path: root/wiki/src/contribute/design/kernel_hardening.mdwn
author: Cyril Brulebois <ckb@riseup.net> 2019-05-21 18:28:03 +0200
committer: Cyril Brulebois <ckb@riseup.net> 2019-05-21 18:28:03 +0200
commit: 4e2bafaf1ae16a6318d2d63dd889f648e09b17f8 (patch)
tree: 5b42a573d3efce818f73f66c0f8ff0131a5f46db /wiki/src/contribute/design/kernel_hardening.mdwn
parent: 482e31d3104deebd6e6a0e84608d7e322afe958e (diff)
parent: 432e8a1bb02d38c0eef68a8d64cdb8aaecb31887 (diff)
Merge branch 'web/release-3.14'
Conflicts:
    wiki/src/inc/stable_amd64_img_gpg_signature_output.html
    wiki/src/inc/stable_amd64_iso_gpg_signature_output.html

Resolve conflicts by picking the signatures from the web/release-3.14 branch, the other ones were just fixups for the previous release.
Diffstat (limited to 'wiki/src/contribute/design/kernel_hardening.mdwn')
-rw-r--r-- wiki/src/contribute/design/kernel_hardening.mdwn | 11
1 file changed, 11 insertions, 0 deletions
diff --git a/wiki/src/contribute/design/kernel_hardening.mdwn b/wiki/src/contribute/design/kernel_hardening.mdwn
index 38132a9..c683a3b 100644
--- a/wiki/src/contribute/design/kernel_hardening.mdwn
+++ b/wiki/src/contribute/design/kernel_hardening.mdwn
@@ -108,3 +108,14 @@ increased address-space fragmentation.
### `kernel.kexec_load_disabled = 1`
kexec is dangerous: it enables replacement of the running kernel.
+
+### `mds=full,nosmt`
+
+As per
+<https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html>,
+if the CPU is vulnerable, this:
+
+1. enables "all available mitigations for the MDS vulnerability, CPU
+ buffer clearing on exit to userspace";
+2. disables SMT which is another avenue for exploiting this class
+ of attacks.
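Review bot: The new `mds=full,nosmt` section explains what the option does but not how to confirm it took effect, which the linked kernel document also covers; consider adding one sentence pointing readers at the per-vulnerability status reported under sysfs (the `/sys/devices/system/cpu/vulnerabilities/` directory described in that admin guide) so the design doc shows how to check the mitigation on a running system. Two smaller points: the link targets `latest`, so the quoted wording may drift from what the page says over time, and it would be worth naming the kernel series this was checked against; and item 2 should make explicit that disabling SMT halves the number of usable logical CPUs, since that is the trade-off a reader of a hardening rationale will want stated alongside the benefit. Consistency nit: the preceding `kernel.kexec_load_disabled = 1` section has no blank line between its heading and its body, while the new section does; pick one style.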