Diffstat (limited to 'wiki/src/contribute/design')
-rw-r--r-- wiki/src/contribute/design/kernel_hardening.mdwn | 11
1 files changed, 11 insertions, 0 deletions
diff --git a/wiki/src/contribute/design/kernel_hardening.mdwn b/wiki/src/contribute/design/kernel_hardening.mdwn
index 38132a9..c683a3b 100644
--- a/wiki/src/contribute/design/kernel_hardening.mdwn
+++ b/wiki/src/contribute/design/kernel_hardening.mdwn
@@ -108,3 +108,14 @@ increased address-space fragmentation.
### `kernel.kexec_load_disabled = 1`
kexec is dangerous: it enables replacement of the running kernel.
+
+### `mds=full,nosmt`
+
+As per
+<https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html>,
+if the CPU is vulnerable, this:
+
+1. enables "all available mitigations for the MDS vulnerability, CPU
+ buffer clearing on exit to userspace";
+2. disables SMT which is another avenue for exploiting this class
+ of attacks.
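Review bot: Item 2 of the new list should spell out the trade-off of the `nosmt` half of the option, since this section is the design rationale and the reader will want to know what is given up: disabling SMT removes the sibling hyperthreads from the scheduler, so on hyperthreaded hardware the system runs with half the logical CPUs it would otherwise have, while item 1's buffer clearing on exit to userspace is the per-syscall cost. The wording "disables SMT which is another avenue for exploiting this class of attacks" also reads loosely; suggest "disables SMT, which closes another avenue for exploiting this class of attacks (a sibling hyperthread sharing the same core)", keeping the "if the CPU is vulnerable" qualifier above it since, per the linked page, both effects apply only on affected CPUs. Finally, consider naming the source of the quoted phrase in item 1 as the `mds=` kernel command-line parameter documentation rather than only giving the URL, so the quotation can be located if the page is reorganised.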