author    intrigeri <intrigeri@boum.org>    2019-05-18 09:09:58 +0000
committer intrigeri <intrigeri@boum.org>    2019-05-18 10:03:08 +0000
commit    fbc4e94f9e7a993c3447d07dd3eee501b144a937 (patch)
tree      a13741da368b4a6da01a5ce7dce9f9daa6970f9b /wiki/src
parent    575ee712cfab9c4863e6c549788b604320fa372b (diff)
Enable all available mitigations for the MDS vulnerability and disable SMT on vulnerable CPUs (refs: #16720)
Diffstat (limited to 'wiki/src')
-rw-r--r--  wiki/src/contribute/design/kernel_hardening.mdwn  11
1 files changed, 11 insertions, 0 deletions
diff --git a/wiki/src/contribute/design/kernel_hardening.mdwn b/wiki/src/contribute/design/kernel_hardening.mdwn
index 38132a9..c683a3b 100644
--- a/wiki/src/contribute/design/kernel_hardening.mdwn
+++ b/wiki/src/contribute/design/kernel_hardening.mdwn
@@ -108,3 +108,14 @@ increased address-space fragmentation.
### `kernel.kexec_load_disabled = 1`
kexec is dangerous: it enables replacement of the running kernel.
+
+### `mds=full,nosmt`
+
+As per
+<https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html>,
+if the CPU is vulnerable, this:
+
+1. enables "all available mitigations for the MDS vulnerability, CPU
+ buffer clearing on exit to userspace";
+2. disables SMT which is another avenue for exploiting this class
+ of attacks.
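Review bot: item 2 of the new list ("disables SMT which is another avenue for exploiting this class / of attacks") is missing a comma after "SMT" and, more importantly, does not state the trade-off: per the linked admin-guide page, the `nosmt` part only takes effect on CPUs the kernel considers vulnerable to MDS, and when it does, disabling SMT halves the number of logical CPUs available, which belongs next to the security benefit. Unlike the `kernel.kexec_load_disabled = 1` sysctl documented immediately above, `mds=full,nosmt` is a kernel command-line parameter (the reference is the admin-guide hw-vuln page), so the section should say where it is applied (the boot loader's kernel command line) rather than leaving readers to look for a sysctl. A one-line verification hint would also help maintainers, e.g. that after boot `/sys/devices/system/cpu/vulnerabilities/mds` reports the active mitigation and the SMT state, so a regression in the boot parameters is easy to spot.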