kernel/amd64: conf: Add CPU_UMIP config option

This commit adds the CPU_UMIP kconf(9) option to allow the user to configure whether or not the kernel should enable the CR4.UMIP bit. It is recommended to keep this to "yes" as user applications should not be able to execute the SGDT, SIDT, SLDT, SMSW or STR instructions at all for security reasons. Signed-off-by: Ian Moffett <ian@osmora.org>
author: Ian Moffett <ian@osmora.org> 2025-08-12 23:46:11 -0400
committer: Ian Moffett <ian@osmora.org> 2025-08-12 23:52:47 -0400
commit: 83372e621621cd8509adc164599b212406970576 (patch)
tree: b2d52c685b0e084e191a3b64a9e4283f2f3e8c91 /sys/arch/amd64/conf/GENERIC
parent: eb4ec8d4b0d5d596c67dc2baf935df30e27fbb71 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/arch/amd64/conf/GENERIC b/sys/arch/amd64/conf/GENERIC
index 9411999..6bf3af5 100644
--- a/sys/arch/amd64/conf/GENERIC
+++ b/sys/arch/amd64/conf/GENERIC
@@ -7,6 +7,7 @@
 //
 option SPECTRE_IBRS no   // Enable the IBRS CPU feature
 option SERIAL_DEBUG yes  // Enable kmsg serial logging
+option CPU_UMIP     yes  // Enable User-mode Instruction Prevention
 option USER_KMSG    no   // Show kmsg in user consoles
 option USER_TSC     no   // Enable 'rdtsc' in user mode
 option CPU_SMEP     yes  // Supervisor Memory Exec Protection
author	Ian Moffett <ian@osmora.org>	2025-08-12 23:46:11 -0400
committer	Ian Moffett <ian@osmora.org>	2025-08-12 23:52:47 -0400
commit	83372e621621cd8509adc164599b212406970576 (patch)
tree	b2d52c685b0e084e191a3b64a9e4283f2f3e8c91 /sys/arch/amd64/conf/GENERIC
parent	eb4ec8d4b0d5d596c67dc2baf935df30e27fbb71 (diff)