author intrigeri <intrigeri@boum.org> 2019-05-18 16:38:49 +0000
committer intrigeri <intrigeri@boum.org> 2019-05-18 16:38:49 +0000
commit 4c54166bd5a468c2e9e521aad61ade635322c9f1 (patch)
tree de5c3941ce1bf34b1fbf28c3f4229c3794fddee4 /wiki/src
parent 2b5f2880c4304805dc0b5a13592949c5c77a44ff (diff)
parent fbc4e94f9e7a993c3447d07dd3eee501b144a937 (diff)
Merge branch 'bugfix/16720-linux-4.19.37-nosmt+force-all-tests' into stable (Fix-committed: #16720, #16708)
Diffstat (limited to 'wiki/src')
-rw-r--r-- wiki/src/contribute/design/kernel_hardening.mdwn 11
1 files changed, 11 insertions, 0 deletions
diff --git a/wiki/src/contribute/design/kernel_hardening.mdwn b/wiki/src/contribute/design/kernel_hardening.mdwn
index 38132a9..c683a3b 100644
--- a/wiki/src/contribute/design/kernel_hardening.mdwn
+++ b/wiki/src/contribute/design/kernel_hardening.mdwn
@@ -108,3 +108,14 @@ increased address-space fragmentation.
### `kernel.kexec_load_disabled = 1`
kexec is dangerous: it enables replacement of the running kernel.
+
+### `mds=full,nosmt`
+
+As per
+<https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html>,
+if the CPU is vulnerable, this:
+
+1. enables "all available mitigations for the MDS vulnerability, CPU
+ buffer clearing on exit to userspace";
+2. disables SMT which is another avenue for exploiting this class
+ of attacks.
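
Review bot: item 2 of the new `mds=full,nosmt` section says SMT is "another avenue for exploiting this class of attacks", but what gets exploited is a vulnerability, not an attack; suggest "which is another avenue for exploiting this class of vulnerabilities". The section also follows `kernel.kexec_load_disabled = 1`, which is written as a sysctl assignment, without saying where `mds=full,nosmt` is set; one sentence stating that it is a kernel command-line parameter would keep readers from treating it as a sysctl. The quotation in item 1 reads as a fragment ("..., CPU buffer clearing on exit to userspace"), so either quote the complete sentence from the linked page or paraphrase it. Finally, unlike the neighbouring entries, nothing here mentions the cost of the choice: since `nosmt` disables SMT, a short note on the performance trade-off and why it was accepted belongs in a design document.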