Merge 53d90b1128 into 5b97e7bd27

README.md

@@ -156,6 +156,8 @@ CPU mitigations:
 
 - Spectre Side Channels (BTI and BHI)
 
+- Meltdown
+
 - Speculative Store Bypass (SSB)
 
 - L1 Terminal Fault (L1TF)
@@ -206,8 +208,8 @@ Kernel space:
 - Enable the kernel page allocator to randomize free lists to limit some data
   exfiltration and ROP attacks, especially during the early boot process.
 
-- Enable kernel page table isolation to increase KASLR effectiveness and also
-  mitigate the Meltdown CPU vulnerability.
+- Enable kernel page table isolation on X86_64 CPUs to increase KASLR effectiveness
+  and also mitigate the Meltdown CPU vulnerability.
 
 - Enable randomization of the kernel stack offset on syscall entries to harden
   against memory corruption attacks.

etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared

@@ -71,10 +71,24 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"
 
+## Meltdown:
+## Mitigate Spectre Variant 3 using kernel page table isolation (PTI).
+## Force enable PTI of user and kernel address spaces on all cores.
+## Mitigations for X86_64 CPUs are done in /etc/default/grub.d/40_kernel_hardening.cfg using "pti=on".
+## Currently affects ARM64 CPUs.
+##
+## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
+## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
+##
+## KSPP=yes
+## KSPP sets CONFIG_UNMAP_KERNEL_AT_EL0=y.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kpti=1"
+
 ## Speculative Store Bypass (SSB):
 ## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide.
 ## Unconditionally enable the mitigation for both kernel and userspace.
-## Currently affects both AMD and Intel CPUs.
+## Currently affects AMD, ARM64, and Intel CPUs.
 ##
 ## https://en.wikipedia.org/wiki/Speculative_Store_Bypass
 ## https://www.suse.com/support/kb/doc/?id=000019189

etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared

@@ -83,8 +83,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
 
 ## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses.
-## Mitigates the Meltdown CPU vulnerability.
+## Mitigates the Meltdown (Spectre Variant 3) CPU vulnerability.
+## Mitigations for ARM64 CPUs are done in /etc/default/grub.d/40_cpu_mitigations.cfg using "kpti=1".
 ##
+## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
 ## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
 ##
 ## KSPP=yes