From defba1f2450b2c8bbc668bf5f6f6f0d101338cc7 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 17 Dec 2024 11:42:03 +0000 Subject: [PATCH] Refactor CPU mitigations --- etc/default/grub.d/40_cpu_mitigations.cfg | 80 ++++++++++++++++------- 1 file changed, 55 insertions(+), 25 deletions(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 1b900c0..c1828dc 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -17,7 +17,7 @@ ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html -## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT. +## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT. ## ## KSPP=yes ## KSPP sets the kernel parameters. @@ -27,7 +27,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## Disable SMT as it has been the cause of and amplified numerous CPU exploits. ## The only full mitigation of cross-HT attacks is to disable SMT. ## Disabling will significantly decrease system performance on multi-threaded tasks. -## To enable SMT, remove this line and all other occurrences of "nosmt" in this file. +## Note, this setting will prevent re-enabling SMT via the sysfs interface. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 @@ -36,95 +36,125 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## KSPP=yes ## KSPP sets the kernel parameter. ## +## To re-enable SMT: +## - Remove "nosmt=force". +## - Remove all occurrences of ",nosmt" in this file (note the comma ","). +## - Downgrade "l1tf=full,force" protection to "l1tf=flush". +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" -## Enable mitigations for both Spectre Variant 2 (indirect branch speculation) -## and Intel branch history injection (BHI) vulnerabilities. +## Spectre Side Channels (BTI and BHI): +## Unconditionally enable mitigation for Spectre Variant 2 (branch target injection). +## Enable mitigation for the Intel branch history injection vulnerability. +## Currently affects both AMD and Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" -## Disable Speculative Store Bypass (Spectre Variant 4). -## Unconditionally enable mitigation for both kernel and userspace. +## Speculative Store Bypass (SSB): +## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide. +## Unconditionally enable the mitigation for both kernel and userspace. +## Currently affects both AMD and Intel CPUs. ## +## https://en.wikipedia.org/wiki/Speculative_Store_Bypass ## https://www.suse.com/support/kb/doc/?id=000019189 ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on" -## Enable mitigations for the L1TF vulnerability through disabling SMT -## and L1D flush runtime control. +## L1 Terminal Fault (L1TF): +## Mitigate the vulnerability by disabling L1D flush runtime control and SMT. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" -## Enable mitigations for the MDS vulnerability through clearing buffer cache -## and disabling SMT. +## Microarchitectural Data Sampling (MDS): +## Mitigate the vulnerability by clearing the buffer cache and disabling SMT. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" -## Patches the TAA vulnerability by disabling TSX and enables mitigations using -## TSX Async Abort along with disabling SMT. +## TSX Asynchronous Abort (TAA): +## Mitigate the vulnerability by disabling TSX. +## If TSX is enabled, clear CPU buffer rings on transitions and disable SMT. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt" -## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit. +## iTLB Multihit: +## Mitigate the vulnerability by marking all huge pages in the EPT as non-executable. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" -## Mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions -## are only possible through microcode updates from Intel. +## Special Register Buffer Data Sampling (SRBDS): +## Mitigation of the vulnerability is only possible via microcode updates from Intel. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html ## https://access.redhat.com/solutions/5142691 -## Enable the prctl() interface to prevent leaks from L1D on context switches. +## L1D Flushing: +## Mitigate leaks from the L1D cache on context switches by enabling the prctl() interface. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on" -## Mitigate numerous MMIO Stale Data vulnerabilities and disable SMT. +## MMIO Stale Data: +## Mitigate the vulnerability by appropriately clearing the CPU buffer and disabling SMT. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" -## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with -## Return Instructions) vulnerability and disable SMT. +## Arbitrary Speculative Code Execution with Return Instructions (Retbleed): +## Mitigate the vulnerability through CPU-dependent implementation and disable SMT. +## Currently affects both AMD Zen 1-2 and Intel CPUs. ## +## https://en.wikipedia.org/wiki/Retbleed +## https://comsec.ethz.ch/research/microarch/retbleed/ ## https://www.suse.com/support/kb/doc/?id=000020693 +## https://access.redhat.com/solutions/retbleed ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" -## Control RAS overflow mitigation on AMD Zen CPUs. +## Speculative Return Stack Overflow (SRSO): +## Mitigate the vulnerability by ensureing all RET instructions speculate to a controlled location. +## Currently affects AMD Zen 1-4 CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html ## ## The default kernel setting will be utilized until provided sufficient evidence to modify. +## Using "spec_rstack_overflow=ipbp" may provide stronger security at a greater performance impact. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret" -## Enable Gather Data Sampling (GDS) mitigation. -## Note for systems that have not received a suitable microcode update this will -## entirely disable use of the AVX instructions set. +## Gather Data Sampling (GDS): +## Mitigate the vulnerability either via microcode update or by disabling AVX. +## Note, without a suitable microcode update, this will entirely disable use of the AVX instructions set. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force" -## Enable Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which -## encompasses E-cores on hybrid architectures. +## Register File Data Sampling (RFDS): +## Mitigate the vulnerability by appropriately clearing the CPU buffer. +## Currently affects Intel Atom CPUs (which encompasses E-cores on hybrid architectures). ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html ##