MitigationControls
The Meltdown and Spectre vulnerabilities involve a performance-security tradeoff. The following describes the relevant tunables offered for selectively disabling mitigations in contexts where the tradeoffs have been evaluated and justified.

| Arch | Description | Kernel Parameter | Options | Ubuntu default |
|---|---|---|---|---|
| amd64 | Control Page Table Isolation of user and kernel address spaces. Disabling this feature removes the CVE-2017-5754 (aka Meltdown) mitigation on affected processors, but improves performance of system calls and interrupts. | pti=[on\|off\|auto] | on - unconditionally enable | pti=auto |
| amd64 | Disable Kernel Page Table Isolation (KPTI). | nopti | Equivalent to pti=off | |
| ppc64el | Disable the L1-D cache flush on exit from kernel to user mode that is used as protection against CVE-2017-5754 (aka Meltdown) on powerpc processors. | no_rfi_flush | | |
| ppc64el | On powerpc, nopti is just an alias for no_rfi_flush. | nopti | | |
| amd64 | Disable the PCID CPU feature. | nopcid | | PCID is enabled if the CPU supports it. |
| amd64 | Disable the indirect branch restricted speculation (IBRS) and/or indirect branch prediction barrier (IBPB) features when running in a secure environment, to avoid their performance overhead. Disabling these features removes mitigations for CVE-2017-5715 (aka Spectre / Variant 2). | noibrs | At run time: | By default, the system will enable IBRS and IBPB if the CPU supports them. |
| amd64 | Control mitigation of CVE-2017-5715 (aka Spectre / Variant 2). | spectre_v2=[on\|off\|auto\|retpoline\|retpoline,generic\|retpoline,amd] | on - unconditionally enable; off - unconditionally disable; auto - kernel detects whether your CPU model is vulnerable. Selecting 'on' will, and 'auto' may, choose a mitigation method at run time according to the CPU, the available microcode, the setting of the CONFIG_RETPOLINE configuration option, and the compiler with which the kernel was built. Specific mitigations can also be selected manually: retpoline - replace indirect branches; retpoline,generic - Google's original retpoline; retpoline,amd - AMD-specific minimal thunk. Not specifying this option is equivalent to spectre_v2=auto. | spectre_v2=auto |
| amd64 | Disable all mitigations for CVE-2017-5715 (aka Spectre / Variant 2). The system may allow data leaks with this option. | nospectre_v2 | Equivalent to spectre_v2=off | |
| s390x | Run the kernel with a modified branch predictor. | nobp=[0\|1] | With nobp=1, the kernel will switch to a modified branch prediction mode if the firmware interface is available. | nobp=1 |
| s390x | Run the kernel in the normal branch prediction mode. | nospec | Equivalent to nobp=0 | |
| s390x | Disable no-spec barriers. | nogmb | | |
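As an added example (not part of this wiki page), the following POSIX shell script audits a kernel command line for the parameters in the table above and reports which Meltdown/Spectre mitigations they turn off; the live check at the end assumes the mainline kernel's /proc/cmdline and /sys/devices/system/cpu/vulnerabilities files, which this page does not describe.

```shell
#!/bin/sh
# Added example, not from the Ubuntu wiki page. Checks boot parameters for the
# mitigation controls in the table and reports which mitigations are disabled.
set -f   # no globbing while word-splitting the command line

# Print one line per mitigation that the given command line disables.
# Returns 1 if any mitigation is disabled, 0 if none is.
audit_cmdline() {
    found=0
    for param in $1; do
        case "$param" in
            nopti|pti=off)
                echo "$param: Meltdown (CVE-2017-5754) mitigation disabled (KPTI on amd64, RFI flush on powerpc)" ;;
            no_rfi_flush)
                echo "$param: Meltdown (CVE-2017-5754) RFI flush mitigation disabled on powerpc" ;;
            noibrs)
                echo "$param: IBRS/IBPB off - Spectre v2 (CVE-2017-5715) mitigation removed" ;;
            nospectre_v2|spectre_v2=off)
                echo "$param: Spectre v2 (CVE-2017-5715) mitigation disabled" ;;
            nospec|nobp=0)
                echo "$param: normal branch prediction - s390x Spectre v2 mitigation disabled" ;;
            nogmb)
                echo "$param: no-spec barriers disabled on s390x" ;;
            *) continue ;;
        esac
        found=1
    done
    return $found
}

# Live check (Linux only, assumed sysfs layout from kernel 4.15+): compare the
# boot parameters with the status the running kernel reports for each issue.
if [ -r /proc/cmdline ]; then
    audit_cmdline "$(cat /proc/cmdline)" || echo "WARNING: mitigations disabled by boot parameters"
    for v in meltdown spectre_v1 spectre_v2; do
        f=/sys/devices/system/cpu/vulnerabilities/$v
        [ -r "$f" ] && printf '%s: %s\n' "$v" "$(cat "$f")"
    done
fi
```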
SecurityTeam/KnowledgeBase/SpectreAndMeltdown/MitigationControls (last edited 2018-07-11 19:46:22 by tyhicks)