Frequently Asked Questions

How do I...

1 ... check whether a Kconfig option is active?

Kconfig is a build time configuration system, combining inherent knowledge, the capabilities of the toolchain, and explicit user choice to form a configuration of a build of Xen.

A file, by default .config, is produced by the build identifying the configuration used. Kconfig symbols all start with CONFIG_, and come in a variety of types including strings, integers and booleans. Booleans are the most common, and when active are expressed with ...=y. e.g.:

xen.git/xen$ grep CONFIG_FOO .config
CONFIG_FOO_BOOLEAN=y
CONFIG_FOO_STRING="lorem ipsum"
CONFIG_FOO_INTEGER=42

Symbols which are either absent, or expressed as ... is not set are disabled. e.g.:

xen.git/xen$ grep CONFIG_BAR .config
# CONFIG_BAR is not set

Builds of Xen configured with CONFIG_HYPFS_CONFIG=y embed their own .config at build time, and can provide it to the control domain upon requested. e.g.:

[root@host ~]# xenhypfs cat /buildinfo/config | grep -e FOO -e BAR
CONFIG_FOO=y
# CONFIG_BAR is not set

2 ... tell if CET is active?

Control-flow Enforcement Technology support was added to Xen 4.14. It is build time conditional, dependent on both having a new-enough toolchain and an explicit Kconfig option, and also requires capable hardware. See CET.

For CET-SS, Shadow Stacks, the minimum toolchain requirements are binutils >= 2.29 or LLVM >= 6. No specific compiler support is required. Check for CONFIG_XEN_SHSTK being active.

For CET-IBT, Indirect Branch Tracking, the minimum toolchain requirements are GCC >= 9 and binutils >= 2.29. Xen relies on a compiler feature which is specific to GCC at the time of writing. Check for CONFIG_XEN_IBT being active.

If a capable Xen is booted on capable hardware, and CET is not disabled by command line option or errata, Xen will print some details early on boot about which CET facilities have been turned on:

...
(XEN) CPU Vendor: Intel, Family 6 (0x6), Model 143 (0x8f), Stepping 8 (raw 000806f8)
(XEN) Enabling Supervisor Shadow Stacks
(XEN) Enabling Indirect Branch Tracking
(XEN)   - IBT disabled in UEFI Runtime Services
(XEN) EFI RAM map:
...

This can be obtained from the control domain with xl dmesg, but remember to confirm that the console ring hasn't wrapped.