USE_CMPXCHG_LOCKREF		if X86_CX8
	select ARCH_USE_MEMTEST
	select ARCH_USE_QUEUED_RWLOCKS
	select ARCH_USE_QUEUED_SPINLOCKS
	select ARCH_USE_SYM_ANNOTATIONS
	select ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH
	select ARCH_WANT_DEFAULT_BPF_JIT	if X86_64
	select ARCH_WANTS_CLOCKSOURCE_READ_INLINE	if X86_64
	select ARCH_WANTS_DYNAMIC_TASK_STRUCT
	select ARCH_WANTS_NO_INSTR
	select ARCH_WANT_GENERAL_HUGETLB
	select ARCH_WANT_HUGE_PMD_SHARE		if X86_64
	select ARCH_WANT_LD_ORPHAN_WARN
	select ARCH_WANT_OPTIMIZE_DAX_VMEMMAP	if X86_64
	select ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP	if X86_64
	select ARCH_WANT_HUGETLB_VMEMMAP_PREINIT if X86_64
	select ARCH_WANTS_THP_SWAP		if X86_64
	select ARCH_HAS_PARANOID_L1D_FLUSH
	select ARCH_WANT_IRQS_OFF_ACTIVATE_MM
	select BUILDTIME_TABLE_SORT
	select CLKEVT_I8253
	select CLOCKSOURCE_WATCHDOG
	# Word-size accesses may read uninitialized data past the trailing \0
	# in strings and cause false KMSAN reports.
	select DCACHE_WORD_ACCESS		if !KMSAN
	select DYNAMIC_SIGFRAME
	select EDAC_ATOMIC_SCRUB
	select EDAC_SUPPORT
	select GENERIC_CLOCKEVENTS_BROADCAST	if X86_64 || (X86_32 && X86_LOCAL_APIC)
	select GENERIC_CLOCKEVENTS_BROADCAST_IDLE	if GENERIC_CLOCKEVENTS_BROADCAST
	select GENERIC_CLOCKEVENTS_COUPLED_INLINE	if X86_64
	select GENERIC_CLOCKEVENTS_MIN_ADJUST
	select GENERIC_CMOS_UPDATE
	select GENERIC_CPU_AUTOPROBE
	select GENERIC_CPU_DEVICES
	select GENERIC_CPU_VULNERABILITIES
	select GENERIC_EARLY_IOREMAP
	select GENERIC_ENTRY
	select GENERIC_IOMAP
	select GENERIC_IRQ_EFFECTIVE_AFF_MASK	if SMP
	select GENERIC_IRQ_MATRIX_ALLOCATOR	if X86_LOCAL_APIC
	select GENERIC_IRQ_MIGRATION		if SMP
	select GENERIC_IRQ_PROBE
	select GENERIC_IRQ_RESERVATION_MODE
	select GENERIC_IRQ_SHOW
	select GENERIC_PENDING_IRQ		if SMP
	select GENERIC_SMP_IDLE_THREAD
	select GENERIC_TIME_VSYSCALL
	select GENERIC_GETTIMEOFDAY
	select GENERIC_VDSO_OVERFLOW_PROTECT
	select GUP_GET_PXX_LOW_HIGH		if X86_PAE
	select HARDIRQS_SW_RESEND
	select HARDLOCKUP_CHECK_TIMESTAMP	if X86_64
	select HAS_IOPORT
	select HAVE_ACPI_APEI			if ACPI
	select HAVE_ACPI_APEI_NMI		if ACPI
	select HAVE_ALIGNED_STRUCT_PAGE
	select HAVE_ARCH_AUDITSYSCALL
	select HAVE_ARCH_HUGE_VMAP		if X86_64 || X86_PAE
	select HAVE_ARCH_HUGE_VMALLOC		if X86_64
	select HAVE_ARCH_JUMP_LABEL
	select HAVE_ARCH_JUMP_LABEL_RELATIVE
	select HAVE_ARCH_KASAN			if X86_64
	select HAVE_ARCH_KASAN_VMALLOC		if X86_64
	select HAVE_ARCH_KFENCE
	select HAVE_ARCH_KMSAN			if X86_64
	select HAVE_ARCH_KGDB
	select HAVE_ARCH_KSTACK_ERASE
	select HAVE_ARCH_MMAP_RND_BITS		if MMU
	select HAVE_ARCH_MMAP_RND_COMPAT_BITS	if MMU && COMPAT
	select HAVE_ARCH_COMPAT_MMAP_BASES	if MMU && COMPAT
	select HAVE_ARCH_PREL32_RELOCATIONS
	select HAVE_ARCH_SECCOMP_FILTER
	select HAVE_ARCH_THREAD_STRUCT_WHITELIST
	select HAVE_ARCH_TRACEHOOK
	select HAVE_ARCH_TRANSPARENT_HUGEPAGE
	select HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD if X86_64
	select HAVE_ARCH_USERFAULTFD_WP         if X86_64 && USERFAULTFD
	select HAVE_ARCH_USERFAULTFD_MINOR	if X86_64 && USERFAULTFD
	select HAVE_ARCH_VMAP_STACK		if X86_64
	select HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET
	select HAVE_ARCH_WITHIN_STACK_FRAMES
	select HAVE_ASM_MODVERSIONS
	select HAVE_CMPXCHG_DOUBLE
	select HAVE_CMPXCHG_LOCAL
	select HAVE_CONTEXT_TRACKING_USER		if X86_64
	select HAVE_CONTEXT_TRACKING_USER_OFFSTACK	if HAVE_CONTEXT_TRACKING_USER
	select HAVE_C_RECORDMCOUNT
	select HAVE_OBJTOOL_MCOUNT		if HAVE_OBJTOOL
	select HAVE_OBJTOOL_NOP_MCOUNT		if HAVE_OBJTOOL_MCOUNT
	select HAVE_BUILDTIME_MCOUNT_SORT
	select HAVE_DEBUG_KMEMLEAK
	select HAVE_DMA_CONTIGUOUS
	select HAVE_DYNAMIC_FTRACE
	select HAVE_DYNAMIC_FTRACE_WITH_REGS
	select HAVE_DYNAMIC_FTRACE_WITH_ARGS	if X86_64
	select HAVE_FTRACE_REGS_HAVING_PT_REGS	if X86_64
	select HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS
	select HAVE_DYNAMIC_FTRACE_WITH_JMP	if X86_64
	select HAVE_SAMPLE_FTRACE_DIRECT	if X86_64
	select HAVE_SAMPLE_FTRACE_DIRECT_MULTI	if X86_64
	select HAVE_EBPF_JIT
	select HAVE_EFFICIENT_UNALIGNED_ACCESS
	select HAVE_EISA			if X86_32
	select HAVE_EXIT_THREAD
	select HAVE_FUTEX_ROBUST_UNLOCK
	select HAVE_GENERIC_TIF_BITS
	select HAVE_GUP_FAST
	select HAVE_FENTRY			if X86_64 || DYNAMIC_FTRACE
	select HAVE_FTRACE_GRAPH_FUNC		if HAVE_FUNCTION_GRAPH_TRACER
	select HAVE_FUNCTION_GRAPH_FREGS	if HAVE_FUNCTION_GRAPH_TRACER
	select HAVE_FUNCTION_GRAPH_TRACER	if X86_32 || (X86_64 && DYNAMIC_FTRACE)
	select HAVE_FUNCTION_TRACER
	select HAVE_GCC_PLUGINS
	select HAVE_HW_BREAKPOINT
	select HAVE_IOREMAP_PROT
	select HAVE_IRQ_EXIT_ON_IRQ_STACK	if X86_64
	select HAVE_IRQ_TIME_ACCOUNTING
	select HAVE_JUMP_LABEL_HACK		if HAVE_OBJTOOL
	select HAVE_KERNEL_BZIP2
	select HAVE_KERNEL_GZIP
	select HAVE_KERNEL_LZ4
	select HAVE_KERNEL_LZMA
	select HAVE_KERNEL_LZO
	select HAVE_KERNEL_XZ
	select HAVE_KERNEL_ZSTD
	select HAVE_KPROBES
	select HAVE_KPROBES_ON_FTRACE
	select HAVE_FUNCTION_ERROR_INJECTION
	select HAVE_KRETPROBES
	select HAVE_RETHOOK
	select HAVE_KLP_BUILD			if X86_64
	select HAVE_LIVEPATCH			if X86_64
	select HAVE_MIXED_BREAKPOINTS_REGS
	select HAVE_MOD_ARCH_SPECIFIC
	select HAVE_MOVE_PMD
	select HAVE_MOVE_PUD
	select HAVE_NOINSTR_HACK		if HAVE_OBJTOOL
	select HAVE_NMI
	select HAVE_NOINSTR_VALIDATION		if HAVE_OBJTOOL
	select HAVE_OBJTOOL			if X86_64
	select HAVE_OPTPROBES
	select HAVE_PAGE_SIZE_4KB
	select HAVE_PCSPKR_PLATFORM
	select HAVE_PERF_EVENTS
	select HAVE_PERF_EVENTS_NMI
	select HAVE_HARDLOCKUP_DETECTOR_PERF	if PERF_EVENTS && HAVE_PERF_EVENTS_NMI
	select HAVE_PCI
	select HAVE_PERF_REGS
	select HAVE_PERF_USER_STACK_DUMP
	select ASYNC_KERNEL_PGTABLE_FREE	if IOMMU_SVA
	select MMU_GATHER_RCU_TABLE_FREE
	select MMU_GATHER_MERGE_VMAS
	select HAVE_POSIX_CPU_TIMERS_TASK_WORK
	select HAVE_REGS_AND_STACK_ACCESS_API
	select HAVE_RELIABLE_STACKTRACE		if UNWINDER_ORC || STACK_VALIDATION
	select HAVE_FUNCTION_ARG_ACCESS_API
	select HAVE_SETUP_PER_CPU_AREA
	select HAVE_SOFTIRQ_ON_OWN_STACK
	select HAVE_STACKPROTECTOR
	select HAVE_STACK_VALIDATION		if HAVE_OBJTOOL
	select HAVE_STATIC_CALL
	select HAVE_STATIC_CALL_INLINE		if HAVE_OBJTOOL
	select HAVE_PREEMPT_DYNAMIC_CALL
	select HAVE_RSEQ
	select HAVE_RUST			if X86_64
	select HAVE_SYSCALL_TRACEPOINTS
	select HAVE_UACCESS_VALIDATION		if HAVE_OBJTOOL
	select HAVE_UNSTABLE_SCHED_CLOCK
	select HAVE_UNWIND_USER_FP		if X86_64
	select HAVE_USER_RETURN_NOTIFIER
	select HAVE_GENERIC_VDSO
	select VDSO_GETRANDOM			if X86_64
	select HOTPLUG_PARALLEL			if SMP && X86_64
	select HOTPLUG_SMT			if SMP
	select HOTPLUG_SPLIT_STARTUP		if SMP && X86_32
	select IRQ_FORCED_THREADING
	select LOCK_MM_AND_FIND_VMA
	select NEED_PER_CPU_EMBED_FIRST_CHUNK
	select NEED_PER_CPU_PAGE_FIRST_CHUNK
	select NEED_SG_DMA_LENGTH
	select NUMA_MEMBLKS			if NUMA
	select PCI_DOMAINS			if PCI
	select PCI_LOCKLESS_CONFIG		if PCI
	select PERF_EVENTS
	select RTC_LIB
	select RTC_MC146818_LIB
	select SPARSE_IRQ
	select SYSCTL_EXCEPTION_TRACE
	select THREAD_INFO_IN_TASK
	select TRACE_IRQFLAGS_SUPPORT
	select TRACE_IRQFLAGS_NMI_SUPPORT
	select USER_STACKTRACE_SUPPORT
	select HAVE_ARCH_KCSAN			if X86_64
	select PROC_PID_ARCH_STATUS		if PROC_FS
	select HAVE_ARCH_NODE_DEV_GROUP		if X86_SGX
	select FUNCTION_ALIGNMENT_16B		if X86_64 || X86_ALIGNMENT_16
	select FUNCTION_ALIGNMENT_4B
	imply IMA_SECURE_AND_OR_TRUSTED_BOOT    if EFI
	select HAVE_DYNAMIC_FTRACE_NO_PATCHABLE
	select ARCH_SUPPORTS_SCHED_SMT		if SMP
	select SCHED_SMT			if SMP
	select ARCH_SUPPORTS_SCHED_CLUSTER	if SMP
	select ARCH_SUPPORTS_SCHED_MC		if SMP
	select HAVE_SINGLE_FTRACE_DIRECT_OPS	if X86_64 && DYNAMIC_FTRACE_WITH_DIRECT_CALLS

config INSTRUCTION_DECODER
	def_bool y
	depends on KPROBES || PERF_EVENTS || UPROBES

config OUTPUT_FORMAT
	string
	default "elf32-i386" if X86_32
	default "elf64-x86-64" if X86_64

config LOCKDEP_SUPPORT
	def_bool y

config STACKTRACE_SUPPORT
	def_bool y

config MMU
	def_bool y

config ARCH_MMAP_RND_BITS_MIN
	default 28 if 64BIT
	default 8

config ARCH_MMAP_RND_BITS_MAX
	default 32 if 64BIT
	default 16

config ARCH_MMAP_RND_COMPAT_BITS_MIN
	default 8

config ARCH_MMAP_RND_COMPAT_BITS_MAX
	default 16

config SBUS
	bool

config GENERIC_ISA_DMA
	def_bool y
	depends on ISA_DMA_API

config GENERIC_CSUM
	bool
	default y if KMSAN || KASAN

config GENERIC_BUG
	def_bool y
	depends on BUG
	select GENERIC_BUG_RELATIVE_POINTERS

config GENERIC_BUG_RELATIVE_POINTERS
	bool

config ARCH_MAY_HAVE_PC_FDC
	def_bool y
	depends on ISA_DMA_API

config GENERIC_CALIBRATE_DELAY
	def_bool y

config ARCH_HAS_CPU_RELAX
	def_bool y

config ARCH_HIBERNATION_POSSIBLE
	def_bool y

config ARCH_SUSPEND_POSSIBLE
	def_bool y

config AUDIT_ARCH
	def_bool y if X86_64

config KASAN_SHADOW_OFFSET
	hex
	depends on KASAN
	default 0xdffffc0000000000

config HAVE_INTEL_TXT
	def_bool y
	depends on INTEL_IOMMU && ACPI

config ARCH_SUPPORTS_UPROBES
	def_bool y

config FIX_EARLYCON_MEM
	def_bool y

config DYNAMIC_PHYSICAL_MASK
	bool

config PGTABLE_LEVELS
	int
	default 5 if X86_64
	default 3 if X86_PAE
	default 2

menu "Processor type and features"

config SMP
	bool "Symmetric multi-processing support"
	help
	  This enables support for systems with more than one CPU. If you have
	  a system with only one CPU, say N. If you have a system with more
	  than one CPU, say Y.

	  If you say N here, the kernel will run on uni- and multiprocessor
	  machines, but will use only one CPU of a multiprocessor machine. If
	  you say Y here, the kernel will run on many, but not all,
	  uniprocessor machines. On a uniprocessor machine, the kernel
	  will run faster if you say N here.

	  People using multiprocessor machines who say Y here should also say
	  Y to "Enhanced Real Time Clock Support", below. The "Advanced Power
	  Management" code will be disabled if you say Y here.

	  See also <file:Documentation/arch/x86/i386/IO-APIC.rst>,
	  <file:Documentation/admin-guide/lockup-watchdogs.rst> and the SMP-HOWTO available at
	  <http://www.tldp.org/docs.html#howto>.

	  If you don't know what to do here, say N.

config X86_X2APIC
	bool "x2APIC interrupt controller architecture support"
	depends on X86_LOCAL_APIC && X86_64 && (IRQ_REMAP || HYPERVISOR_GUEST)
	default y
	help
	  x2APIC is an interrupt controller architecture, a component of which
	  (the local APIC) is present in the CPU. It allows faster access to
	  the local APIC and supports a larger number of CPUs in the system
	  than the predecessors.

	  x2APIC was introduced in Intel CPUs around 2008 and in AMD EPYC CPUs
	  in 2019, but it can be disabled by the BIOS. It is also frequently
	  emulated in virtual machines, even when the host CPU does not support
	  it. Support in the CPU can be checked by executing
		grep x2apic /proc/cpuinfo

	  If this configuration option is disabled, the kernel will boot with
	  very reduced functionality and performance on some platforms that
	  have x2APIC enabled. On the other hand, on hardware that does not
	  support x2APIC, a kernel with this option enabled will just fallback
	  to older APIC implementations.

	  If in doubt, say Y.

config AMD_SECURE_AVIC
	bool "AMD Secure AVIC"
	depends on AMD_MEM_ENCRYPT && X86_X2APIC
	help
	  Enable this to get AMD Secure AVIC support on guests that have this feature.

	  AMD Secure AVIC provides hardware acceleration for performance sensitive
	  APIC accesses and support for managing guest owned APIC state for SEV-SNP
	  guests. Secure AVIC does not support xAPIC mode. It has functional
	  dependency on x2apic being enabled in the guest.

	  If you don't know what to do here, say N.

config X86_POSTED_MSI
	bool "Enable MSI and MSI-x delivery by posted interrupts"
	depends on X86_64 && IRQ_REMAP
	help
	  This enables MSIs that are under interrupt remapping to be delivered as
	  posted interrupts to the host kernel. Interrupt throughput can
	  potentially be improved by coalescing CPU notifications during high
	  frequency bursts.

	  If you don't know what to do here, say N.

config X86_MPPARSE
	bool "Enable MPS table" if ACPI
	default y
	depends on X86_LOCAL_APIC
	help
	  For old smp systems that do not have proper acpi support. Newer systems
	  (esp with 64bit cpus) with acpi support, MADT and DSDT will override it

config X86_CPU_RESCTRL
	bool "x86 CPU resource control support"
	depends on X86 && (CPU_SUP_INTEL || CPU_SUP_AMD)
	depends on MISC_FILESYSTEMS
	select ARCH_HAS_CPU_RESCTRL
	select RESCTRL_FS
	select RESCTRL_FS_PSEUDO_LOCK
	help
	  Enable x86 CPU resource control support.

	  Provide support for the allocation and monitoring of system resources
	  usage by the CPU.

	  Intel calls this Intel Resource Director Technology
	  (Intel(R) RDT). More information about RDT can be found in the
	  Intel x86 Architecture Software Developer Manual.

	  AMD calls this AMD Platform Quality of Service (AMD QoS).
	  More information about AMD QoS can be found in the AMD64 Technology
	  Platform Quality of Service Extensions manual.

	  Say N if unsure.

config X86_CPU_RESCTRL_INTEL_AET
	bool "Intel Application Energy Telemetry"
	depends on X86_64 && X86_CPU_RESCTRL && CPU_SUP_INTEL && INTEL_PMT_TELEMETRY=y && INTEL_TPMI=y
	help
	  Enable per-RMID telemetry events in resctrl.

	  Intel feature that collects per-RMID execution data
	  about energy consumption, measure of frequency independent
	  activity and other performance metrics. Data is aggregated
	  per package.

	  Say N if unsure.

config X86_FRED
	bool "Flexible Return and Event Delivery"
	depends on X86_64
	help
	  When enabled, use Flexible Return and Event Delivery
	  instead of the legacy SYSCALL/SYSENTER/IDT architecture for
	  ring transitions and exception/interrupt handling if the
	  system supports it.

config X86_EXTENDED_PLATFORM
	bool "Support for extended (non-PC) x86 platforms"
	default y
	help
	  If you disable this option then the kernel will only support
	  standard PC platforms. (which covers the vast majority of
	  systems out there.)

	  If you enable this option then you'll be able to select support
	  for the following non-PC x86 platforms, depending on the value of
	  CONFIG_64BIT.

	  32-bit platforms (CONFIG_64BIT=n):
		Goldfish (mostly Android emulator)
		Intel CE media processor (CE4100) SoC
		Intel Quark
		RDC R-321x SoC

	  64-bit platforms (CONFIG_64BIT=y):
		Numascale NumaChip
		ScaleMP vSMP
		SGI Ultraviolet
		Merrifield/Moorefield MID devices
		Goldfish (mostly Android emulator)

	  If you have one of these systems, or if you want to build a
	  generic distribution kernel, say Y here - otherwise say N.

# This is an alphabetically sorted list of 64 bit extended platforms
# Please maintain the alphabetic order if and when there are additions
config X86_NUMACHIP
	bool "Numascale NumaChip"
	depends on X86_64
	depends on X86_EXTENDED_PLATFORM
	depends on NUMA
	depends on SMP
	depends on X86_X2APIC
	depends on PCI_MMCONFIG
	help
	  Adds support for Numascale NumaChip large-SMP systems. Needed to
	  enable more than ~168 cores.
	  If you don't have one of these, you should say N here.

config X86_VSMP
	bool "ScaleMP vSMP"
	select HYPERVISOR_GUEST
	select PARAVIRT
	depends on X86_64 && PCI
	depends on X86_EXTENDED_PLATFORM
	depends on SMP
	help
	  Support for ScaleMP vSMP systems.  Say 'Y' here if this kernel is
	  supposed to run on these EM64T-based machines.  Only choose this option
	  if you have one of these machines.

config X86_UV
	bool "SGI Ultraviolet"
	depends on X86_64
	depends on X86_EXTENDED_PLATFORM
	depends on NUMA
	depends on EFI
	depends on KEXEC_CORE
	depends on X86_X2APIC
	depends on PCI
	help
	  This option is needed in order to support SGI Ultraviolet systems.
	  If you don't have one of these, you should say N here.

config X86_INTEL_MID
	bool "Intel Z34xx/Z35xx MID platform support"
	depends on X86_EXTENDED_PLATFORM
	depends on X86_PLATFORM_DEVICES
	depends on PCI
	depends on X86_64 || (EXPERT && PCI_GOANY)
	depends on X86_IO_APIC
	select I2C
	select DW_APB_TIMER
	select INTEL_SCU_PCI
	help
	  Select to build a kernel capable of supporting 64-bit Intel MID
	  (Mobile Internet Device) platform systems which do not have
	  the PCI legacy interfaces.

	  The only supported devices are the 22nm Merrified (Z34xx)
	  and Moorefield (Z35xx) SoC used in the Intel Edison board and
	  a small number of Android devices such as the Asus Zenfone 2,
	  Asus FonePad 8 and Dell Venue 7.

	  If you are building for a PC class system or non-MID tablet
	  SoCs like Bay Trail (Z36xx/Z37xx), say N here.

	  Intel MID platforms are based on an Intel processor and chipset which
	  consume less power than most of the x86 derivatives.

config X86_GOLDFISH
	bool "Goldfish (Virtual Platform)"
	depends on X86_EXTENDED_PLATFORM
	help
	  Enable support for the Goldfish virtual platform used primarily
	  for Android development. Unless you are building for the Android
	  Goldfish emulator say N here.

# Following is an alphabetically sorted list of 32 bit extended platforms
# Please maintain the alphabetic order if and when there are additions

config X86_INTEL_CE
	bool "CE4100 TV platform"
	depends on PCI
	depends on PCI_GODIRECT
	depends on X86_IO_APIC
	depends on X86_32
	depends on X86_EXTENDED_PLATFORM
	select X86_REBOOTFIXUPS
	select OF
	select OF_EARLY_FLATTREE
	help
	  Select for the Intel CE media processor (CE4100) SOC.
	  This option compiles in support for the CE4100 SOC for settop
	  boxes and media devices.

config X86_INTEL_QUARK
	bool "Intel Quark platform support"
	depends on X86_32
	depends on X86_EXTENDED_PLATFORM
	depends on X86_PLATFORM_DEVICES
	depends on X86_TSC
	depends on PCI
	depends on PCI_GOANY
	depends on X86_IO_APIC
	select IOSF_MBI
	select INTEL_IMR
	select COMMON_CLK
	help
	  Select to include support for Quark X1000 SoC.
	  Say Y here if you have a Quark based system such as the Arduino
	  compatible Intel Galileo.

config X86_RDC321X
	bool "RDC R-321x SoC"
	depends on X86_32
	depends on X86_EXTENDED_PLATFORM
	select M486
	select X86_REBOOTFIXUPS
	help
	  This option is needed for RDC R-321x system-on-chip, also known
	  as R-8610-(G).
	  If you don't have one of these chips, you should say N here.

config X86_INTEL_LPSS
	bool "Intel Low Power Subsystem Support"
	depends on X86 && ACPI && PCI
	select COMMON_CLK
	select PINCTRL
	select IOSF_MBI
	help
	  Select to build support for Intel Low Power Subsystem such as
	  found on Intel Lynxpoint PCH. Selecting this option enables
	  things like clock tree (common clock framework) and pincontrol
	  which are needed by the LPSS peripheral drivers.

config X86_AMD_PLATFORM_DEVICE
	bool "AMD ACPI2Platform devices support"
	depends on ACPI
	select COMMON_CLK
	select PINCTRL
	help
	  Select to interpret AMD specific ACPI device to platform device
	  such as I2C, UART, GPIO found on AMD Carrizo and later chipsets.
	  I2C and UART depend on COMMON_CLK to set clock. GPIO driver is
	  implemented under PINCTRL subsystem.

config IOSF_MBI
	tristate "Intel SoC IOSF Sideband support for SoC platforms"
	depends on PCI
	help
	  This option enables sideband register access support for Intel SoC
	  platforms. On these platforms the IOSF sideband is used in lieu of
	  MSR's for some register accesses, mostly but not limited to thermal
	  and power. Drivers may query the availability of this device to
	  determine if they need the sideband in order to work on these
	  platforms. The sideband is available on the following SoC products.
	  This list is not meant to be exclusive.
	   - BayTrail
	   - Braswell
	   - Quark

	  You should say Y if you are running a kernel on one of these SoC's.

config IOSF_MBI_DEBUG
	bool "Enable IOSF sideband access through debugfs"
	depends on IOSF_MBI && DEBUG_FS
	help
	  Select this option to expose the IOSF sideband access registers (MCR,
	  MDR, MCRX) through debugfs to write and read register information from
	  different units on the SoC. This is most useful for obtaining device
	  state information for debug and analysis. As this is a general access
	  mechanism, users of this option would have specific knowledge of the
	  device they want to access.

	  If you don't require the option or are in doubt, say N.

config X86_SUPPORTS_MEMORY_FAILURE
	def_bool y
	# MCE code calls memory_failure():
	depends on X86_MCE
	# On 32-bit this adds too big of NODES_SHIFT and we run out of page flags:
	# On 32-bit SPARSEMEM adds too big of SECTIONS_WIDTH:
	depends on X86_64 || !SPARSEMEM
	select ARCH_SUPPORTS_MEMORY_FAILURE

config X86_32_IRIS
	tristate "Eurobraille/Iris poweroff module"
	depends on X86_32
	help
	  The Iris machines from EuroBraille do not have APM or ACPI support
	  to shut themselves down properly.  A special I/O sequence is
	  needed to do so, which is what this module does at
	  kernel shutdown.

	  This is only for Iris machines from EuroBraille.

	  If unused, say N.

config SCHED_OMIT_FRAME_POINTER
	def_bool y
	prompt "Single-depth WCHAN output"
	depends on X86
	help
	  Calculate simpler /proc/<PID>/wchan values. If this option
	  is disabled then wchan values will recurse back to the
	  caller function. This provides more accurate wchan values,
	  at the expense of slightly more scheduling overhead.

	  If in doubt, say "Y".

menuconfig HYPERVISOR_GUEST
	bool "Linux guest support"
	help
	  Say Y here to enable options for running Linux under various hyper-
	  visors. This option enables basic hypervisor detection and platform
	  setup.

	  If you say N, all options in this submenu will be skipped and
	  disabled, and Linux guest support won't be built in.

if HYPERVISOR_GUEST

config PARAVIRT
	bool "Enable paravirtualization code"
	depends on HAVE_STATIC_CALL
	select HAVE_PV_STEAL_CLOCK_GEN
	help
	  This changes the kernel so it can modify itself when it is run
	  under a hypervisor, potentially improving performance significantly
	  over full virtualization.  However, when run without a hypervisor
	  the kernel is theoretically slower and slightly larger.

config PARAVIRT_XXL
	bool
	depends on X86_64
	select ARCH_HAS_LAZY_MMU_MODE

config PARAVIRT_SPINLOCKS
	bool "Paravirtualization layer for spinlocks"
	depends on PARAVIRT && SMP
	help
	  Paravirtualized spinlocks allow a pvops backend to replace the
	  spinlock implementation with something virtualization-friendly
	  (for example, block the virtual CPU rather than spinning).

	  It has a minimal impact on native kernels and gives a nice performance
	  benefit on paravirtualized KVM / Xen kernels.

	  If you are unsure how to answer this question, answer Y.

config X86_HV_CALLBACK_VECTOR
	def_bool n

source "arch/x86/xen/Kconfig"

config KVM_GUEST
	bool "KVM Guest support (including kvmclock)"
	depends on PARAVIRT
	select PARAVIRT_CLOCK
	select ARCH_CPUIDLE_HALTPOLL
	select X86_HV_CALLBACK_VECTOR
	default y
	help
	  This option enables various optimizations for running under the KVM
	  hypervisor. It includes a paravirtualized clock, so that instead
	  of relying on a PIT (or probably other) emulation by the
	  underlying device model, the host provides the guest with
	  timing infrastructure such as time of day, and system time

config ARCH_CPUIDLE_HALTPOLL
	def_bool n
	prompt "Disable host haltpoll when loading haltpoll driver"
	help
	  If virtualized under KVM, disable host haltpoll.

config PVH
	bool "Support for running PVH guests"
	help
	  This option enables the PVH entry point for guest virtual machines
	  as specified in the x86/HVM direct boot ABI.

config PARAVIRT_TIME_ACCOUNTING
	bool "Paravirtual steal time accounting"
	depends on PARAVIRT
	help
	  Select this option to enable fine granularity task steal time
	  accounting. Time spent executing other tasks in parallel with
	  the current vCPU is discounted from the vCPU power. To account for
	  that, there can be a small performance impact.

	  If in doubt, say N here.

config PARAVIRT_CLOCK
	bool

config JAILHOUSE_GUEST
	bool "Jailhouse non-root cell support"
	depends on X86_64 && PCI
	select X86_PM_TIMER
	help
	  This option allows to run Linux as guest in a Jailhouse non-root
	  cell. You can leave this option disabled if you only want to start
	  Jailhouse and run Linux afterwards in the root cell.

config ACRN_GUEST
	bool "ACRN Guest support"
	depends on X86_64
	select X86_HV_CALLBACK_VECTOR
	help
	  This option allows to run Linux as guest in the ACRN hypervisor. ACRN is
	  a flexible, lightweight reference open-source hypervisor, built with
	  real-time and safety-criticality in mind. It is built for embedded
	  IOT with small footprint and real-time features. More details can be
	  found in https://projectacrn.org/.

config BHYVE_GUEST
	bool "Bhyve (BSD Hypervisor) Guest support"
	depends on X86_64
	help
	  This option allows to run Linux to recognise when it is running as a
	  guest in the Bhyve hypervisor, and to support more than 255 vCPUs when
	  when doing so. More details about Bhyve can be found at https://bhyve.org
	  and https://wiki.freebsd.org/bhyve/.

config INTEL_TDX_GUEST
	bool "Intel TDX (Trust Domain Extensions) - Guest Support"
	depends on X86_64 && CPU_SUP_INTEL
	depends on X86_X2APIC
	depends on EFI_STUB
	depends on PARAVIRT
	select ARCH_HAS_CC_PLATFORM
	select X86_MEM_ENCRYPT
	select X86_MCE
	select UNACCEPTED_MEMORY
	help
	  Support running as a guest under Intel TDX.  Without this support,
	  the guest kernel can not boot or run under TDX.
	  TDX includes memory encryption and integrity capabilities
	  which protect the confidentiality and integrity of guest
	  memory contents and CPU state. TDX guests are protected from
	  some attacks from the VMM.

endif # HYPERVISOR_GUEST

source "arch/x86/Kconfig.cpu"

config HPET_TIMER
	def_bool X86_64
	prompt "HPET Timer Support" if X86_32
	help
	  Use the IA-PC HPET (High Precision Event Timer) to manage
	  time in preference to the PIT and RTC, if a HPET is
	  present.
	  HPET is the next generation timer replacing legacy 8254s.
	  The HPET provides a stable time base on SMP
	  systems, unlike the TSC, but it is more expensive to access,
	  as it is off-chip.  The interface used is documented
	  in the HPET spec, revision 1.

	  You can safely choose Y here.  However, HPET will only be
	  activated if the platform and the BIOS support this feature.
	  Otherwise the 8254 will be used for timing services.

	  Choose N to continue using the legacy 8254 timer.

config HPET_EMULATE_RTC
	def_bool y
	depends on HPET_TIMER && (RTC_DRV_CMOS=m || RTC_DRV_CMOS=y)

# Mark as expert because too many people got it wrong.
# The code disables itself when not needed.
config DMI
	default y
	select DMI_SCAN_MACHINE_NON_EFI_FALLBACK
	bool "Enable DMI scanning" if EXPERT
	help
	  Enabled scanning of DMI to identify machine quirks. Say Y
	  here unless you have verified that your setup is not
	  affected by entries in the DMI blacklist. Required by PNP
	  BIOS code.

config GART_IOMMU
	bool "Old AMD GART IOMMU support"
	select IOMMU_HELPER
	select SWIOTLB
	depends on X86_64 && PCI && AMD_NB
	help
	  Provides a driver for older AMD Athlon64/Opteron/Turion/Sempron
	  GART based hardware IOMMUs.

	  The GART supports full DMA access for devices with 32-bit access
	  limitations, on systems with more than 3 GB. This is usually needed
	  for USB, sound, many IDE/SATA chipsets and some other devices.

	  Newer systems typically have a modern AMD IOMMU, supported via
	  the CONFIG_AMD_IOMMU=y config option.

	  In normal configurations this driver is only active when needed:
	  there's more than 3 GB of memory and the system contains a
	  32-bit limited device.

	  If unsure, say Y.

config BOOT_VESA_SUPPORT
	bool
	help
	  If true, at least one selected framebuffer driver can take advantage
	  of VESA video modes set at an early boot stage via the vga= parameter.

config MAXSMP
	bool "Enable Maximum number of SMP Processors and NUMA Nodes"
	depends on X86_64 && SMP && DEBUG_KERNEL
	select CPUMASK_OFFSTACK
	help
	  Enable maximum number of CPUS and NUMA Nodes for this architecture.
	  If unsure, say N.

#
# The maximum number of CPUs supported:
#
# The main config value is NR_CPUS, which defaults to NR_CPUS_DEFAULT,
# and which can be configured interactively in the
# [NR_CPUS_RANGE_BEGIN ... NR_CPUS_RANGE_END] range.
#
# The ranges are different on 32-bit and 64-bit kernels, depending on
# hardware capabilities and scalability features of the kernel.
#
# ( If MAXSMP is enabled we just use the highest possible value and disable
#   interactive configuration. )
#

config NR_CPUS_RANGE_BEGIN
	int
	default NR_CPUS_RANGE_END if MAXSMP
	default    1 if !SMP
	default    2

config NR_CPUS_RANGE_END
	int
	depends on X86_32
	default    8 if  SMP
	default    1 if !SMP

config NR_CPUS_RANGE_END
	int
	depends on X86_64
	default 8192 if  SMP && CPUMASK_OFFSTACK
	default  512 if  SMP && !CPUMASK_OFFSTACK
	default    1 if !SMP

config NR_CPUS_DEFAULT
	int
	depends on X86_32
	default    8 if  SMP
	default    1 if !SMP

config NR_CPUS_DEFAULT
	int
	depends on X86_64
	default 8192 if  MAXSMP
	default   64 if  SMP
	default    1 if !SMP

config NR_CPUS
	int "Maximum number of CPUs" if SMP && !MAXSMP
	range NR_CPUS_RANGE_BEGIN NR_CPUS_RANGE_END
	default NR_CPUS_DEFAULT
	help
	  This allows you to specify the maximum number of CPUs which this
	  kernel will support.  If CPUMASK_OFFSTACK is enabled, the maximum
	  supported value is 8192, otherwise the maximum value is 512.  The
	  minimum value which makes sense is 2.

	  This is purely to save memory: each supported CPU adds about 8KB
	  to the kernel image.

config SCHED_MC_PRIO
	bool "CPU core priorities scheduler support"
	depends on SCHED_MC
	select X86_INTEL_PSTATE if CPU_SUP_INTEL
	select X86_AMD_PSTATE if CPU_SUP_AMD && ACPI
	select CPU_FREQ
	default y
	help
	  Intel Turbo Boost Max Technology 3.0 enabled CPUs have a
	  core ordering determined at manufacturing time, which allows
	  certain cores to reach higher turbo frequencies (when running
	  single threaded workloads) than others.

	  Enabling this kernel feature teaches the scheduler about
	  the TBM3 (aka ITMT) priority order of the CPU cores and adjusts the
	  scheduler's CPU selection logic accordingly, so that higher
	  overall system performance can be achieved.

	  This feature will have no effect on CPUs without this feature.

	  If unsure say Y here.

config UP_LATE_INIT
	def_bool y
	depends on !SMP && X86_LOCAL_APIC

config X86_UP_APIC
	bool "Local APIC support on uniprocessors" if !PCI_MSI
	default PCI_MSI
	depends on X86_32 && !SMP
	help
	  A local APIC (Advanced Programmable Interrupt Controller) is an
	  integrated interrupt controller in the CPU. If you have a single-CPU
	  system which has a processor with a local APIC, you can say Y here to
	  enable and use it. If you say Y here even though your machine doesn't
	  have a local APIC, then the kernel will still run with no slowdown at
	  all. The local APIC supports CPU-generated self-interrupts (timer,
	  performance counters), and the NMI watchdog which detects hard
	  lockups.

config X86_UP_IOAPIC
	bool "IO-APIC support on uniprocessors"
	depends on X86_UP_APIC
	help
	  An IO-APIC (I/O Advanced Programmable Interrupt Controller) is an
	  SMP-capable replacement for PC-style interrupt controllers. Most
	  SMP systems and many recent uniprocessor systems have one.

	  If you have a single-CPU system with an IO-APIC, you can say Y here
	  to use it. If you say Y here even though your machine doesn't have
	  an IO-APIC, then the kernel will still run with no slowdown at all.

config X86_LOCAL_APIC
	def_bool y
	depends on X86_64 || SMP || X86_UP_APIC || PCI_MSI
	select IRQ_DOMAIN_HIERARCHY

config ACPI_MADT_WAKEUP
	def_bool y
	depends on X86_64
	depends on ACPI
	depends on SMP
	depends on X86_LOCAL_APIC

config X86_IO_APIC
	def_bool y
	depends on X86_LOCAL_APIC || X86_UP_IOAPIC

config X86_REROUTE_FOR_BROKEN_BOOT_IRQS
	bool "Reroute for broken boot IRQs"
	depends on X86_IO_APIC
	help
	  This option enables a workaround that fixes a source of
	  spurious interrupts. This is recommended when threaded
	  interrupt handling is used on systems where the generation of
	  superfluous "boot interrupts" cannot be disabled.

	  Some chipsets generate a legacy INTx "boot IRQ" when the IRQ
	  entry in the chipset's IO-APIC is masked (as, e.g. the RT
	  kernel does during interrupt handling). On chipsets where this
	  boot IRQ generation cannot be disabled, this workaround keeps
	  the original IRQ line masked so that only the equivalent "boot
	  IRQ" is delivered to the CPUs. The workaround also tells the
	  kernel to set up the IRQ handler on the boot IRQ line. In this
	  way only one interrupt is delivered to the kernel. Otherwise
	  the spurious second interrupt may cause the kernel to bring
	  down (vital) interrupt lines.

	  Only affects "broken" chipsets. Interrupt sharing may be
	  increased on these systems.

config X86_MCE
	bool "Machine Check / overheating reporting"
	select GENERIC_ALLOCATOR
	default y
	help
	  Machine Check support allows the processor to notify the
	  kernel if it detects a problem (e.g. overheating, data corruption).
	  The action the kernel takes depends on the severity of the problem,
	  ranging from warning messages to halting the machine.

config X86_MCELOG_LEGACY
	bool "Support for deprecated /dev/mcelog character device"
	depends on X86_MCE
	help
	  Enable support for /dev/mcelog which is needed by the old mcelog
	  userspace logging daemon. Consider switching to the new generation
	  rasdaemon solution.

config X86_MCE_INTEL
	def_bool y
	prompt "Intel MCE features"
	depends on X86_MCE && X86_LOCAL_APIC
	help
	  Additional support for intel specific MCE features such as
	  the thermal monitor.

config X86_MCE_AMD
	def_bool y
	prompt "AMD MCE features"
	depends on X86_MCE && X86_LOCAL_APIC
	help
	  Additional support for AMD specific MCE features such as
	  the DRAM Error Threshold.

config X86_ANCIENT_MCE
	bool "Support for old Pentium 5 / WinChip machine checks"
	depends on X86_32 && X86_MCE
	help
	  Include support for machine check handling on old Pentium 5 or WinChip
	  systems. These typically need to be enabled explicitly on the command
	  line.

config X86_MCE_THRESHOLD
	depends on X86_MCE_AMD || X86_MCE_INTEL
	def_bool y

config X86_MCE_INJECT
	depends on X86_MCE && X86_LOCAL_APIC && DEBUG_FS
	tristate "Machine check injector support"
	help
	  Provide support for injecting machine checks for testing purposes.
	  If you don't know what a machine check is and you don't do kernel
	  QA it is safe to say n.

source "arch/x86/events/Kconfig"

config X86_LEGACY_VM86
	bool "Legacy VM86 support"
	depends on X86_32
	help
	  This option allows user programs to put the CPU into V8086
	  mode, which is an 80286-era approximation of 16-bit real mode.

	  Some very old versions of X and/or vbetool require this option
	  for user mode setting.  Similarly, DOSEMU will use it if
	  available to accelerate real mode DOS programs.  However, any
	  recent version of DOSEMU, X, or vbetool should be fully
	  functional even without kernel VM86 support, as they will all
	  fall back to software emulation. Nevertheless, if you are using
	  a 16-bit DOS program where 16-bit performance matters, vm86
	  mode might be faster than emulation and you might want to
	  enable this option.

	  Note that any app that works on a 64-bit kernel is unlikely to
	  need this option, as 64-bit kernels don't, and can't, support
	  V8086 mode. This option is also unrelated to 16-bit protected
	  mode and is not needed to run most 16-bit programs under Wine.

	  Enabling this option increases the complexity of the kernel
	  and slows down exception handling a tiny bit.

	  If unsure, say N here.

config VM86
	bool
	default X86_LEGACY_VM86

config X86_16BIT
	bool "Enable support for 16-bit segments" if EXPERT
	default y
	depends on MODIFY_LDT_SYSCALL
	help
	  This option is required by programs like Wine to run 16-bit
	  protected mode legacy code on x86 processors.  Disabling
	  this option saves about 300 bytes on i386, or around 6K text
	  plus 16K runtime memory on x86-64,

config X86_ESPFIX32
	def_bool y
	depends on X86_16BIT && X86_32

config X86_ESPFIX64
	def_bool y
	depends on X86_16BIT && X86_64

config X86_VSYSCALL_EMULATION
	bool "Enable vsyscall emulation" if EXPERT
	default y
	depends on X86_64
	help
	  This enables emulation of the legacy vsyscall page.  Disabling
	  it is roughly equivalent to booting with vsyscall=none, except
	  that it will also disable the helpful warning if a program
	  tries to use a vsyscall.  With this option set to N, offending
	  programs will just segfault, citing addresses of the form
	  0xffffffffff600?00.

	  This option is required by many programs built before 2013, and
	  care should be used even with newer programs if set to N.

	  Disabling this option saves about 7K of kernel size and
	  possibly 4K of additional runtime pagetable memory.

config X86_IOPL_IOPERM
	bool "IOPERM and IOPL Emulation"
	default y
	help
	  This enables the ioperm() and iopl() syscalls which are necessary
	  for legacy applications.

	  Legacy IOPL support is an overbroad mechanism which allows user
	  space aside of accessing all 65536 I/O ports also to disable
	  interrupts. To gain this access the caller needs CAP_SYS_RAWIO
	  capabilities and permission from potentially active security
	  modules.

	  The emulation restricts the functionality of the syscall to
	  only allowing the full range I/O port access, but prevents the
	  ability to disable interrupts from user space which would be
	  granted if the hardware IOPL mechanism would be used.

config TOSHIBA
	tristate "Toshiba Laptop support"
	depends on X86_32
	help
	  This adds a driver to safely access the System Management Mode of
	  the CPU on Toshiba portables with a genuine Toshiba BIOS. It does
	  not work on models with a Phoenix BIOS. The System Management Mode
	  is used to set the BIOS and power saving options on Toshiba portables.

	  For information on utilities to make use of this driver see the
	  Toshiba Linux utilities web site at:
	  <http://www.buzzard.org.uk/toshiba/>.

	  Say Y if you intend to run this kernel on a Toshiba portable.
	  Say N otherwise.

config X86_REBOOTFIXUPS
	bool "Enable X86 board specific fixups for reboot"
	depends on X86_32
	help
	  This enables chipset and/or board specific fixups to be done
	  in order to get reboot to work correctly. This is only needed on
	  some combinations of hardware and BIOS. The symptom, for which
	  this config is intended, is when reboot ends with a stalled/hung
	  system.

	  Currently, the only fixup is for the Geode machines using
	  CS5530A and CS5536 chipsets and the RDC R-321x SoC.

	  Say Y if you want to enable the fixup. Currently, it's safe to
	  enable this option even if you don't need it.
	  Say N otherwise.

config MICROCODE
	def_bool y
	depends on CPU_SUP_AMD || CPU_SUP_INTEL
	select CRYPTO_LIB_SHA256 if CPU_SUP_AMD

config MICROCODE_INITRD32
	def_bool y
	depends on MICROCODE && X86_32 && BLK_DEV_INITRD

config MICROCODE_LATE_LOADING
	bool "Late microcode loading (DANGEROUS)"
	default n
	depends on MICROCODE && SMP
	help
	  Loading microcode late, when the system is up and executing instructions
	  is a tricky business and should be avoided if possible. Just the sequence
	  of synchronizing all cores and SMT threads is one fragile dance which does
	  not guarantee that cores might not softlock after the loading. Therefore,
	  use this at your own risk. Late loading taints the kernel unless the
	  microcode header indicates that it is safe for late loading via the
	  minimal revision check. This minimal revision check can be enforced on
	  the kernel command line with "microcode=force_minrev".

config MICROCODE_LATE_FORCE_MINREV
	bool "Enforce late microcode loading minimal revision check"
	default n
	depends on MICROCODE_LATE_LOADING
	help
	  To prevent that users load microcode late which modifies already
	  in use features, newer microcode patches have a minimum revision field
	  in the microcode header, which tells the kernel which minimum
	  revision must be active in the CPU to safely load that new microcode
	  late into the running system. If disabled the check will not
	  be enforced but the kernel will be tainted when the minimal
	  revision check fails.

	  This minimal revision check can also be controlled via the
	  "microcode=force_minrev" parameter on the kernel command line.

	  If unsure say Y.

config MICROCODE_DBG
	bool "Enable microcode loader debugging"
	default n
	depends on MICROCODE
	help
	  Enable code which allows to debug the microcode loader. When running
	  in a guest the patch loading is simulated but everything else
	  related to patch parsing and handling is done as on baremetal with
	  the purpose of debugging solely the software side of things. On
	  baremetal, it simply dumps additional debugging information during
	  normal operation.

	  You almost certainly want to say n here.

config X86_MSR
	tristate "/dev/cpu/*/msr - Model-specific register support"
	help
	  This device gives privileged processes access to the x86
	  Model-Specific Registers (MSRs).  It is a character device with
	  major 202 and minors 0 to 31 for /dev/cpu/0/msr to /dev/cpu/31/msr.
	  MSR accesses are directed to a specific CPU on multi-processor
	  systems.

config X86_CPUID
	tristate "/dev/cpu/*/cpuid - CPU information support"
	help
	  This device gives processes access to the x86 CPUID instruction to
	  be executed on a specific processor.  It is a character device
	  with major 203 and minors 0 to 31 for /dev/cpu/0/cpuid to
	  /dev/cpu/31/cpuid.

config HIGHMEM4G
	bool "High Memory Support"
	depends on X86_32
	help
	  Linux can use up to 4 Gigabytes of physical memory on x86 systems.
	  However, the address space of 32-bit x86 processors is only 4
	  Gigabytes large. That means that, if you have a large amount of
	  physical memory, not all of it can be "permanently mapped" by the
	  kernel. The physical memory that's not permanently mapped is called
	  "high memory".

	  If you are compiling a kernel which will never run on a machine with
	  more than 1 Gigabyte total physical RAM, answer "off" here (default
	  choice and suitable for most users). This will result in a "3GB/1GB"
	  split: 3GB are mapped so that each process sees a 3GB virtual memory
	  space and the remaining part of the 4GB virtual memory space is used
	  by the kernel to permanently map as much physical memory as
	  possible.

	  If the machine has between 1 and 4 Gigabytes physical RAM, then
	  answer "Y" here.

	  If unsure, say N.

choice
	prompt "Memory split" if EXPERT
	default VMSPLIT_3G
	depends on X86_32
	help
	  Select the desired split between kernel and user memory.

	  If the address range available to the kernel is less than the
	  physical memory installed, the remaining memory will be available
	  as "high memory". Accessing high memory is a little more costly
	  than low memory, as it needs to be mapped into the kernel first.
	  Note that increasing the kernel address space limits the range
	  available to user programs, making the address space there
	  tighter.  Selecting anything other than the default 3G/1G split
	  will also likely make your kernel incompatible with binary-only
	  kernel modules.

	  If you are not absolutely sure what you are doing, leave this
	  option alone!

	config VMSPLIT_3G
		bool "3G/1G user/kernel split"
	config VMSPLIT_3G_OPT
		depends on !X86_PAE
		bool "3G/1G user/kernel split (for full 1G low memory)"
	config VMSPLIT_2G
		bool "2G/2G user/kernel split"
	config VMSPLIT_2G_OPT
		depends on !X86_PAE
		bool "2G/2G user/kernel split (for full 2G low memory)"
	config VMSPLIT_1G
		bool "1G/3G user/kernel split"
endchoice

config PAGE_OFFSET
	hex
	default 0xB0000000 if VMSPLIT_3G_OPT
	default 0x80000000 if VMSPLIT_2G
	default 0x78000000 if VMSPLIT_2G_OPT
	default 0x40000000 if VMSPLIT_1G
	default 0xC0000000
	depends on X86_32

config HIGHMEM
	def_bool HIGHMEM4G

config X86_PAE
	bool "PAE (Physical Address Extension) Support"
	depends on X86_32 && X86_HAVE_PAE
	select PHYS_ADDR_T_64BIT
	help
	  PAE is required for NX support, and furthermore enables
	  larger swapspace support for non-overcommit purposes. It
	  has the cost of more pagetable lookup overhead, and also
	  consumes more pagetable space per process.

config X86_DIRECT_GBPAGES
	def_bool y
	depends on X86_64
	help
	  Certain kernel features effectively disable kernel
	  linear 1 GB mappings (even if the CPU otherwise
	  supports them), so don't confuse the user by printing
	  that we have them enabled.

config X86_CPA_STATISTICS
	bool "Enable statistic for Change Page Attribute"
	depends on DEBUG_FS
	help
	  Expose statistics about the Change Page Attribute mechanism, which
	  helps to determine the effectiveness of preserving large and huge
	  page mappings when mapping protections are changed.

config X86_MEM_ENCRYPT
	select ARCH_HAS_FORCE_DMA_UNENCRYPTED
	select DYNAMIC_PHYSICAL_MASK
	def_bool n

config AMD_MEM_ENCRYPT
	bool "AMD Secure Memory Encryption (SME) support"
	depends on X86_64 && CPU_SUP_AMD
	depends on EFI_STUB
	select DMA_COHERENT_POOL
	select ARCH_USE_MEMREMAP_PROT
	select INSTRUCTION_DECODER
	select ARCH_HAS_CC_PLATFORM
	select X86_MEM_ENCRYPT
	select UNACCEPTED_MEMORY
	select CRYPTO_LIB_AESGCM
	help
	  Say yes to enable support for the encryption of system memory.
	  This requires an AMD processor that supports Secure Memory
	  Encryption (SME).

# Common NUMA Features
config NUMA
	bool "NUMA Memory Allocation and Scheduler Support"
	depends on SMP
	depends on X86_64
	select USE_PERCPU_NUMA_NODE_ID
	select OF_NUMA if OF
	help
	  Enable NUMA (Non-Uniform Memory Access) support.

	  The kernel will try to allocate memory used by a CPU on the
	  local memory controller of the CPU and add some more
	  NUMA awareness to the kernel.

	  For 64-bit this is recommended if the system is Intel Core i7
	  (or later), AMD Opteron, or EM64T NUMA.

	  Otherwise, you should say N.

config AMD_NUMA
	def_bool y
	prompt "Old style AMD Opteron NUMA detection"
	depends on X86_64 && NUMA && PCI
	help
	  Enable AMD NUMA node topology detection.  You should say Y here if
	  you have a multi processor AMD system. This uses an old method to
	  read the NUMA configuration directly from the builtin Northbridge
	  of Opteron. It is recommended to use X86_64_ACPI_NUMA instead,
	  which also takes priority if both are compiled in.

config X86_64_ACPI_NUMA
	def_bool y
	prompt "ACPI NUMA detection"
	depends on X86_64 && NUMA && ACPI && PCI
	select ACPI_NUMA
	help
	  Enable ACPI SRAT based node topology detection.

config NODES_SHIFT
	int "Maximum NUMA Nodes (as a power of 2)" if !MAXSMP
	range 1 10
	default "10" if MAXSMP
	default "6" if X86_64
	default "3"
	depends on NUMA
	help
	  Specify the maximum number of NUMA Nodes available on the target
	  system.  Increases memory reserved to accommodate various tables.

config ARCH_FLATMEM_ENABLE
	def_bool y
	depends on X86_32 && !NUMA

config ARCH_SPARSEMEM_ENABLE
	def_bool y
	select SPARSEMEM_STATIC if X86_32
	select SPARSEMEM_VMEMMAP_ENABLE if X86_64

config ARCH_SPARSEMEM_DEFAULT
	def_bool X86_64 || (NUMA && X86_32)

config ARCH_SELECT_MEMORY_MODEL
	def_bool y
	depends on ARCH_SPARSEMEM_ENABLE && ARCH_FLATMEM_ENABLE

config ARCH_MEMORY_PROBE
	bool "Enable sysfs memory/probe interface"
	depends on MEMORY_HOTPLUG
	help
	  This option enables a sysfs memory/probe interface for testing.
	  See Documentation/admin-guide/mm/memory-hotplug.rst for more information.
	  If you are unsure how to answer this question, answer N.

config ARCH_PROC_KCORE_TEXT
	def_bool y
	depends on X86_64 && PROC_KCORE

config ILLEGAL_POINTER_VALUE
	hex
	default 0 if X86_32
	default 0xdead000000000000 if X86_64

config X86_PMEM_LEGACY_DEVICE
	bool

config X86_PMEM_LEGACY
	tristate "Support non-standard NVDIMMs and ADR protected memory"
	depends on PHYS_ADDR_T_64BIT
	depends on BLK_DEV
	select X86_PMEM_LEGACY_DEVICE
	select NUMA_KEEP_MEMINFO if NUMA
	select LIBNVDIMM
	help
	  Treat memory marked using the non-standard e820 type of 12 as used
	  by the Intel Sandy Bridge-EP reference BIOS as protected memory.
	  The kernel will offer these regions to the 'pmem' driver so
	  they can be used for persistent storage.

	  Say Y if unsure.

config X86_CHECK_BIOS_CORRUPTION
	bool "Check for low memory corruption"
	help
	  Periodically check for memory corruption in low memory, which
	  is suspected to be caused by BIOS.  Even when enabled in the
	  configuration, it is disabled at runtime.  Enable it by
	  setting "memory_corruption_check=1" on the kernel command
	  line.  By default it scans the low 64k of memory every 60
	  seconds; see the memory_corruption_check_size and
	  memory_corruption_check_period parameters in
	  Documentation/admin-guide/kernel-parameters.rst to adjust this.

	  When enabled with the default parameters, this option has
	  almost no overhead, as it reserves a relatively small amount
	  of memory and scans it infrequently.  It both detects corruption
	  and prevents it from affecting the running system.

	  It is, however, intended as a diagnostic tool; if repeatable
	  BIOS-originated corruption always affects the same memory,
	  you can use memmap= to prevent the kernel from using that
	  memory.

config X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK
	bool "Set the default setting of memory_corruption_check"
	depends on X86_CHECK_BIOS_CORRUPTION
	default y
	help
	  Set whether the default state of memory_corruption_check is
	  on or off.

config MATH_EMULATION
	bool
	depends on MODIFY_LDT_SYSCALL
	prompt "Math emulation" if X86_32 && (M486SX || MELAN)
	help
	  Linux can emulate a math coprocessor (used for floating point
	  operations) if you don't have one. 486DX and Pentium processors have
	  a math coprocessor built in, 486SX and 386 do not, unless you added
	  a 487DX or 387, respectively. (The messages during boot time can
	  give you some hints here ["man dmesg"].) Everyone needs either a
	  coprocessor or this emulation.

	  If you don't have a math coprocessor, you need to say Y here; if you
	  say Y here even though you have a coprocessor, the coprocessor will
	  be used nevertheless. (This behavior can be changed with the kernel
	  command line option "no387", which comes handy if your coprocessor
	  is broken. Try "man bootparam" or see the documentation of your boot
	  loader (lilo or loadlin) about how to pass options to the kernel at
	  boot time.) This means that it is a good idea to say Y here if you
	  intend to use this kernel on different machines.

	  More information about the internals of the Linux math coprocessor
	  emulation can be found in <file:arch/x86/math-emu/README>.

	  If you are not sure, say Y; apart from resulting in a 66 KB bigger
	  kernel, it won't hurt.

config MTRR
	def_bool y
	prompt "MTRR (Memory Type Range Register) support" if EXPERT
	help
	  On Intel P6 family processors (Pentium Pro, Pentium II and later)
	  the Memory Type Range Registers (MTRRs) may be used to control
	  processor access to memory ranges. This is most useful if you have
	  a video (VGA) card on a PCI or AGP bus. Enabling write-combining
	  allows bus write transfers to be combined into a larger transfer
	  before bursting over the PCI/AGP bus. This can increase performance
	  of image write operations 2.5 times or more. Saying Y here creates a
	  /proc/mtrr file which may be used to manipulate your processor's
	  MTRRs. Typically the X server should use this.

	  This code has a reasonably generic interface so that similar
	  control registers on other processors can be easily supported
	  as well:

	  The Cyrix 6x86, 6x86MX and M II processors have Address Range
	  Registers (ARRs) which provide a similar functionality to MTRRs. For
	  these, the ARRs are used to emulate the MTRRs.
	  The AMD K6-2 (stepping 8 and above) and K6-3 processors have two
	  MTRRs. The Centaur C6 (WinChip) has 8 MCRs, allowing
	  write-combining. All of these processors are supported by this code
	  and it makes sense to say Y here if you have one of them.

	  Saying Y here also fixes a problem with buggy SMP BIOSes which only
	  set the MTRRs for the boot CPU and not for the secondary CPUs. This
	  can lead to all sorts of problems, so it's good to say Y here.

	  You can safely say Y even if your machine doesn't have MTRRs, you'll
	  just add about 9 KB to your kernel.

	  See <file:Documentation/arch/x86/mtrr.rst> for more information.

config MTRR_SANITIZER
	def_bool y
	prompt "MTRR cleanup support"
	depends on MTRR
	help
	  Convert MTRR layout from continuous to discrete, so X drivers can
	  add writeback entries.

	  Can be disabled with disable_mtrr_cleanup on the kernel command line.
	  The largest mtrr entry size for a continuous block can be set with
	  mtrr_chunk_size.

	  If unsure, say Y.

config MTRR_SANITIZER_ENABLE_DEFAULT
	int "MTRR cleanup enable value (0-1)"
	range 0 1
	default "0"
	depends on MTRR_SANITIZER
	help
	  Enable mtrr cleanup default value

config MTRR_SANITIZER_SPARE_REG_NR_DEFAULT
	int "MTRR cleanup spare reg num (0-7)"
	range 0 7
	default "1"
	depends on MTRR_SANITIZER
	help
	  mtrr cleanup spare entries default, it can be changed via
	  mtrr_spare_reg_nr=N on the kernel command line.

config X86_PAT
	def_bool y
	prompt "x86 PAT support" if EXPERT
	depends on MTRR
	select ARCH_USES_PG_ARCH_2
	help
	  Use PAT attributes to setup page level cache control.

	  PATs are the modern equivalents of MTRRs and are much more
	  flexible than MTRRs.

	  Say N here if you see bootup problems (boot crash, boot hang,
	  spontaneous reboots) or a non-working video driver.

	  If unsure, say Y.

config X86_UMIP
	def_bool y
	prompt "User Mode Instruction Prevention" if EXPERT
	help
	  User Mode Instruction Prevention (UMIP) is a security feature in
	  some x86 processors. If enabled, a general protection fault is
	  issued if the SGDT, SLDT, SIDT, SMSW or STR instructions are
	  executed in user mode. These instructions unnecessarily expose
	  information about the hardware state.

	  The vast majority of applications do not use these instructions.
	  For the very few that do, software emulation is provided in
	  specific cases in protected and virtual-8086 modes. Emulated
	  results are dummy.

config CC_HAS_IBT
	# GCC >= 9 and binutils >= 2.29
	# Retpoline check to work around https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93654
	def_bool ((CC_IS_GCC && $(cc-option, -fcf-protection=branch -mindirect-branch-register)) || CC_IS_CLANG) && \
		  $(as-instr,endbr64)

config X86_CET
	def_bool n
	help
	  CET features configured (Shadow stack or IBT)

config X86_KERNEL_IBT
	prompt "Indirect Branch Tracking"
	def_bool y
	depends on X86_64 && CC_HAS_IBT && HAVE_OBJTOOL
	select OBJTOOL
	select X86_CET
	help
	  Build the kernel with support for Indirect Branch Tracking, a
	  hardware support course-grain forward-edge Control Flow Integrity
	  protection. It enforces that all indirect calls must land on
	  an ENDBR instruction, as such, the compiler will instrument the
	  code with them to make this happen.

	  In addition to building the kernel with IBT, seal all functions that
	  are not indirect call targets, avoiding them ever becoming one.

	  This requires LTO like objtool runs and will slow down the build. It
	  does significantly reduce the number of ENDBR instructions in the
	  kernel image.

config X86_INTEL_MEMORY_PROTECTION_KEYS
	prompt "Memory Protection Keys"
	def_bool y
	# Note: only available in 64-bit mode
	depends on X86_64 && (CPU_SUP_INTEL || CPU_SUP_AMD)
	select ARCH_USES_HIGH_VMA_FLAGS
	select ARCH_HAS_PKEYS
	help
	  Memory Protection Keys provides a mechanism for enforcing
	  page-based protections, but without requiring modification of the
	  page tables when an application changes protection domains.

	  For details, see Documentation/core-api/protection-keys.rst

	  If unsure, say y.

config ARCH_PKEY_BITS
	int
	default 4

choice
	prompt "TSX enable mode"
	depends on CPU_SUP_INTEL
	default X86_INTEL_TSX_MODE_AUTO
	help
	  Intel's TSX (Transactional Synchronization Extensions) feature
	  allows to optimize locking protocols through lock elision which
	  can lead to a noticeable performance boost.

	  On the other hand it has been shown that TSX can be exploited
	  to form side channel attacks (e.g. TAA) and chances are there
	  will be more of those attacks discovered in the future.

	  Therefore TSX is not enabled by default (aka tsx=off). An admin
	  might override this decision by tsx=on the command line parameter.
	  Even with TSX enabled, the kernel will attempt to enable the best
	  possible TAA mitigation setting depending on the microcode available
	  for the particular machine.

	  This option allows to set the default tsx mode between tsx=on, =off
	  and =auto. See Documentation/admin-guide/kernel-parameters.txt for more
	  details.

	  Say off if not sure, auto if TSX is in use but it should be used on safe
	  platforms or on if TSX is in use and the security aspect of tsx is not
	  relevant.

config X86_INTEL_TSX_MODE_OFF
	bool "off"
	help
	  TSX is disabled if possible - equals to tsx=off command line parameter.

config X86_INTEL_TSX_MODE_ON
	bool "on"
	help
	  TSX is always enabled on TSX capable HW - equals the tsx=on command
	  line parameter.

config X86_INTEL_TSX_MODE_AUTO
	bool "auto"
	help
	  TSX is enabled on TSX capable HW that is believed to be safe against
	  side channel attacks- equals the tsx=auto command line parameter.
endchoice

config X86_SGX
	bool "Software Guard eXtensions (SGX)"
	depends on X86_64 && CPU_SUP_INTEL && X86_X2APIC
	select CRYPTO_LIB_SHA256
	select MMU_NOTIFIER
	select NUMA_KEEP_MEMINFO if NUMA
	select XARRAY_MULTI
	help
	  Intel(R) Software Guard eXtensions (SGX) is a set of CPU instructions
	  that can be used by applications to set aside private regions of code
	  and data, referred to as enclaves. An enclave's private memory can
	  only be accessed by code running within the enclave. Accesses from
	  outside the enclave, including other enclaves, are disallowed by
	  hardware.

	  If unsure, say N.

config X86_USER_SHADOW_STACK
	bool "X86 userspace shadow stack"
	depends on AS_WRUSS
	depends on X86_64
	depends on PER_VMA_LOCK
	select ARCH_USES_HIGH_VMA_FLAGS
	select ARCH_HAS_USER_SHADOW_STACK
	select X86_CET
	help
	  Shadow stack protection is a hardware feature that detects function
	  return address corruption.  This helps mitigate ROP attacks.
	  Applications must be enabled to use it, and old userspace does not
	  get protection "for free".

	  CPUs supporting shadow stacks were first released in 2020.

	  See Documentation/arch/x86/shstk.rst for more information.

	  If unsure, say N.

config INTEL_TDX_HOST
	bool "Intel Trust Domain Extensions (TDX) host support"
	depends on CPU_SUP_INTEL
	depends on X86_64
	depends on KVM_INTEL
	depends on X86_X2APIC
	select ARCH_KEEP_MEMBLOCK
	depends on CONTIG_ALLOC
	depends on X86_MCE
	help
	  Intel Trust Domain Extensions (TDX) protects guest VMs from malicious
	  host and certain physical attacks.  This option enables necessary TDX
	  support in the host kernel to run confidential VMs.

	  If unsure, say N.

config EFI
	bool "EFI runtime service support"
	depends on ACPI
	select UCS2_STRING
	select EFI_RUNTIME_WRAPPERS
	select ARCH_USE_MEMREMAP_PROT
	select EFI_RUNTIME_MAP if KEXEC_CORE
	help
	  This enables the kernel to use EFI runtime services that are
	  available (such as the EFI variable services).

	  This option is only useful on systems that have EFI firmware.
	  In addition, you should use the latest ELILO loader available
	  at <http://elilo.sourceforge.net> in order to take advantage
	  of EFI runtime services. However, even with this option, the
	  resultant kernel should continue to boot on existing non-EFI
	  platforms.

config EFI_STUB
	bool "EFI stub support"
	depends on EFI
	select RELOCATABLE
	help
	  This kernel feature allows a bzImage to be loaded directly
	  by EFI firmware without the use of a bootloader.

	  See Documentation/admin-guide/efi-stub.rst for more information.

config EFI_HANDOVER_PROTOCOL
	bool "EFI handover protocol (DEPRECATED)"
	depends on EFI_STUB
	default y
	help
	  Select this in order to include support for the deprecated EFI
	  handover protocol, which defines alternative entry points into the
	  EFI stub.  This is a practice that has no basis in the UEFI
	  specification, and requires a priori knowledge on the part of the
	  bootloader about Linux/x86 specific ways of passing the command line
	  and initrd, and where in memory those assets may be loaded.

	  If in doubt, say Y. Even though the corresponding support is not
	  present in upstream GRUB or other bootloaders, most distros build
	  GRUB with numerous downstream patches applied, and may rely on the
	  handover protocol as as result.

config EFI_MIXED
	bool "EFI mixed-mode support"
	depends on EFI_STUB && X86_64
	help
	  Enabling this feature allows a 64-bit kernel to be booted
	  on a 32-bit firmware, provided that your CPU supports 64-bit
	  mode.

	  Note that it is not possible to boot a mixed-mode enabled
	  kernel via the EFI boot stub - a bootloader that supports
	  the EFI handover protocol must be used.

	  If unsure, say N.

config EFI_RUNTIME_MAP
	bool "Export EFI runtime maps to sysfs" if EXPERT
	depends on EFI
	help
	  Export EFI runtime memory regions to /sys/firmware/efi/runtime-map.
	  That memory map is required by the 2nd kernel to set up EFI virtual
	  mappings after kexec, but can also be used for debugging purposes.

	  See also Documentation/ABI/testing/sysfs-firmware-efi-runtime-map.

source "kernel/Kconfig.hz"

config ARCH_SUPPORTS_KEXEC
	def_bool y

config ARCH_SUPPORTS_KEXEC_FILE
	def_bool X86_64

config ARCH_SELECTS_KEXEC_FILE
	def_bool y
	depends on KEXEC_FILE
	select HAVE_IMA_KEXEC if IMA

config ARCH_SUPPORTS_KEXEC_PURGATORY
	def_bool y

config ARCH_SUPPORTS_KEXEC_SIG
	def_bool y

config ARCH_SUPPORTS_KEXEC_SIG_FORCE
	def_bool y

config ARCH_SUPPORTS_KEXEC_BZIMAGE_VERIFY_SIG
	def_bool y

config ARCH_SUPPORTS_KEXEC_JUMP
	def_bool y

config ARCH_SUPPORTS_KEXEC_HANDOVER
	def_bool X86_64

config ARCH_SUPPORTS_CRASH_DUMP
	def_bool X86_64 || (X86_32 && HIGHMEM)

config ARCH_DEFAULT_CRASH_DUMP
	def_bool y

config ARCH_SUPPORTS_CRASH_HOTPLUG
	def_bool y

config ARCH_HAS_GENERIC_CRASHKERNEL_RESERVATION
	def_bool CRASH_RESERVE

config PHYSICAL_START
	hex "Physical address where the kernel is loaded" if (EXPERT || CRASH_DUMP)
	default "0x1000000"
	help
	  This gives the physical address where the kernel is loaded.

	  If the kernel is not relocatable (CONFIG_RELOCATABLE=n) then bzImage
	  will decompress itself to above physical address and run from there.
	  Otherwise, bzImage will run from the address where it has been loaded
	  by the boot loader. The only exception is if it is loaded below the
	  above physical address, in which case it will relocate itself there.

	  In normal kdump cases one does not have to set/change this option
	  as now bzImage can be compiled as a completely relocatable image
	  (CONFIG_RELOCATABLE=y) and be used to load and run from a different
	  address. This option is mainly useful for the folks who don't want
	  to use a bzImage for capturing the crash dump and want to use a
	  vmlinux instead. vmlinux is not relocatable hence a kernel needs
	  to be specifically compiled to run from a specific memory area
	  (normally a reserved region) and this option comes handy.

	  So if you are using bzImage for capturing the crash dump,
	  leave the value here unchanged to 0x1000000 and set
	  CONFIG_RELOCATABLE=y.  Otherwise if you plan to use vmlinux
	  for capturing the crash dump change this value to start of
	  the reserved region.  In other words, it can be set based on
	  the "X" value as specified in the "crashkernel=YM@XM"
	  command line boot parameter passed to the panic-ed
	  kernel. Please take a look at Documentation/admin-guide/kdump/kdump.rst
	  for more details about crash dumps.

	  Usage of bzImage for capturing the crash dump is recommended as
	  one does not have to build two kernels. Same kernel can be used
	  as production kernel and capture kernel. Above option should have
	  gone away after relocatable bzImage support is introduced. But it
	  is present because there are users out there who continue to use
	  vmlinux for dump capture. This option should go away down the
	  line.

	  Don't change this unless you know what you are doing.

config RELOCATABLE
	bool "Build a relocatable kernel"
	default y
	help
	  This builds a kernel image that retains relocation information
	  so it can be loaded someplace besides the default 1MB.
	  The relocations tend to make the kernel binary about 10% larger,
	  but are discarded at runtime.

	  One use is for the kexec on panic case where the recovery kernel
	  must live at a different physical address than the primary
	  kernel.

	  Note: If CONFIG_RELOCATABLE=y, then the kernel runs from the address
	  it has been loaded at and the compile time physical address
	  (CONFIG_PHYSICAL_START) is used as the minimum location.

config RANDOMIZE_BASE
	bool "Randomize the address of the kernel image (KASLR)"
	depends on RELOCATABLE
	default y
	help
	  In support of Kernel Address Space Layout Randomization (KASLR),
	  this randomizes the physical address at which the kernel image
	  is decompressed and the virtual address where the kernel
	  image is mapped, as a security feature that deters exploit
	  attempts relying on knowledge of the location of kernel
	  code internals.

	  On 64-bit, the kernel physical and virtual addresses are
	  randomized separately. The physical address will be anywhere
	  between 16MB and the top of physical memory (up to 64TB). The
	  virtual address will be randomized from 16MB up to 1GB (9 bits
	  of entropy). Note that this also reduces the memory space
	  available to kernel modules from 1.5GB to 1GB.

	  On 32-bit, the kernel physical and virtual addresses are
	  randomized together. They will be randomized from 16MB up to
	  512MB (8 bits of entropy).

	  Entropy is generated using the RDRAND instruction if it is
	  supported. If RDTSC is supported, its value is mixed into
	  the entropy pool as well. If neither RDRAND nor RDTSC are
	  supported, then entropy is read from the i8254 timer. The
	  usable entropy is limited by the kernel being built using
	  2GB addressing, and that PHYSICAL_ALIGN must be at a
	  minimum of 2MB. As a result, only 10 bits of entropy are
	  theoretically possible, but the implementations are further
	  limited due to memory layouts.

	  If unsure, say Y.

# Relocation on x86 needs some additional build support
config X86_NEED_RELOCS
	def_bool y
	depends on RANDOMIZE_BASE || (X86_32 && RELOCATABLE)
	select ARCH_VMLINUX_NEEDS_RELOCS

config PHYSICAL_ALIGN
	hex "Alignment value to which kernel should be aligned"
	default "0x200000"
	range 0x2000 0x1000000 if X86_32
	range 0x200000 0x1000000 if X86_64
	help
	  This value puts the alignment restrictions on physical address
	  where kernel is loaded and run from. Kernel is compiled for an
	  address which meets above alignment restriction.

	  If bootloader loads the kernel at a non-aligned address and
	  CONFIG_RELOCATABLE is set, kernel will move itself to nearest
	  address aligned to above value and run from there.

	  If bootloader loads the kernel at a non-aligned address and
	  CONFIG_RELOCATABLE is not set, kernel will ignore the run time
	  load address and decompress itself to the address it has been
	  compiled for and run from there. The address for which kernel is
	  compiled already meets above alignment restrictions. Hence the
	  end result is that kernel runs from a physical address meeting
	  above alignment restrictions.

	  On 32-bit this value must be a multiple of 0x2000. On 64-bit
	  this value must be a multiple of 0x200000.

	  Don't change this unless you know what you are doing.

config RANDOMIZE_MEMORY
	bool "Randomize the kernel memory sections"
	depends on X86_64
	depends on RANDOMIZE_BASE
	default RANDOMIZE_BASE
	help
	  Randomizes the base virtual address of kernel memory sections
	  (physical memory mapping, vmalloc & vmemmap). This security feature
	  makes exploits relying on predictable memory locations less reliable.

	  The order of allocations remains unchanged. Entropy is generated in
	  the same way as RANDOMIZE_BASE. Current implementation in the optimal
	  configuration have in average 30,000 different possible virtual
	  addresses for each memory section.

	  If unsure, say Y.

config RANDOMIZE_MEMORY_PHYSICAL_PADDING
	hex "Physical memory mapping padding" if EXPERT
	depends on RANDOMIZE_MEMORY
	default "0xa" if MEMORY_HOTPLUG
	default "0x0"
	range 0x1 0x40 if MEMORY_HOTPLUG
	range 0x0 0x40
	help
	  Define the padding in terabytes added to the existing physical
	  memory size during kernel memory randomization. It is useful
	  for memory hotplug support but reduces the entropy available for
	  address randomization.

	  If unsure, leave at the default value.

config ADDRESS_MASKING
	bool "Linear Address Masking support"
	depends on X86_64
	depends on COMPILE_TEST || !CPU_MITIGATIONS # wait for LASS
	help
	  Linear Address Masking (LAM) modifies the checking that is applied
	  to 64-bit linear addresses, allowing software to use of the
	  untranslated address bits for metadata.

	  The capability can be used for efficient address sanitizers (ASAN)
	  implementation and for optimizations in JITs.

config HOTPLUG_CPU
	def_bool y
	depends on SMP

config COMPAT_VDSO
	def_bool n
	prompt "Workaround for glibc 2.3.2 / 2.3.3 (released in year 2003/2004)"
	depends on COMPAT_32
	help
	  Certain buggy versions of glibc will crash if they are
	  presented with a 32-bit vDSO that is not mapped at the address
	  indicated in its segment table.

	  The bug was introduced by f866314b89d56845f55e6f365e18b31ec978ec3a
	  and fixed by 3b3ddb4f7db98ec9e912ccdf54d35df4aa30e04a and
	  49ad572a70b8aeb91e57483a11dd1b77e31c4468.  Glibc 2.3.3 is
	  the only released version with the bug, but OpenSUSE 9
	  contains a buggy "glibc 2.3.2".

	  The symptom of the bug is that everything crashes on startup, saying:
	  dl_main: Assertion `(void *) ph->p_vaddr == _rtld_local._dl_sysinfo_dso' failed!

	  Saying Y here changes the default value of the vdso32 boot
	  option from 1 to 0, which turns off the 32-bit vDSO entirely.
	  This works around the glibc bug but hurts performance.

	  If unsure, say N: if you are compiling your own kernel, you
	  are unlikely to be using a buggy version of glibc.

choice
	prompt "vsyscall table for legacy applications"
	depends on X86_64
	default LEGACY_VSYSCALL_XONLY
	help
	  Legacy user code that does not know how to find the vDSO expects
	  to be able to issue three syscalls by calling fixed addresses in
	  kernel space. Since this location is not randomized with ASLR,
	  it can be used to assist security vulnerability exploitation.

	  This setting can be changed at boot time via the kernel command
	  line parameter vsyscall=[emulate|xonly|none].  Emulate mode
	  is deprecated and can only be enabled using the kernel command
	  line.

	  On a system with recent enough glibc (2.14 or newer) and no
	  static binaries, you can say None without a performance penalty
	  to improve security.

	  If unsure, select "Emulate execution only".

	config LEGACY_VSYSCALL_XONLY
		bool "Emulate execution only"
		help
		  The kernel traps and emulates calls into the fixed vsyscall
		  address mapping and does not allow reads.  This
		  configuration is recommended when userspace might use the
		  legacy vsyscall area but support for legacy binary
		  instrumentation of legacy code is not needed.  It mitigates
		  certain uses of the vsyscall area as an ASLR-bypassing
		  buffer.

	config LEGACY_VSYSCALL_NONE
		bool "None"
		help
		  There will be no vsyscall mapping at all. This will
		  eliminate any risk of ASLR bypass due to the vsyscall
		  fixed address mapping. Attempts to use the vsyscalls
		  will be reported to dmesg, so that either old or
		  malicious userspace programs can be identified.

endchoice

config CMDLINE_BOOL
	bool "Built-in kernel command line"
	help
	  Allow for specifying boot arguments to the kernel at
	  build time.  On some systems (e.g. embedded ones), it is
	  necessary or convenient to provide some or all of the
	  kernel boot arguments with the kernel itself (that is,
	  to not rely on the boot loader to provide them.)

	  To compile command line arguments into the kernel,
	  set this option to 'Y', then fill in the
	  boot arguments in CONFIG_CMDLINE.

	  Systems with fully functional boot loaders (i.e. non-embedded)
	  should leave this option set to 'N'.

config CMDLINE
	string "Built-in kernel command string"
	depends on CMDLINE_BOOL
	default ""
	help
	  Enter arguments here that should be compiled into the kernel
	  image and used at boot time.  If the boot loader provides a
	  command line at boot time, it is appended to this string to
	  form the full kernel command line, when the system boots.

	  However, you can use the CONFIG_CMDLINE_OVERRIDE option to
	  change this behavior.

	  In most cases, the command line (whether built-in or provided
	  by the boot loader) should specify the device for the root
	  file system.

config CMDLINE_OVERRIDE
	bool "Built-in command line overrides boot loader arguments"
	depends on CMDLINE_BOOL && CMDLINE != ""
	help
	  Set this option to 'Y' to have the kernel ignore the boot loader
	  command line, and use ONLY the built-in command line.

	  This is used to work around broken boot loaders.  This should
	  be set to 'N' under normal conditions.

config MODIFY_LDT_SYSCALL
	bool "Enable the LDT (local descriptor table)" if EXPERT
	default y
	help
	  Linux can allow user programs to install a per-process x86
	  Local Descriptor Table (LDT) using the modify_ldt(2) system
	  call.  This is required to run 16-bit or segmented code such as
	  DOSEMU or some Wine programs.  It is also used by some very old
	  threading libraries.

	  Enabling this feature adds a small amount of overhead to
	  context switches and increases the low-level kernel attack
	  surface.  Disabling it removes the modify_ldt(2) system call.

	  Saying 'N' here may make sense for embedded or server kernels.

config STRICT_SIGALTSTACK_SIZE
	bool "Enforce strict size checking for sigaltstack"
	depends on DYNAMIC_SIGFRAME
	help
	  For historical reasons MINSIGSTKSZ is a constant which became
	  already too small with AVX512 support. Add a mechanism to
	  enforce strict checking of the sigaltstack size against the
	  real size of the FPU frame. This option enables the check
	  by default. It can also be controlled via the kernel command
	  line option 'strict_sas_size' independent of this config
	  switch. Enabling it might break existing applications which
	  allocate a too small sigaltstack but 'work' because they
	  never get a signal delivered.

	  Say 'N' unless you want to really enforce this check.

config CFI_AUTO_DEFAULT
	bool "Attempt to use FineIBT by default at boot time"
	depends on FINEIBT
	depends on !RUST || RUSTC_VERSION >= 108800
	default y
	help
	  Attempt to use FineIBT by default at boot time. If enabled,
	  this is the same as booting with "cfi=auto". If disabled,
	  this is the same as booting with "cfi=kcfi".

source "kernel/livepatch/Kconfig"

config X86_BUS_LOCK_DETECT
	bool "Split Lock Detect and Bus Lock Detect support"
	depends on CPU_SUP_INTEL || CPU_SUP_AMD
	default y
	help
	  Enable Split Lock Detect and Bus Lock Detect functionalities.
	  See <file:Documentation/arch/x86/buslock.rst> for more information.

endmenu

config CC_HAS_NAMED_AS
	def_bool $(success,echo 'int __seg_fs fs; int __seg_gs gs;' | $(CC) -x c - -S -o /dev/null)
	depends on CC_IS_GCC

#
# -fsanitize=kernel-address (KASAN) and -fsanitize=thread (KCSAN)
# are incompatible with named address spaces with GCC < 13.3
# (see GCC PR sanitizer/111736 and also PR sanitizer/115172).
#

config CC_HAS_NAMED_AS_FIXED_SANITIZERS
	def_bool y
	depends on !(KASAN || KCSAN) || GCC_VERSION >= 130300
	depends on !(UBSAN_BOOL && KASAN) || GCC_VERSION >= 140200

config USE_X86_SEG_SUPPORT
	def_bool CC_HAS_NAMED_AS
	depends on CC_HAS_NAMED_AS_FIXED_SANITIZERS

config CC_HAS_SLS
	def_bool $(cc-option,-mharden-sls=all)

config CC_HAS_RETURN_THUNK
	def_bool $(cc-option,-mfunction-return=thunk-extern)

config CC_HAS_ENTRY_PADDING
	def_bool $(cc-option,-fpatchable-function-entry=16,16)

config CC_HAS_KCFI_ARITY
	def_bool $(cc-option,-fsanitize=kcfi -fsanitize-kcfi-arity)
	depends on CC_IS_CLANG && !RUST

config FUNCTION_PADDING_CFI
	int
	default 59 if FUNCTION_ALIGNMENT_64B
	default 27 if FUNCTION_ALIGNMENT_32B
	default 11 if FUNCTION_ALIGNMENT_16B
	default  3 if FUNCTION_ALIGNMENT_8B
	default  0

# Basically: FUNCTION_ALIGNMENT - 5*CFI
# except Kconfig can't do arithmetic :/
config FUNCTION_PADDING_BYTES
	int
	default FUNCTION_PADDING_CFI if CFI
	default FUNCTION_ALIGNMENT

config CALL_PADDING
	def_bool n
	depends on CC_HAS_ENTRY_PADDING && OBJTOOL
	select FUNCTION_ALIGNMENT_16B

config FINEIBT
	def_bool y
	depends on X86_KERNEL_IBT && CFI && MITIGATION_RETPOLINE
	select CALL_PADDING

config FINEIBT_BHI
	def_bool y
	depends on FINEIBT && CC_HAS_KCFI_ARITY

config HAVE_CALL_THUNKS
	def_bool y
	depends on CC_HAS_ENTRY_PADDING && MITIGATION_RETHUNK && OBJTOOL

config CALL_THUNKS
	def_bool n
	select CALL_PADDING

config PREFIX_SYMBOLS
	def_bool y
	depends on CALL_PADDING && !CFI

menuconfig CPU_MITIGATIONS
	bool "Mitigations for CPU vulnerabilities"
	default y
	help
	  Say Y here to enable options which enable mitigations for hardware
	  vulnerabilities (usually related to speculative execution).
	  Mitigations can be disabled or restricted to SMT systems at runtime
	  via the "mitigations" kernel parameter.

	  If you say N, all mitigations will be disabled.  This CANNOT be
	  overridden at runtime.

	  Say 'Y', unless you really know what you are doing.

if CPU_MITIGATIONS

config MITIGATION_PAGE_TABLE_ISOLATION
	bool "Remove the kernel mapping in user mode"
	default y
	depends on (X86_64 || X86_PAE)
	help
	  This feature reduces the number of hardware side channels by
	  ensuring that the majority of kernel addresses are not mapped
	  into userspace.

	  See Documentation/arch/x86/pti.rst for more details.

config MITIGATION_RETPOLINE
	bool "Avoid speculative indirect branches in kernel"
	select OBJTOOL if HAVE_OBJTOOL
	default y
	help
	  Compile kernel with the retpoline compiler options to guard against
	  kernel-to-user data leaks by avoiding speculative indirect
	  branches. Requires a compiler with -mindirect-branch=thunk-extern
	  support for full protection. The kernel may run slower.

config MITIGATION_RETHUNK
	bool "Enable return-thunks"
	depends on MITIGATION_RETPOLINE && CC_HAS_RETURN_THUNK
	select OBJTOOL if HAVE_OBJTOOL
	default y if X86_64
	help
	  Compile the kernel with the return-thunks compiler option to guard
	  against kernel-to-user data leaks by avoiding return speculation.
	  Requires a compiler with -mfunction-return=thunk-extern
	  support for full protection. The kernel may run slower.

config MITIGATION_UNRET_ENTRY
	bool "Enable UNRET on kernel entry"
	depends on CPU_SUP_AMD && MITIGATION_RETHUNK && X86_64
	default y
	help
	  Compile the kernel with support for the retbleed=unret mitigation.

config MITIGATION_CALL_DEPTH_TRACKING
	bool "Mitigate RSB underflow with call depth tracking"
	depends on CPU_SUP_INTEL && HAVE_CALL_THUNKS
	select HAVE_DYNAMIC_FTRACE_NO_PATCHABLE
	select CALL_THUNKS
	default y
	help
	  Compile the kernel with call depth tracking to mitigate the Intel
	  SKL Return-Stack-Buffer (RSB) underflow issue. The mitigation is off
	  by default and needs to be enabled on the kernel command line via the
	  retbleed=stuff option. For non-affected systems the overhead of this
	  option is marginal as the call depth tracking is using run-time
	  generated call thunks in a compiler generated padding area and call
	  patching. This increases text size by ~5%. For non affected systems
	  this space is unused. On affected SKL systems this results in a
	  significant performance gain over the IBRS mitigation.

config CALL_THUNKS_DEBUG
	bool "Enable call thunks and call depth tracking debugging"
	depends on MITIGATION_CALL_DEPTH_TRACKING
	select FUNCTION_ALIGNMENT_32B
	default n
	help
	  Enable call/ret counters for imbalance detection and build in
	  a noisy dmesg about callthunks generation and call patching for
	  trouble shooting. The debug prints need to be enabled on the
	  kernel command line with 'debug-callthunks'.
	  Only enable this when you are debugging call thunks as this
	  creates a noticeable runtime overhead. If unsure say N.

config MITIGATION_IBPB_ENTRY
	bool "Enable IBPB on kernel entry"
	depends on CPU_SUP_AMD && X86_64
	default y
	help
	  Compile the kernel with support for the retbleed=ibpb and
	  spec_rstack_overflow={ibpb,ibpb-vmexit} mitigations.

config MITIGATION_IBRS_ENTRY
	bool "Enable IBRS on kernel entry"
	depends on CPU_SUP_INTEL && X86_64
	default y
	help
	  Compile the kernel with support for the spectre_v2=ibrs mitigation.
	  This mitigates both spectre_v2 and retbleed at great cost to
	  performance.

config MITIGATION_SRSO
	bool "Mitigate speculative RAS overflow on AMD"
	depends on CPU_SUP_AMD && X86_64 && MITIGATION_RETHUNK
	default y
	help
	  Enable the SRSO mitigation needed on AMD Zen1-4 machines.

config MITIGATION_SLS
	bool "Mitigate Straight-Line-Speculation"
	depends on CC_HAS_SLS && X86_64
	select OBJTOOL if HAVE_OBJTOOL
	default n
	help
	  Compile the kernel with straight-line-speculation options to guard
	  against straight line speculation. The kernel image might be slightly
	  larger.

config MITIGATION_GDS
	bool "Mitigate Gather Data Sampling"
	depends on CPU_SUP_INTEL
	default y
	help
	  Enable mitigation for Gather Data Sampling (GDS). GDS is a hardware
	  vulnerability which allows unprivileged speculative access to data
	  which was previously stored in vector registers. The attacker uses gather
	  instructions to infer the stale vector register data.

config MITIGATION_RFDS
	bool "RFDS Mitigation"
	depends on CPU_SUP_INTEL
	default y
	help
	  Enable mitigation for Register File Data Sampling (RFDS) by default.
	  RFDS is a hardware vulnerability which affects Intel Atom CPUs. It
	  allows unprivileged speculative access to stale data previously
	  stored in floating point, vector and integer registers.
	  See also <file:Documentation/admin-guide/hw-vuln/reg-file-data-sampling.rst>

config MITIGATION_SPECTRE_BHI
	bool "Mitigate Spectre-BHB (Branch History Injection)"
	depends on CPU_SUP_INTEL
	default y
	help
	  Enable BHI mitigations. BHI attacks are a form of Spectre V2 attacks
	  where the branch history buffer is poisoned to speculatively steer
	  indirect branches.
	  See <file:Documentation/admin-guide/hw-vuln/spectre.rst>

config MITIGATION_MDS
	bool "Mitigate Microarchitectural Data Sampling (MDS) hardware bug"
	depends on CPU_SUP_INTEL
	default y
	help
	  Enable mitigation for Microarchitectural Data Sampling (MDS). MDS is
	  a hardware vulnerability which allows unprivileged speculative access
	  to data which is available in various CPU internal buffers.
	  See also <file:Documentation/admin-guide/hw-vuln/mds.rst>

config MITIGATION_TAA
	bool "Mitigate TSX Asynchronous Abort (TAA) hardware bug"
	depends on CPU_SUP_INTEL
	default y
	help
	  Enable mitigation for TSX Asynchronous Abort (TAA). TAA is a hardware
	  vulnerability that allows unprivileged speculative access to data
	  which is available in various CPU internal buffers by using
	  asynchronous aborts within an Intel TSX transactional region.
	  See also <file:Documentation/admin-guide/hw-vuln/tsx_async_abort.rst>

config MITIGATION_MMIO_STALE_DATA
	bool "Mitigate MMIO Stale Data hardware bug"
	depends on CPU_SUP_INTEL
	default y
	help
	  Enable mitigation for MMIO Stale Data hardware bugs.  Processor MMIO
	  Stale Data Vulnerabilities are a class of memory-mapped I/O (MMIO)
	  vulnerabilities that can expose data. The vulnerabilities require the
	  attacker to have access to MMIO.
	  See also
	  <file:Documentation/admin-guide/hw-vuln/processor_mmio_stale_data.rst>

config MITIGATION_L1TF
	bool "Mitigate L1 Terminal Fault (L1TF) hardware bug"
	depends on CPU_SUP_INTEL
	default y
	help
	  Mitigate L1 Terminal Fault (L1TF) hardware bug. L1 Terminal Fault is a
	  hardware vulnerability which allows unprivileged speculative access to data
	  available in the Level 1 Data Cache.
	  See <file:Documentation/admin-guide/hw-vuln/l1tf.rst

config MITIGATION_RETBLEED
	bool "Mitigate RETBleed hardware bug"
	depends on (CPU_SUP_INTEL && MITIGATION_SPECTRE_V2) || MITIGATION_UNRET_ENTRY || MITIGATION_IBPB_ENTRY
	default y
	help
	  Enable mitigation for RETBleed (Arbitrary Speculative Code Execution
	  with Return Instructions) vulnerability.  RETBleed is a speculative
	  execution attack which takes advantage of microarchitectural behavior
	  in many modern microprocessors, similar to Spectre v2. An
	  unprivileged attacker can use these flaws to bypass conventional
	  memory security restrictions to gain read access to privileged memory
	  that would otherwise be inaccessible.

config MITIGATION_SPECTRE_V1
	bool "Mitigate SPECTRE V1 hardware bug"
	default y
	help
	  Enable mitigation for Spectre V1 (Bounds Check Bypass). Spectre V1 is a
	  class of side channel attacks that takes advantage of speculative
	  execution that bypasses conditional branch instructions used for
	  memory access bounds check.
	  See also <file:Documentation/admin-guide/hw-vuln/spectre.rst>

config MITIGATION_SPECTRE_V2
	bool "Mitigate SPECTRE V2 hardware bug"
	default y
	help
	  Enable mitigation for Spectre V2 (Branch Target Injection). Spectre
	  V2 is a class of side channel attacks that takes advantage of
	  indirect branch predictors inside the processor. In Spectre variant 2
	  attacks, the attacker can steer speculative indirect branches in the
	  victim to gadget code by poisoning the branch target buffer of a CPU
	  used for predicting indirect branch addresses.
	  See also <file:Documentation/admin-guide/hw-vuln/spectre.rst>

config MITIGATION_SRBDS
	bool "Mitigate Special Register Buffer Data Sampling (SRBDS) hardware bug"
	depends on CPU_SUP_INTEL
	default y
	help
	  Enable mitigation for Special Register Buffer Data Sampling (SRBDS).
	  SRBDS is a hardware vulnerability that allows Microarchitectural Data
	  Sampling (MDS) techniques to infer values returned from special
	  register accesses. An unprivileged user can extract values returned
	  from RDRAND and RDSEED executed on another core or sibling thread
	  using MDS techniques.
	  See also
	  <file:Documentation/admin-guide/hw-vuln/special-register-buffer-data-sampling.rst>

config MITIGATION_SSB
	bool "Mitigate Speculative Store Bypass (SSB) hardware bug"
	default y
	help
	  Enable mitigation for Speculative Store Bypass (SSB). SSB is a
	  hardware security vulnerability and its exploitation takes advantage
	  of speculative execution in a similar way to the Meltdown and Spectre
	  security vulnerabilities.

config MITIGATION_ITS
	bool "Enable Indirect Target Selection mitigation"
	depends on CPU_SUP_INTEL && X86_64
	depends on MITIGATION_RETPOLINE && MITIGATION_RETHUNK
	select EXECMEM
	default y
	help
	  Enable Indirect Target Selection (ITS) mitigation. ITS is a bug in
	  BPU on some Intel CPUs that may allow Spectre V2 style attacks. If
	  disabled, mitigation cannot be enabled via cmdline.
	  See <file:Documentation/admin-guide/hw-vuln/indirect-target-selection.rst>

config MITIGATION_TSA
	bool "Mitigate Transient Scheduler Attacks"
	depends on CPU_SUP_AMD
	default y
	help
	  Enable mitigation for Transient Scheduler Attacks. TSA is a hardware
	  security vulnerability on AMD CPUs which can lead to forwarding of
	  invalid info to subsequent instructions and thus can affect their
	  timing and thereby cause a leakage.

config MITIGATION_VMSCAPE
	bool "Mitigate VMSCAPE"
	depends on KVM
	default y
	help
	  Enable mitigation for VMSCAPE attacks. VMSCAPE is a hardware security
	  vulnerability on Intel and AMD CPUs that may allow a guest to do
	  Spectre v2 style attacks on userspace hypervisor.
endif

config ARCH_HAS_ADD_PAGES
	def_bool y
	depends on ARCH_ENABLE_MEMORY_HOTPLUG

menu "Power management and ACPI options"

config ARCH_HIBERNATION_HEADER
	def_bool y
	depends on HIBERNATION

source "kernel/power/Kconfig"

source "drivers/acpi/Kconfig"

config X86_APM_BOOT
	def_bool y
	depends on APM

menuconfig APM
	tristate "APM (Advanced Power Management) BIOS support"
	depends on X86_32 && PM_SLEEP
	help
	  APM is a BIOS specification for saving power using several different
	  techniques. This is mostly useful for battery powered laptops with
	  APM compliant BIOSes. If you say Y here, the system time will be
	  reset after a RESUME operation, the /proc/apm device will provide
	  battery status information, and user-space programs will receive
	  notification of APM "events" (e.g. battery status change).

	  If you select "Y" here, you can disable actual use of the APM
	  BIOS by passing the "apm=off" option to the kernel at boot time.

	  Note that the APM support is almost completely disabled for
	  machines with more than one CPU.

	  In order to use APM, you will need supporting software. For location
	  and more information, read <file:Documentation/power/apm-acpi.rst>
	  and the Battery Powered Linux mini-HOWTO, available from
	  <http://www.tldp.org/docs.html#howto>.

	  This driver does not spin down disk drives (see the hdparm(8)
	  manpage ("man 8 hdparm") for that), and it doesn't turn off
	  VESA-compliant "green" monitors.

	  Generally, if you don't have a battery in your machine, there isn't
	  much point in using this driver and you should say N. If you get
	  random kernel OOPSes or reboots that don't seem to be related to
	  anything, try disabling/enabling this option (or disabling/enabling
	  APM in your BIOS).

	  Some other things you should try when experiencing seemingly random,
	  "weird" problems:

	  1) make sure that you have enough swap space and that it is
	  enabled.
	  2) pass the "idle=poll" option to the kernel
	  3) switch on floating point emulation in the kernel and pass
	  the "no387" option to the kernel
	  4) pass the "floppy=nodma" option to the kernel
	  5) pass the "mem=4M" option to the kernel (thereby disabling
	  all but the first 4 MB of RAM)
	  6) make sure that the CPU is not over clocked.
	  7) read the sig11 FAQ at <http://www.bitwizard.nl/sig11/>
	  8) disable the cache from your BIOS settings
	  9) install a fan for the video card or exchange video RAM
	  10) install a better fan for the CPU
	  11) exchange RAM chips
	  12) exchange the motherboard.

	  To compile this driver as a module, choose M here: the
	  module will be called apm.

if APM

config APM_IGNORE_USER_SUSPEND
	bool "Ignore USER SUSPEND"
	help
	  This option will ignore USER SUSPEND requests. On machines with a
	  compliant APM BIOS, you want to say N. However, on the NEC Versa M
	  series notebooks, it is necessary to say Y because of a BIOS bug.

config APM_DO_ENABLE
	bool "Enable PM at boot time"
	help
	  Enable APM features at boot time. From page 36 of the APM BIOS
	  specification: "When disabled, the APM BIOS does not automatically
	  power manage devices, enter the Standby State, enter the Suspend
	  State, or take power saving steps in response to CPU Idle calls."
	  This driver will make CPU Idle calls when Linux is idle (unless this
	  feature is turned off -- see "Do CPU IDLE calls", below). This
	  should always save battery power, but more complicated APM features
	  will be dependent on your BIOS implementation. You may need to turn
	  this option off if your computer hangs at boot time when using APM
	  support, or if it beeps continuously instead of suspending. Turn
	  this off if you have a NEC UltraLite Versa 33/C or a Toshiba
	  T400CDT. This is off by default since most machines do fine without
	  this feature.

config APM_CPU_IDLE
	depends on CPU_IDLE
	bool "Make CPU Idle calls when idle"
	help
	  Enable calls to APM CPU Idle/CPU Busy inside the kernel's idle loop.
	  On some machines, this can activate improved power savings, such as
	  a slowed CPU clock rate, when the machine is idle. These idle calls
	  are made after the idle loop has run for some length of time (e.g.,
	  333 mS). On some machines, this will cause a hang at boot time or
	  whenever the CPU becomes idle. (On machines with more than one CPU,
	  this option does nothing.)

config APM_DISPLAY_BLANK
	bool "Enable console blanking using APM"
	help
	  Enable console blanking using the APM. Some laptops can use this to
	  turn off the LCD backlight when the screen blanker of the Linux
	  virtual console blanks the screen. Note that this is only used by
	  the virtual console screen blanker, and won't turn off the backlight
	  when using the X Window system. This also doesn't have anything to
	  do with your VESA-compliant power-saving monitor. Further, this
	  option doesn't work for all laptops -- it might not turn off your
	  backlight at all, or it might print a lot of errors to the console,
	  especially if you are using gpm.

config APM_ALLOW_INTS
	bool "Allow interrupts during APM BIOS calls"
	help
	  Normally we disable external interrupts while we are making calls to
	  the APM BIOS as a measure to lessen the effects of a badly behaving
	  BIOS implementation.  The BIOS should reenable interrupts if it
	  needs to.  Unfortunately, some BIOSes do not -- especially those in
	  many of the newer IBM Thinkpads.  If you experience hangs when you
	  suspend, try setting this to Y.  Otherwise, say N.

endif # APM

source "drivers/cpufreq/Kconfig"

source "drivers/cpuidle/Kconfig"

source "drivers/idle/Kconfig"

endmenu

menu "Bus options (PCI etc.)"

choice
	prompt "PCI access mode"
	depends on X86_32 && PCI
	default PCI_GOANY
	help
	  On PCI systems, the BIOS can be used to detect the PCI devices and
	  determine their configuration. However, some old PCI motherboards
	  have BIOS bugs and may crash if this is done. Also, some embedded
	  PCI-based systems don't have any BIOS at all. Linux can also try to
	  detect the PCI hardware directly without using the BIOS.

	  With this option, you can specify how Linux should detect the
	  PCI devices. If you choose "BIOS", the BIOS will be used,
	  if you choose "Direct", the BIOS won't be used, and if you
	  choose "MMConfig", then PCI Express MMCONFIG will be used.
	  If you choose "Any", the kernel will try MMCONFIG, then the
	  direct access method and falls back to the BIOS if that doesn't
	  work. If unsure, go with the default, which is "Any".

config PCI_GOBIOS
	bool "BIOS"

config PCI_GOMMCONFIG
	bool "MMConfig"

config PCI_GODIRECT
	bool "Direct"

config PCI_GOOLPC
	bool "OLPC XO-1"
	depends on OLPC

config PCI_GOANY
	bool "Any"

endchoice

config PCI_BIOS
	def_bool y
	depends on X86_32 && PCI && (PCI_GOBIOS || PCI_GOANY)

# x86-64 doesn't support PCI BIOS access from long mode so always go direct.
config PCI_DIRECT
	def_bool y
	depends on PCI && (X86_64 || (PCI_GODIRECT || PCI_GOANY || PCI_GOOLPC || PCI_GOMMCONFIG))

config PCI_MMCONFIG
	bool "Support mmconfig PCI config space access" if X86_64
	default y
	depends on PCI && (ACPI || JAILHOUSE_GUEST)
	depends on X86_64 || (PCI_GOANY || PCI_GOMMCONFIG)
	help
	  Add support for accessing the PCI configuration space as a memory
	  mapped area. It is the recommended method if the system supports
	  this (it must have PCI Express and ACPI for it to be available).

	  In the unlikely case that enabling this configuration option causes
	  problems, the mechanism can be switched off with the 'pci=nommconf'
	  command line parameter.

	  Say N only if you are sure that your platform does not support this
	  access method or you have problems caused by it.

	  Say Y otherwise.

config PCI_OLPC
	def_bool y
	depends on PCI && OLPC && (PCI_GOOLPC || PCI_GOANY)

config PCI_XEN
	def_bool y
	depends on PCI && XEN

config MMCONF_FAM10H
	def_bool y
	depends on X86_64 && PCI_MMCONFIG && ACPI

config PCI_CNB20LE_QUIRK
	bool "Read PCI host bridge windows from the CNB20LE chipset" if EXPERT
	depends on X86_32 && PCI
	help
	  Read the PCI windows out of the CNB20LE host bridge. This allows
	  PCI hotplug to work on systems with the CNB20LE chipset which do
	  not have ACPI.

	  The ServerWorks (later Broadcom) CNB20LE was a chipset designed
	  most probably only for Pentium III.

	  To find out if you have such a chipset, search for a PCI device with
	  1166:0009 PCI IDs, for example by executing
		lspci -nn | grep '1166:0009'
	  The code is inactive if there is none.

	  There's no public spec for this chipset, and this functionality
	  is known to be incomplete.

	  You should say N unless you know you need this.

config ISA_BUS
	bool "ISA bus support on modern systems" if EXPERT
	help
	  Expose ISA bus device drivers and options available for selection and
	  configuration. Enable this option if your target machine has an ISA
	  bus. ISA is an older system, displaced by PCI and newer bus
	  architectures -- if your target machine is modern, it probably does
	  not have an ISA bus.

	  If unsure, say N.

# x86_64 have no ISA slots, but can have ISA-style DMA.
config ISA_DMA_API
	bool "ISA-style DMA support" if (X86_64 && EXPERT)
	default y
	help
	  Enables ISA-style DMA support for devices requiring such controllers.
	  If unsure, say Y.

if X86_32

config ISA
	bool "ISA support"
	help
	  Find out whether you have ISA slots on your motherboard.  ISA is the
	  name of a bus system, i.e. the way the CPU talks to the other stuff
	  inside your box.  Other bus systems are PCI, EISA, MicroChannel
	  (MCA) or VESA.  ISA is an older system, now being displaced by PCI;
	  newer boards don't support it.  If you have ISA, say Y, otherwise N.

config SCx200
	tristate "NatSemi SCx200 support"
	help
	  This provides basic support for National Semiconductor's
	  (now AMD's) Geode processors.  The driver probes for the
	  PCI-IDs of several on-chip devices, so its a good dependency
	  for other scx200_* drivers.

	  If compiled as a module, the driver is named scx200.

config SCx200HR_TIMER
	tristate "NatSemi SCx200 27MHz High-Resolution Timer Support"
	depends on SCx200
	default y
	help
	  This driver provides a clocksource built upon the on-chip
	  27MHz high-resolution timer.  Its also a workaround for
	  NSC Geode SC-1100's buggy TSC, which loses time when the
	  processor goes idle (as is done by the scheduler).  The
	  other workaround is idle=poll boot option.

config OLPC
	bool "One Laptop Per Child support"
	depends on !X86_PAE
	select GPIOLIB
	select OF
	select OF_PROMTREE
	select IRQ_DOMAIN
	select OLPC_EC
	help
	  Add support for detecting the unique features of the OLPC
	  XO hardware.

config OLPC_XO1_PM
	bool "OLPC XO-1 Power Management"
	depends on OLPC && MFD_CS5535=y && PM_SLEEP
	help
	  Add support for poweroff and suspend of the OLPC XO-1 laptop.

config OLPC_XO1_RTC
	bool "OLPC XO-1 Real Time Clock"
	depends on OLPC_XO1_PM && RTC_DRV_CMOS
	help
	  Add support for the XO-1 real time clock, which can be used as a
	  programmable wakeup source.

config OLPC_XO1_SCI
	bool "OLPC XO-1 SCI extras"
	depends on OLPC && OLPC_XO1_PM && GPIO_CS5535=y
	depends on INPUT=y
	select POWER_SUPPLY
	help
	  Add support for SCI-based features of the OLPC XO-1 laptop:
	   - EC-driven system wakeups
	   - Power button
	   - Ebook switch
	   - Lid switch
	   - AC adapter status updates
	   - Battery status updates

config OLPC_XO15_SCI
	bool "OLPC XO-1.5 SCI extras"
	depends on OLPC && ACPI
	select POWER_SUPPLY
	help
	  Add support for SCI-based features of the OLPC XO-1.5 laptop:
	   - EC-driven system wakeups
	   - AC adapter status updates
	   - Battery status updates

config GEODE_COMMON
	bool

config ALIX
	bool "PCEngines ALIX System Support (LED setup)"
	select GPIOLIB
	select GEODE_COMMON
	help
	  This option enables system support for the PCEngines ALIX.
	  At present this just sets up LEDs for GPIO control on
	  ALIX2/3/6 boards.  However, other system specific setup should
	  get added here.

	  Note: You must still enable the drivers for GPIO and LED support
	  (GPIO_CS5535 & LEDS_GPIO) to actually use the LEDs

	  Note: You have to set alix.force=1 for boards with Award BIOS.

config NET5501
	bool "Soekris Engineering net5501 System Support (LEDS, GPIO, etc)"
	select GPIOLIB
	select GEODE_COMMON
	help
	  This option enables system support for the Soekris Engineering net5501.

config GEOS
	bool "Traverse Technologies GEOS System Support (LEDS, GPIO, etc)"
	select GPIOLIB
	select GEODE_COMMON
	depends on DMI
	help
	  This option enables system support for the Traverse Technologies GEOS.

config TS5500
	bool "Technologic Systems TS-5500 platform support"
	depends on MELAN
	select CHECK_SIGNATURE
	select NEW_LEDS
	select LEDS_CLASS
	help
	  This option enables system support for the Technologic Systems TS-5500.

endif # X86_32

config AMD_NB
	def_bool y
	depends on AMD_NODE

config AMD_NODE
	def_bool y
	depends on CPU_SUP_AMD && PCI

endmenu

menu "Binary Emulations"

config IA32_EMULATION
	bool "IA32 Emulation"
	depends on X86_64
	select ARCH_WANT_OLD_COMPAT_IPC
	select BINFMT_ELF
	select COMPAT_OLD_SIGACTION
	help
	  Include code to run legacy 32-bit programs under a
	  64-bit kernel. You should likely turn this on, unless you're
	  100% sure that you don't have any 32-bit programs left.

config IA32_EMULATION_DEFAULT_DISABLED
	bool "IA32 emulation disabled by default"
	default n
	depends on IA32_EMULATION
	help
	  Make IA32 emulation disabled by default. This prevents loading 32-bit
	  processes and access to 32-bit syscalls. If unsure, leave it to its
	  default value.

config X86_X32_ABI
	bool "x32 ABI for 64-bit mode"
	depends on X86_64
	# llvm-objcopy does not convert x86_64 .note.gnu.property or
	# compressed debug sections to x86_x32 properly:
	# https://github.com/ClangBuiltLinux/linux/issues/514
	# https://github.com/ClangBuiltLinux/linux/issues/1141
	depends on $(success,$(OBJCOPY) --version | head -n1 | grep -qv llvm)
	help
	  Include code to run binaries for the x32 native 32-bit ABI
	  for 64-bit processors.  An x32 process gets access to the
	  full 64-bit register file and wide data path while leaving
	  pointers at 32 bits for smaller memory footprint.

config COMPAT_32
	def_bool y
	depends on IA32_EMULATION || X86_32
	select HAVE_UID16
	select OLD_SIGSUSPEND3

config COMPAT
	def_bool y
	depends on IA32_EMULATION || X86_X32_ABI

config COMPAT_FOR_U64_ALIGNMENT
	def_bool y
	depends on COMPAT

endmenu

config HAVE_ATOMIC_IOMAP
	def_bool y
	depends on X86_32

source "arch/x86/kvm/Kconfig"

source "arch/x86/Kconfig.cpufeatures"

source "arch/x86/Kconfig.assembler"