Add KERNEL_NR_CPUS option in Global build settings → Kernel build
options, allowing users to set maximum CPU count (2-512) for the image.
Defaults:
- x86_64: 512 CPUs (backward compatible)
- x86: 8 CPUs (fix broken single-CPU default)
Per-CPU data structures consume ~100-200KB each.
On a 4-core system configured to NR_CPUS=4, this frees approx 76 MB
of RAM: (512 - 4) × 150 KB = ~76 MB
Note: CONFIG_NR_CPUS_RANGE_{BEGIN,END}= and CONFIG_NR_CPUS_DEFAULT= are
set by the build system and will default to 2/512/64 per arch/x86/Kconfig
These are harmless metadata and don't affect memory allocation.
Note pending https://github.com/openwrt/openwrt/pull/21407
Signed-off-by: John Audia <therealgraysky@proton.me>
Link: https://github.com/openwrt/openwrt/pull/21078
Signed-off-by: Robert Marko <robimarko@gmail.com>
These mitigations are low-overhead, upstream-supported hardening options
that only activate on CPUs affected by their respective vulnerabilities.
Enabling them provides consistent, defense-in-depth coverage across Intel
and AMD systems without impacting unaffected hardware.
Detailed list:
- CONFIG_MITIGATION_SRSO to guard against a known vulnerability found on
AMD processors (Zen generations 1-4) for sure, maybe others. This is
tracked under CVE-2023-20569.
- CONFIG_MITIGATION_ITS to guard against a bug in BPU on some Intel CPUs
that may allow Spectre V2 style attacks. We never enabled this option
(and its dependencies).
- CONFIG_MITIGATION_SRBDS to guard against Special Register Buffer Data
Sampling on affected Intel CPUs (CVE-2020-0543), preventing cross-core
leakage of RDRAND/RDSEED/EGETKEY values.
- CONFIG_MITIGATION_SLS to guard against Spectre-v4 gadgets on x86 by
inserting speculation barriers around RET/JMP/CALL sites when required
by CPU/microcode state.
- CONFIG_MITIGATION_CALL_DEPTH_TRACKING to guard against speculative
call-stack underflow on x86 by enabling hardware-assisted depth
tracking where supported, reducing exposure to RET-based misprediction
attacks.
- CONFIG_MITIGATION_UNRET_ENTRY to guard against RET-based speculation
attacks on x86 by replacing vulnerable function returns in kernel
entry paths with UNRET sequences when required by CPU/microcode state.
Signed-off-by: John Audia <therealgraysky@proton.me>
Link: https://github.com/openwrt/openwrt/pull/21078
Signed-off-by: Robert Marko <robimarko@gmail.com>
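A small check for the two commits above (the NR_CPUS sizing and the mitigation options), added here as an example rather than code from the OpenWrt commits: it parses a constructed kernel .config fragment, reports which of the listed CONFIG_MITIGATION_* options are not built in, and applies the commits' rough 150 KB per-CPU figure to CONFIG_NR_CPUS. The sample config and the 150 KB/CPU constant are assumptions taken from the commit text, not measured values.

```python
import re

# Options listed in the mitigations commit above.
MITIGATION_OPTIONS = (
    "CONFIG_MITIGATION_SRSO",
    "CONFIG_MITIGATION_ITS",
    "CONFIG_MITIGATION_SRBDS",
    "CONFIG_MITIGATION_SLS",
    "CONFIG_MITIGATION_CALL_DEPTH_TRACKING",
    "CONFIG_MITIGATION_UNRET_ENTRY",
)
PER_CPU_KB = 150  # the commit's rough ~150 KB per possible CPU (assumption)

# Constructed sample .config fragment (not a real OpenWrt config).
SAMPLE_CONFIG = """\
# CONFIG_MITIGATION_ITS is not set
CONFIG_MITIGATION_SRSO=y
CONFIG_MITIGATION_SRBDS=y
CONFIG_MITIGATION_SLS=y
CONFIG_NR_CPUS=4
CONFIG_NR_CPUS_DEFAULT=64
"""

_SET = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")


def parse_config(text):
    """Map CONFIG_* names to their value; '# ... is not set' maps to None."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if m := _SET.match(line):
            opts[m.group(1)] = m.group(2).strip('"')
        elif m := _UNSET.match(line):
            opts[m.group(1)] = None
    return opts


def missing_mitigations(opts):
    """Listed mitigation options that are absent or not built in (=y)."""
    return [o for o in MITIGATION_OPTIONS if opts.get(o) != "y"]


def nr_cpus_saving_kb(opts, old_nr_cpus=512):
    """Approximate RAM freed by lowering NR_CPUS from old_nr_cpus, in KB."""
    nr_cpus = int(opts.get("CONFIG_NR_CPUS") or old_nr_cpus)
    return (old_nr_cpus - nr_cpus) * PER_CPU_KB
```

Run it against a real build's .config to see which of the listed options a given target actually carries; the per-CPU saving is only the commit's back-of-envelope estimate.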
Some options here were identified by running `make kernel_oldconfig`,
while others were manually added from a list curated by hand at build
time.
Signed-off-by: John Audia <therealgraysky@proton.me>
Link: https://github.com/openwrt/openwrt/pull/21078
Signed-off-by: Robert Marko <robimarko@gmail.com>
This is an automatically generated commit.
When doing `git bisect`, consider `git bisect --skip`.
Signed-off-by: John Audia <therealgraysky@proton.me>
Link: https://github.com/openwrt/openwrt/pull/21078
Signed-off-by: Robert Marko <robimarko@gmail.com>