MitigationControls

Differences between revisions 7 and 8
Revision 7 as of 2018-05-21 23:37:01
Size: 4965
Editor: tyhicks
Comment: Add missing table header
Revision 8 as of 2018-05-21 23:45:17
Size: 4389
Editor: tyhicks
Comment: Remove redundant CVE and vuln name mentions from rows
Deletions (revision 7) are the first block of rows in each hunk; additions (revision 8) are the second block.
Line 6: Line 6:
|| amd64 || Control Page Table Isolation of user and kernel address spaces. Disabling this feature removes CVE-2017-5754 (aka Meltdown) mitigation on affected processors, but improves performance of system calls and interrupts. || pti=[on|off|auto] || on - unconditionally enable<<BR>><<BR>>off - unconditionally disable<<BR>><<BR>>auto - kernel detects whether your CPU model is vulnerable to CVE-2017-5754 (aka Meltdown)<<BR>><<BR>>Not specifying this option is equivalent to pti=auto. || pti=auto ||
|| amd64 || Disable Kernel Page Table Isolation (KPTI). || nopti || Equivalent to pti=off || ||
|| arm64 || Disable Kernel Page Table Isolation (KPTI). || kpti=[on|off] || on - unconditionally enable<<BR>><<BR>>off - unconditionally disable<<BR>><<BR>>(unspecified) - kernel detects whether your CPU model is vulnerable to CVE-2017-5754 (aka Meltdown)<<BR>><<BR>>Not specifying this option is equivalent to pti=auto. || (unspecified) ||
|| ppc64el || Disable L1-D cache flushing on exit from kernel to user mode that is used as protection against CVE-2017-5754 (aka Meltdown) on powerpc processors. || no_rfi_flush || || ||
|| amd64 || Control Kernel Page Table Isolation || pti=[on|off|auto] || on - unconditionally enable mitigations<<BR>><<BR>>off - unconditionally disable mitigations<<BR>><<BR>>auto - kernel detects whether your CPU model is vulnerable and enables mitigations if needed || pti=auto ||
|| amd64 || Disable Kernel Page Table Isolation || nopti || Equivalent to pti=off || ||
|| arm64 || Control Kernel Page Table Isolation || kpti=[on|off] || on - unconditionally enable mitigations<<BR>><<BR>>off - unconditionally disable mitigations<<BR>><<BR>>(unspecified) - kernel detects whether your CPU model is vulnerable and enables mitigations if needed || (unspecified) ||
|| ppc64el || Disable mitigations by ignoring L1-D cache flushing on exit from kernel to user mode on powerpc processors || no_rfi_flush || || ||
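Review bot: the rewritten amd64 pti row drops the "Not specifying this option is equivalent to pti=auto" sentence that the deleted row carried, while the spectre_v2 row in the next hunk keeps its equivalent sentence; for parity, keep "Not specifying this option is equivalent to pti=auto." in the pti Options cell, since the "Ubuntu default" column alone does not say that an absent parameter and pti=auto behave the same.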
Line 16: Line 16:
|| amd64 || Disable indirect branch restricted speculation (IBRS) and/or indirect branch prediction barrier (IBPB) feature when running in secure environment, to avoid performance overhead. Disabling these features removes mitigations for CVE-2017-5715 (aka Spectre / Variant 2). || noibrs<<BR>><<BR>>noibpb || At run time:<<BR>><<BR>>echo 0 > /proc/sys/kernel/ibrs_enabled will turn off IBRS<<BR>><<BR>>echo 1 > /proc/sys/kernel/ibrs_enabled will turn on IBRS in kernel<<BR>><<BR>>echo 2 > /proc/sys/kernel/ibrs_enabled will turn on IBRS in both userspace and kernel || By default, the system will enable ibrs and ibpb usage if the CPU supports it||
|| amd64 || Control mitigation of CVE-2017-5715 (aka Spectre / Variant 2). || spectre_v2=[on|off|auto|retpoline|retpoline,generic|retpoline,amd] || on - unconditionally enable <<BR>><<BR>>off - unconditionally disable<<BR>><<BR>>auto - kernel detects whether your CPU model is vulnerable<<BR>><<BR>>Selecting 'on' will, and 'auto' may, choose a mitigation method at run time according to the CPU, the available microcode, the setting of the CONFIG_RETPOLINE configuration option, and the compiler with which the kernel was built.<<BR>><<BR>>Specific mitigations can also be selected manually:<<BR>><<BR>>retpoline - replace indirect branches<<BR>><<BR>>retpoline,generic - google's original retpoline<<BR>><<BR>>retpoline,amd - AMD-specific minimal thunk<<BR>><<BR>>Not specifying this option is equivalent to spectre_v2=auto. || spectre_v2=auto ||
|| amd64 || Disable all mitigations for the CVE-2017-5715 (aka Spectre / Variant 2). System may allow data leaks with this option. || nospectre_v2 || Equivalent to spectre_v2=off || ||
|| s390x || Run the kernel with a modified branch predictor. || nobp=[0|1] || With nobp=1, the kernel will switch to a modified branch prediction mode if the firmware interface is available.<<BR>><<BR>>With nobp=0, the kernel will run in the normal branch prediction mode. || nobp=1 ||
|| s390x || Run the kernel in the normal branch prediction mode.|| nospec || Equivalent to nobp=0 || ||
|| s390x || Disable no-spec barriers. || nogmb || || ||
|| amd64 || Disable indirect branch restricted speculation (IBRS) and/or indirect branch prediction barrier (IBPB) feature when running in secure environment, to avoid performance overhead (system may allow data leaks with this option) || noibrs<<BR>><<BR>>noibpb || At run time:<<BR>><<BR>>echo 0 > /proc/sys/kernel/ibrs_enabled will turn off IBRS<<BR>><<BR>>echo 1 > /proc/sys/kernel/ibrs_enabled will turn on IBRS in kernel<<BR>><<BR>>echo 2 > /proc/sys/kernel/ibrs_enabled will turn on IBRS in both userspace and kernel || By default, the system will enable ibrs and ibpb usage if the CPU supports it||
|| amd64 || Mitigation selection || spectre_v2=[on|off|auto|retpoline|retpoline,generic|retpoline,amd] || on - unconditionally enable <<BR>><<BR>>off - unconditionally disable<<BR>><<BR>>auto - kernel detects whether your CPU model is vulnerable<<BR>><<BR>>Selecting 'on' will, and 'auto' may, choose a mitigation method at run time according to the CPU, the available microcode, the setting of the CONFIG_RETPOLINE configuration option, and the compiler with which the kernel was built.<<BR>><<BR>>Specific mitigations can also be selected manually:<<BR>><<BR>>retpoline - replace indirect branches<<BR>><<BR>>retpoline,generic - google's original retpoline<<BR>><<BR>>retpoline,amd - AMD-specific minimal thunk<<BR>><<BR>>Not specifying this option is equivalent to spectre_v2=auto. || spectre_v2=auto ||
|| amd64 || Disable all mitigations (system may allow data leaks with this option) || nospectre_v2 || Equivalent to spectre_v2=off || ||
|| s390x || Run the kernel with a modified branch predictor || nobp=[0|1] || With nobp=1, the kernel will switch to a modified branch prediction mode if the firmware interface is available.<<BR>><<BR>>With nobp=0, the kernel will run in the normal branch prediction mode. || nobp=1 ||
|| s390x || Run the kernel in the normal branch prediction mode || nospec || Equivalent to nobp=0 || ||
|| s390x || Disable no-spec barriers || nogmb || || ||
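Review bot: both the old and the new spectre_v2 row spell the vendor name as "google's original retpoline"; it should be "Google's". Separately, the new noibrs/noibpb row replaces the explicit "removes mitigations for CVE-2017-5715" wording with "(system may allow data leaks with this option)", which matches the nospectre_v2 row, but the runtime echo 0/1/2 instructions in its Options cell still describe only IBRS; consider stating in that cell how noibpb relates to the ibrs_enabled sysctl, or that it does not.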
Line 26: Line 26:
|| amd64 || Configure fine grained mitigations for CVE-2018-3639 (aka Variant 4). || spec_store_bypass_disable=[prctl|seccomp] || prctl - mitigations disable by default with opt-in enablement available via prctl()<<BR>><<BR>>seccomp - same as "prctl" plus all applications with a seccomp filter are implicitly opted-in to mitigations || ||
|| amd64<<BR>>ppc64el || Configure global mitigations for CVE-2018-3639 (aka Variant 4). || spec_store_bypass_disable=[on|off|auto] || on - unconditionally enable mitigations<<BR>><<BR>>off - unconditionally disable mitigations<<BR>><<BR>>auto - On x86, same as "seccomp" above. On ppc64el, the kernel and virtual machines are protected. || auto ||
|| amd64<<BR>>ppc64el || Disable all mitigations for CVE-2018-3639 (aka Variant 4). System may allow data leaks with this option. || nospec_store_bypass_disable || Equivalent to spec_store_bypass_disable=off || ||
|| amd64 || Fine grained mitigations || spec_store_bypass_disable=[prctl|seccomp] || prctl - mitigations disable by default with opt-in enablement available via prctl()<<BR>><<BR>>seccomp - same as "prctl" plus all applications with a seccomp filter are implicitly opted-in to mitigations || ||
|| amd64<<BR>>ppc64el || Global mitigations || spec_store_bypass_disable=[on|off|auto] || on - unconditionally enable mitigations<<BR>><<BR>>off - unconditionally disable mitigations<<BR>><<BR>>auto - On x86, same as "seccomp" above. On ppc64el, the kernel and virtual machines are protected. || auto ||
|| amd64<<BR>>ppc64el || Disable all mitigations (system may allow data leaks with this option) || nospec_store_bypass_disable || Equivalent to spec_store_bypass_disable=off || ||
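Review bot: the prctl option text in the first row reads "mitigations disable by default" in both revisions; it should be "mitigations disabled by default with opt-in enablement available via prctl()". The "Ubuntu default" cell of that row is also empty even though the global row's auto value says "On x86, same as seccomp", so the fine-grained row could state that auto implies seccomp by default.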

The Meltdown and Spectre vulnerabilities involve a performance-security tradeoff. The following describes the relevant tunables offered for selectively disabling mitigations in contexts where the tradeoffs have been evaluated and justified.

CVE-2017-5754 (aka Meltdown)

|| Arch || Description || Kernel Parameter || Options || Ubuntu default ||
|| amd64 || Control Kernel Page Table Isolation || pti=[on|off|auto] || on - unconditionally enable mitigations<<BR>><<BR>>off - unconditionally disable mitigations<<BR>><<BR>>auto - kernel detects whether your CPU model is vulnerable and enables mitigations if needed || pti=auto ||
|| amd64 || Disable Kernel Page Table Isolation || nopti || Equivalent to pti=off || ||
|| arm64 || Control Kernel Page Table Isolation || kpti=[on|off] || on - unconditionally enable mitigations<<BR>><<BR>>off - unconditionally disable mitigations<<BR>><<BR>>(unspecified) - kernel detects whether your CPU model is vulnerable and enables mitigations if needed || (unspecified) ||
|| ppc64el || Disable mitigations by skipping the L1-D cache flush on exit from kernel to user mode on powerpc processors || no_rfi_flush || || ||
|| ppc64el || On powerpc, nopti is just an alias to no_rfi_flush. || nopti || || ||
|| amd64 || Disable the PCID CPU feature. || nopcid || || PCID is enabled if the CPU supports it. ||

CVE-2017-5715 (aka Spectre / Variant 2)

|| Arch || Description || Kernel Parameter || Options || Ubuntu default ||
|| amd64 || Disable the indirect branch restricted speculation (IBRS) and/or indirect branch prediction barrier (IBPB) feature when running in a secure environment, to avoid performance overhead (system may allow data leaks with this option) || noibrs<<BR>><<BR>>noibpb || At run time:<<BR>><<BR>>echo 0 > /proc/sys/kernel/ibrs_enabled will turn off IBRS<<BR>><<BR>>echo 1 > /proc/sys/kernel/ibrs_enabled will turn on IBRS in the kernel<<BR>><<BR>>echo 2 > /proc/sys/kernel/ibrs_enabled will turn on IBRS in both userspace and the kernel || By default, the system will enable IBRS and IBPB usage if the CPU supports them ||
|| amd64 || Mitigation selection || spectre_v2=[on|off|auto|retpoline|retpoline,generic|retpoline,amd] || on - unconditionally enable<<BR>><<BR>>off - unconditionally disable<<BR>><<BR>>auto - kernel detects whether your CPU model is vulnerable<<BR>><<BR>>Selecting 'on' will, and 'auto' may, choose a mitigation method at run time according to the CPU, the available microcode, the setting of the CONFIG_RETPOLINE configuration option, and the compiler with which the kernel was built.<<BR>><<BR>>Specific mitigations can also be selected manually:<<BR>><<BR>>retpoline - replace indirect branches<<BR>><<BR>>retpoline,generic - Google's original retpoline<<BR>><<BR>>retpoline,amd - AMD-specific minimal thunk<<BR>><<BR>>Not specifying this option is equivalent to spectre_v2=auto. || spectre_v2=auto ||
|| amd64 || Disable all mitigations (system may allow data leaks with this option) || nospectre_v2 || Equivalent to spectre_v2=off || ||
|| s390x || Run the kernel with a modified branch predictor || nobp=[0|1] || With nobp=1, the kernel will switch to a modified branch prediction mode if the firmware interface is available.<<BR>><<BR>>With nobp=0, the kernel will run in the normal branch prediction mode. || nobp=1 ||
|| s390x || Run the kernel in the normal branch prediction mode || nospec || Equivalent to nobp=0 || ||
|| s390x || Disable no-spec barriers || nogmb || || ||

CVE-2018-3639 (aka Variant 4)

|| Arch || Description || Kernel Parameter || Options || Ubuntu default ||
|| amd64 || Fine grained mitigations || spec_store_bypass_disable=[prctl|seccomp] || prctl - mitigations disabled by default with opt-in enablement available via prctl()<<BR>><<BR>>seccomp - same as "prctl" plus all applications with a seccomp filter are implicitly opted-in to mitigations || ||
|| amd64<<BR>>ppc64el || Global mitigations || spec_store_bypass_disable=[on|off|auto] || on - unconditionally enable mitigations<<BR>><<BR>>off - unconditionally disable mitigations<<BR>><<BR>>auto - On x86, same as "seccomp" above. On ppc64el, the kernel and virtual machines are protected. || auto ||
|| amd64<<BR>>ppc64el || Disable all mitigations (system may allow data leaks with this option) || nospec_store_bypass_disable || Equivalent to spec_store_bypass_disable=off || ||
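
The tables above are the kind of thing a fleet audit wants to check mechanically: which of these parameters is present on a host's kernel command line, and what they mean for each CVE. The following Python is an added example, not code from the Ubuntu wiki or the kernel; it applies the equivalences the tables state (nopti == pti=off, nopti == no_rfi_flush on powerpc, nospectre_v2 == spectre_v2=off, nospec == nobp=0 on s390x, nospec_store_bypass_disable == spec_store_bypass_disable=off, unspecified == auto) to a /proc/cmdline string that the caller supplies, and treats noibrs/noibpb/nogmb as partial removal rather than a full "off".

```python
from typing import Dict, List, Optional

PTI_VALUES = {"on", "off", "auto"}           # pti=  (amd64)
KPTI_VALUES = {"on", "off"}                  # kpti= (arm64)
SPECTRE_V2_VALUES = {"on", "off", "auto", "retpoline",
                     "retpoline,generic", "retpoline,amd"}
SSBD_VALUES = {"on", "off", "auto", "prctl", "seccomp"}

def parse_cmdline(cmdline: str) -> Dict[str, Optional[str]]:
    """/proc/cmdline text -> {param: value}; bare flags map to None, last wins."""
    params: Dict[str, Optional[str]] = {}
    for token in cmdline.split():
        key, has_value, value = token.partition("=")
        params[key] = value if has_value else None
    return params

def effective_mitigations(cmdline: str) -> Dict[str, str]:
    """Map each CVE to 'off' when the boot line unconditionally disables its
    mitigation, otherwise to the selected mode ('auto' when nothing is given)."""
    p = parse_cmdline(cmdline)
    res: Dict[str, str] = {}
    # CVE-2017-5754: nopti == pti=off, and on powerpc nopti == no_rfi_flush.
    pti = p.get("pti") if p.get("pti") in PTI_VALUES else None
    kpti = p.get("kpti") if p.get("kpti") in KPTI_VALUES else None
    if "nopti" in p or "no_rfi_flush" in p or "off" in (pti, kpti):
        res["CVE-2017-5754"] = "off"
    else:
        res["CVE-2017-5754"] = pti or kpti or "auto"
    # CVE-2017-5715: nospectre_v2 == spectre_v2=off; on s390x nospec == nobp=0.
    # noibrs/noibpb/nogmb remove only part of the mitigation: flagged as partial.
    v2 = p.get("spectre_v2") if p.get("spectre_v2") in SPECTRE_V2_VALUES else None
    if "nospectre_v2" in p or v2 == "off" or "nospec" in p or p.get("nobp") == "0":
        res["CVE-2017-5715"] = "off"
    else:
        res["CVE-2017-5715"] = v2 or ("on" if p.get("nobp") == "1" else "auto")
    partial = [f for f in ("noibrs", "noibpb", "nogmb") if f in p]
    if partial and res["CVE-2017-5715"] != "off":
        res["CVE-2017-5715"] += " (partial: " + ",".join(partial) + ")"
    # CVE-2018-3639: nospec_store_bypass_disable == spec_store_bypass_disable=off.
    ssbd = p.get("spec_store_bypass_disable")
    if "nospec_store_bypass_disable" in p or ssbd == "off":
        res["CVE-2018-3639"] = "off"
    else:
        res["CVE-2018-3639"] = ssbd if ssbd in SSBD_VALUES else "auto"
    return res

def weakened(cmdline: str) -> List[str]:
    """CVEs whose mitigation the boot line turns off or partially removes."""
    return [c for c, m in effective_mitigations(cmdline).items()
            if m == "off" or "partial" in m]
```

On a live host, feed it `open("/proc/cmdline").read()`; an empty result from `weakened()` means none of the tunables in these tables has been used to turn a mitigation off.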

SecurityTeam/KnowledgeBase/SpectreAndMeltdown/MitigationControls (last edited 2018-07-11 19:46:22 by tyhicks)