operating-systems: include the supersets instead of just mds #1269

jonah · 2019-09-05T22:21:53Z

Mikaela commented

2019-09-05 22:21:53 +00:00

(Migrated from github.com)

TL;DR: This changes mds=full,nosmt to its superset mitigations=auto,nosmt which includes all CPU mitigation support of Linux kernel. I understand that nosmt=force means that the root user cannot restore SMT after boot by running a sysctl command to adjust kernel configuration runtime. While I am unsure whether it's really needed in our scope, I would say better safe than sorry.

To quote the kernel doc https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html

    mitigations=
                    [X86,PPC,S390,ARM64] Control optional mitigations for
                    CPU vulnerabilities.  This is a set of curated,
                    arch-independent options, each of which is an
                    aggregation of existing arch-specific options.

                    off
                            Disable all optional CPU mitigations.  This
                            improves system performance, but it may also
                            expose users to several CPU vulnerabilities.
                            Equivalent to: nopti [X86,PPC]
                                           kpti=0 [ARM64]
                                           nospectre_v1 [X86,PPC]
                                           nobp=0 [S390]
                                           nospectre_v2 [X86,PPC,S390,ARM64]
                                           spectre_v2_user=off [X86]
                                           spec_store_bypass_disable=off [X86,PPC]
                                           ssbd=force-off [ARM64]
                                           l1tf=off [X86]
                                           mds=off [X86]

                    auto (default)
                            Mitigate all CPU vulnerabilities, but leave SMT
                            enabled, even if it's vulnerable.  This is for
                            users who don't want to be surprised by SMT
                            getting disabled across kernel upgrades, or who
                            have other ways of avoiding SMT-based attacks.
                            Equivalent to: (default behavior)

                    auto,nosmt
                            Mitigate all CPU vulnerabilities, disabling SMT
                            if needed.  This is for users who always want to
                            be fully mitigated, even if it means losing SMT.
                            Equivalent to: l1tf=flush,nosmt [X86]
                                           mds=full,nosmt [X86]

...

    nosmt           [KNL,S390] Disable symmetric multithreading (SMT).
                    Equivalent to smt=1.

                    [KNL,x86] Disable symmetric multithreading (SMT).
                    nosmt=force: Force disable SMT, cannot be undone
                                 via the sysfs control file.

Mainly edited page: https://deploy-preview-1269--privacytools-io.netlify.com/operating-systems/#cpuvulns

Resolves: #1272

TL;DR: This changes `mds=full,nosmt` to its superset `mitigations=auto,nosmt` which includes all CPU mitigation support of Linux kernel. I understand that `nosmt=force` means that the root user cannot restore SMT after boot by running a sysctl command to adjust kernel configuration runtime. While I am unsure whether it's really needed in our scope, I would say better safe than sorry. To quote the kernel doc https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html mitigations= [X86,PPC,S390,ARM64] Control optional mitigations for CPU vulnerabilities. This is a set of curated, arch-independent options, each of which is an aggregation of existing arch-specific options. off Disable all optional CPU mitigations. This improves system performance, but it may also expose users to several CPU vulnerabilities. Equivalent to: nopti [X86,PPC] kpti=0 [ARM64] nospectre_v1 [X86,PPC] nobp=0 [S390] nospectre_v2 [X86,PPC,S390,ARM64] spectre_v2_user=off [X86] spec_store_bypass_disable=off [X86,PPC] ssbd=force-off [ARM64] l1tf=off [X86] mds=off [X86] auto (default) Mitigate all CPU vulnerabilities, but leave SMT enabled, even if it's vulnerable. This is for users who don't want to be surprised by SMT getting disabled across kernel upgrades, or who have other ways of avoiding SMT-based attacks. Equivalent to: (default behavior) auto,nosmt Mitigate all CPU vulnerabilities, disabling SMT if needed. This is for users who always want to be fully mitigated, even if it means losing SMT. Equivalent to: l1tf=flush,nosmt [X86] mds=full,nosmt [X86] ... nosmt [KNL,S390] Disable symmetric multithreading (SMT). Equivalent to smt=1. [KNL,x86] Disable symmetric multithreading (SMT). nosmt=force: Force disable SMT, cannot be undone via the sysfs control file. * * * * * Mainly edited page: https://deploy-preview-1269--privacytools-io.netlify.com/operating-systems/#cpuvulns Resolves: #1272

blacklight447 (Migrated from github.com) reviewed 2019-09-05 22:21:53 +00:00

jonah reviewed 2019-09-05 22:21:53 +00:00

netlify[bot] commented

2019-09-05 22:22:38 +00:00

(Migrated from github.com)

Deploy preview for privacytools-io ready!

Built with commit 363d9c1889

https://deploy-preview-1269--privacytools-io.netlify.com

Deploy preview for *privacytools-io* ready! Built with commit 363d9c1889a5378a36c28f76c3a2c6e1cc30649a https://deploy-preview-1269--privacytools-io.netlify.com

Mikaela commented

2019-09-05 22:23:43 +00:00

(Migrated from github.com)

WARNING! It's 01 am and I feel tired, please read it carefully. I also haven't tested it by myself yet, I have the config in place and can see it in grep.

linux /boot/vmlinuz-5.2.0-2-amd64 root=UUID=<censored> ro quiet apparmor=1 security=apparmor mds=full,nosmt mitigations=auto,nosmt nosmt=force acpi_osi=

***WARNING!*** It's 01 am and I feel tired, please read it carefully. I also haven't tested it by myself yet, I have the config in place and can see it in grep. `linux /boot/vmlinuz-5.2.0-2-amd64 root=UUID=<censored> ro quiet apparmor=1 security=apparmor mds=full,nosmt mitigations=auto,nosmt nosmt=force acpi_osi=`

Mikaela (Migrated from github.com) reviewed 2019-09-06 08:32:18 +00:00

_includes/sections/operating-systems.html

						
				@ -55,3 +55,2 @@

				  <li><code>sudo mkdir /etc/default/grub.d/</code> to create a directory for additional grub configuration</li>

				  <li><code>echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT mds=full,nosmt" | sudo tee /etc/default/grub.d/mds.conf</code> to create a new grub config file source with the echoed content</li>

				  <li><code>sudo grub-mkconfig -o /boot/grub/grub.cfg</code> to generate a new grub config file including this new kernel boot flag</li>

				  <li><code>echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT l1tf=full,force mds=full,nosmt mitigations=auto,nosmt nosmt=force" | sudo tee /etc/default/grub.d/mitigations.cfg</code> to create a new grub config file source with the echoed content</li>

Mikaela (Migrated from github.com) commented

2019-09-06 08:32:17 +00:00

the file must end .cfg to be read, so our current instructions are broken. I just noticed this while reading through the preview.

#1272

the file must end `.cfg` to be read, so our current instructions are broken. I just noticed this while reading through the preview. * #1272

Mikaela commented

2019-09-06 08:50:35 +00:00

(Migrated from github.com)

Apparently the mitigations= has been added in kernel 5.1, so it's too recent and I will be listing the older flags too.

Apparently the `mitigations=` has been added in kernel 5.1, so it's too recent and I will be listing the older flags too.

👍 1

blacklight447 (Migrated from github.com) reviewed 2019-09-06 08:51:03 +00:00

Mikaela (Migrated from github.com) reviewed 2019-09-06 09:29:06 +00:00

_includes/sections/operating-systems.html

						
				@ -57,2 +56,3 @@

				  <li><code>sudo grub-mkconfig -o /boot/grub/grub.cfg</code> to generate a new grub config file including this new kernel boot flag</li>

				  <li><code>echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT l1tf=full,force mds=full,nosmt mitigations=auto,nosmt nosmt=force" | sudo tee /etc/default/grub.d/mitigations.cfg</code> to create a new grub config file source with the echoed content</li>

				  <li><code>sudo grub-mkconfig -o /boot/grub/grub.cfg</code> to generate a new grub config file including these new kernel boot flags</li>

				  <li><code>sudo reboot</code> to reboot</li>

Mikaela (Migrated from github.com) commented

2019-09-06 09:29:05 +00:00

Are these flags enough or too much or should I find the opposites of these?

                        Equivalent to: nopti [X86,PPC]
                                       kpti=0 [ARM64]
                                       nospectre_v1 [X86,PPC]
                                       nobp=0 [S390]
                                       nospectre_v2 [X86,PPC,S390,ARM64]
                                       spectre_v2_user=off [X86]
                                       spec_store_bypass_disable=off [X86,PPC]
                                       ssbd=force-off [ARM64]
                                       l1tf=off [X86]
                                       mds=off [X86]

Are these flags enough or too much or should I find the opposites of these? Equivalent to: nopti [X86,PPC] kpti=0 [ARM64] nospectre_v1 [X86,PPC] nobp=0 [S390] nospectre_v2 [X86,PPC,S390,ARM64] spectre_v2_user=off [X86] spec_store_bypass_disable=off [X86,PPC] ssbd=force-off [ARM64] l1tf=off [X86] mds=off [X86]

Mikaela (Migrated from github.com) reviewed 2019-09-06 09:37:00 +00:00

_includes/sections/operating-systems.html

						
				@ -57,2 +56,3 @@

				  <li><code>sudo grub-mkconfig -o /boot/grub/grub.cfg</code> to generate a new grub config file including this new kernel boot flag</li>

				  <li><code>echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT l1tf=full,force mds=full,nosmt mitigations=auto,nosmt nosmt=force" | sudo tee /etc/default/grub.d/mitigations.cfg</code> to create a new grub config file source with the echoed content</li>

				  <li><code>sudo grub-mkconfig -o /boot/grub/grub.cfg</code> to generate a new grub config file including these new kernel boot flags</li>

				  <li><code>sudo reboot</code> to reboot</li>

Mikaela (Migrated from github.com) commented

2019-09-06 09:37:00 +00:00

Trying to CTRL+F the kernel documentaton, I think these look reasonable, except that I am not sure if ssbd=force-on should be included. How common is ARM64?

Trying to CTRL+F the kernel documentaton, I think these look reasonable, except that I am not sure if `ssbd=force-on` should be included. How common is ARM64?

nitrohorse (Migrated from github.com) approved these changes 2019-09-13 01:43:13 +00:00

blacklight447 (Migrated from github.com) reviewed 2019-09-13 14:48:48 +00:00

_includes/sections/operating-systems.html

						
				@ -57,2 +56,3 @@

				  <li><code>sudo grub-mkconfig -o /boot/grub/grub.cfg</code> to generate a new grub config file including this new kernel boot flag</li>

				  <li><code>echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT l1tf=full,force mds=full,nosmt mitigations=auto,nosmt nosmt=force" | sudo tee /etc/default/grub.d/mitigations.cfg</code> to create a new grub config file source with the echoed content</li>

				  <li><code>sudo grub-mkconfig -o /boot/grub/grub.cfg</code> to generate a new grub config file including these new kernel boot flags</li>

				  <li><code>sudo reboot</code> to reboot</li>

blacklight447 (Migrated from github.com) commented

2019-09-13 14:48:48 +00:00

On user systems not a lot i think. although we could see a rise in arm linux when those new linux phones take off. but i think we can exclude it for now.

Mikaela commented

2019-09-19 13:31:50 +00:00

(Migrated from github.com)

@privacytoolsIO/editorial Reminder that this fixes https://github.com/privacytoolsIO/privacytools.io/issues/1272 and the current site is entirely broken on the topic of hardware vulnerability mitigation due to one letter.

Mikaela commented

2019-09-29 13:15:30 +00:00

(Migrated from github.com)

@privacytoolsIO/editorial Reminder that this fixes #1272 and the current site is entirely broken on the topic of hardware vulnerability mitigation due to one letter.

dawidpotocki (Migrated from github.com) approved these changes 2019-09-29 13:24:10 +00:00

This repo is archived. You cannot comment on pull requests.

No Reviewers

jonah

blacklight447

nitrohorse

dawidpotocki

1 Participants

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: privacyguides/privacytools.io#1269