operating-systems.html: add a warning for Linux/CPU vulns #1231
Reference: privacyguides/privacytools.io#1231
No description provided.
Ref: #904 where cpu.fail was mentioned
Deploy preview for privacytools-io ready!
Built with commit 4697bf6d6c: https://deploy-preview-1231--privacytools-io.netlify.com
I would request changes here and, as there are so many commands, make a different section and explain the commands more in depth there, but this is just a quick draft PR to see if there is interest, or do we trust the OS to handle that?
I only know that the mainline kernel doesn't disable SMT / hyper-threading by default while downstream:
I am next going to work on this unless I hear it's out of scope.
update-grub is an Ubuntu (or Debian) thing, it does not exist on all distributions. It is pretty much an alias for grub-mkconfig -o /boot/grub/grub.cfg.
OpenBSD also disables it.
https://marc.info/?l=openbsd-tech&m=153504937925732&w=2
@dawidpotocki How about this wording?
I would remove update-grub, it does exactly the same thing, the same way.
Also <li> is not closed properly.
Ok, done
Is it enough to list these links here for thinking whether we want to merge this, or should they be included in the PR somehow?
I wonder if this or at least "disable hyperthreading" should be a link, but I can only find
and should it instead say "See also the next topic if it cannot be disabled in your UEFI/BIOS"? But disabling it at the kernel level may be more difficult to revert accidentally, and it only takes effect when the CPU is vulnerable and SMT isn't already disabled in the UEFI BIOS.
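A defender-side check that fits the point above, as an added example (not part of this PR or the privacytools.io site): it interprets the MDS status string the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities/mds (status formats as documented in the kernel's mds.html admin guide linked in this thread) and reports whether the mds=full,nosmt boot flag would still change anything on that machine. The status strings used for testing are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the PR: classify the kernel's MDS sysfs status
# and decide whether mds=full,nosmt would have any effect.

# mds_verdict STATUS -> prints one of:
#   not-affected | mitigated | mitigated-smt-vulnerable | unmitigated | unknown
mds_verdict() {
    case $1 in
        "Not affected")
            echo not-affected ;;
        "Mitigation: Clear CPU buffers; SMT vulnerable")
            # buffer clearing is active but sibling threads still share state
            echo mitigated-smt-vulnerable ;;
        "Mitigation: Clear CPU buffers; SMT "*)
            # "SMT mitigated", "SMT disabled" or "SMT Host state unknown"
            echo mitigated ;;
        "Vulnerable"*)
            # plain "Vulnerable" or the "attempted, no microcode" variant
            echo unmitigated ;;
        *)
            echo unknown ;;
    esac
}

# needs_nosmt STATUS -> succeeds (exit 0) only in the one case the nosmt part
# of mds=full,nosmt addresses: affected CPU, mitigation on, SMT still enabled.
needs_nosmt() {
    [ "$(mds_verdict "$1")" = mitigated-smt-vulnerable ]
}

# On a Linux host, read the live value; elsewhere fall back to a constructed sample.
current_mds_status() {
    f=/sys/devices/system/cpu/vulnerabilities/mds
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo "Mitigation: Clear CPU buffers; SMT vulnerable"   # constructed sample
    fi
}

status=$(current_mds_status)
echo "MDS status: $status -> $(mds_verdict "$status")"
if needs_nosmt "$status"; then
    echo "SMT is still on; mds=full,nosmt (or disabling SMT in firmware) would change this."
else
    echo "mds=full,nosmt would not change anything here."
fi
```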
To increase readability a bit, what about:
Suggestion: lowercase "Simultaneous"
The documentation is a pain to find, the closest I can find now is this:
and it's not what I was reading before (even if I can't make head or tail of it); previously I saw instructions to add something to the registry, and it didn't disable SMT.
Okay, how about we remove this warning (moving it down into the section) and also generalize the vulnerability section to:
<h4 id="cpuvulns">Remember to check CPU vulnerability mitigations</h4>
I think this warning is good here and we could hyperlink it too?
Here's an idea, to simplify things a bit:
We then could move "https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html" down to the links section.
So remove line 42 and update line 45?
Will test
I thought Simultaneous was a name, but apparently not. I will try
I marked multiple older reviews as resolved after addressing the feedback, but here are new ones to ponder about
Should there be a comma here?
I wonder what is the official spelling of UEFI/BIOS?
I think UEFI has deprecated/replaced BIOS entirely, but everyone calls it BIOS for legacy reasons, and I think my grub says "Enter setup" and the thing calls itself UEFI BIOS on my laptop.
or kernel/boot or is it fine?
this must be a typo, or losing a train of thought and, without noticing, continuing with another train of thought
@ -44,0 +55,4 @@
<li><code>sudo mkdir /etc/default/grub.d/</code> to create a directory for additional grub configuration</li>
<li><code>echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT mds=full,nosmt" | sudo tee /etc/default/grub.d/mds.conf</code> to create a new grub config file source with the echoed content</li>
<li><code>sudo grub-mkconfig -o /boot/grub/grub.cfg</code> to generate a new grub config file including this new kernel boot flag</li>
<li><code>sudo reboot</code> to reboot</li>
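Review bot: the echo step is quoted wrongly for what it needs to produce. In `echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT mds=full,nosmt" | sudo tee /etc/default/grub.d/mds.conf` the double quotes are consumed by the user's interactive shell and `$GRUB_CMDLINE_LINUX_DEFAULT` is expanded there (normally to nothing), so the file on disk reads `GRUB_CMDLINE_LINUX_DEFAULT= mds=full,nosmt` with no quotes, which grub-mkconfig cannot source as intended. Single-quote the whole string so it is written literally and expanded later when grub-mkconfig reads it: `echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT mds=full,nosmt"' | sudo tee /etc/default/grub.d/mds.conf`. Also, since the thread already notes that update-grub is an Ubuntu/Debian thing, the step should say which distributions' grub-mkconfig actually read the /etc/default/grub.d/ drop-in directory, otherwise readers on other distributions will create a file that is never used.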
I think it's more universal than
systemctl reboot
I am not entirely sure if a comma belongs here
(Please mark this as resolved if you accept ed7edb5c27)
I think technically no, but it reads more naturally 😄
I've seen it with a forward slash but I don't think it's "official" spelling.
kernel boot flag sounds fine to me 😄
How about adding quotes:
Yeah I think that works 👍
https://en.wikipedia.org/wiki/UEFI isn't too helpful
@ -44,0 +65,4 @@
<li><a href="https://cpu.fail/">CPU.fail</a></li>
<li><a href="https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html">MDS - Microarchitectural Data Sampling on The Linux kernel user's and administrator's guide</a></li>
<li><a href="https://mdsattacks.com/">RIDL and Fallout: MDS attacks on mdsattacks.com</a></li>
<li><a href="https://en.wikipedia.org/wiki/Simultaneous_multithreading">Simultaneous multithreading on Wikipedia</a></li>
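Review bot: the kernel.org MDS admin-guide entry in this list is the same URL already referenced from the section above, and the thread proposes moving that link down into this links section rather than keeping it in both places; keep one copy so the page does not link the same document twice.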
Looks like we link this already, should we remove it here?
I changed the earlier link: 4697bf6d6c
LGTM