operating-systems: include the supersets instead of just mds #1269
Reference: privacyguides/privacytools.io#1269
TL;DR: This changes `mds=full,nosmt` to its superset `mitigations=auto,nosmt`, which includes all CPU mitigation support of the Linux kernel. I understand that `nosmt=force` means that the root user cannot restore SMT after boot by running a sysctl command to adjust kernel configuration at runtime. While I am unsure whether it's really needed in our scope, I would say better safe than sorry.

To quote the kernel doc https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
...
Mainly edited page: https://deploy-preview-1269--privacytools-io.netlify.com/operating-systems/#cpuvulns
Resolves: #1272
Deploy preview for privacytools-io ready!
Built with commit
363d9c1889
https://deploy-preview-1269--privacytools-io.netlify.com
WARNING! It's 01 am and I feel tired, please read it carefully. I also haven't tested it by myself yet, I have the config in place and can see it in grep.
linux /boot/vmlinuz-5.2.0-2-amd64 root=UUID=<censored> ro quiet apparmor=1 security=apparmor mds=full,nosmt mitigations=auto,nosmt nosmt=force acpi_osi=
@ -55,3 +55,2 @@
<li><code>sudo mkdir /etc/default/grub.d/</code> to create a directory for additional grub configuration</li>
<li><code>echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT mds=full,nosmt" | sudo tee /etc/default/grub.d/mds.conf</code> to create a new grub config file source with the echoed content</li>
<li><code>sudo grub-mkconfig -o /boot/grub/grub.cfg</code> to generate a new grub config file including this new kernel boot flag</li>
<li><code>echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT l1tf=full,force mds=full,nosmt mitigations=auto,nosmt nosmt=force" | sudo tee /etc/default/grub.d/mitigations.cfg</code> to create a new grub config file source with the echoed content</li>
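Review bot: The `sudo mkdir /etc/default/grub.d/` step at the top of this hunk fails with an error when the directory already exists, which will make readers think the procedure is broken; `sudo mkdir -p /etc/default/grub.d/` is safe to re-run. Since the target file name changes from `mds.conf` to `mitigations.cfg`, it would also help to tell readers who followed the earlier instructions that the old `mds.conf` can be deleted.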
The file must end in `.cfg` to be read, so our current instructions are broken. I just noticed this while reading through the preview.

Apparently the `mitigations=` has been added in kernel 5.1, so it's too recent and I will be listing the older flags too.
@ -57,2 +56,3 @@
<li><code>sudo grub-mkconfig -o /boot/grub/grub.cfg</code> to generate a new grub config file including this new kernel boot flag</li>
<li><code>echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT l1tf=full,force mds=full,nosmt mitigations=auto,nosmt nosmt=force" | sudo tee /etc/default/grub.d/mitigations.cfg</code> to create a new grub config file source with the echoed content</li>
<li><code>sudo grub-mkconfig -o /boot/grub/grub.cfg</code> to generate a new grub config file including these new kernel boot flags</li>
<li><code>sudo reboot</code> to reboot</li>
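Review bot: The argument of the added `echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT l1tf=full,force ..." | sudo tee /etc/default/grub.d/mitigations.cfg` line is not single-quoted, so the reader's own shell expands `$GRUB_CMDLINE_LINUX_DEFAULT` (normally unset there) and strips the double quotes before `tee` writes anything. The file then contains `GRUB_CMDLINE_LINUX_DEFAULT= l1tf=full,force mds=full,nosmt ...` with no quotes, and if the drop-in is sourced as shell, as the variable reference implies, that line is read as five separate assignments and leaves the GRUB variable empty. Wrapping the whole argument in single quotes makes the quotes and the variable reference reach the file literally.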
Are these flags enough or too much or should I find the opposites of these?
@ -57,2 +56,3 @@
<li><code>sudo grub-mkconfig -o /boot/grub/grub.cfg</code> to generate a new grub config file including this new kernel boot flag</li>
<li><code>echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT l1tf=full,force mds=full,nosmt mitigations=auto,nosmt nosmt=force" | sudo tee /etc/default/grub.d/mitigations.cfg</code> to create a new grub config file source with the echoed content</li>
<li><code>sudo grub-mkconfig -o /boot/grub/grub.cfg</code> to generate a new grub config file including these new kernel boot flags</li>
<li><code>sudo reboot</code> to reboot</li>
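Review bot: The procedure ends at `sudo reboot` with no step that confirms the flags took effect, and a silently ignored drop-in is exactly the failure this change is fixing. Consider adding a final list item that has the reader check `cat /proc/cmdline` for the new flags and read the files under `/sys/devices/system/cpu/vulnerabilities/` after the reboot.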
Trying to CTRL+F the kernel documentation, I think these look reasonable, except that I am not sure if `ssbd=force-on` should be included. How common is ARM64?
@ -57,2 +56,3 @@
<li><code>sudo grub-mkconfig -o /boot/grub/grub.cfg</code> to generate a new grub config file including this new kernel boot flag</li>
<li><code>echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT l1tf=full,force mds=full,nosmt mitigations=auto,nosmt nosmt=force" | sudo tee /etc/default/grub.d/mitigations.cfg</code> to create a new grub config file source with the echoed content</li>
<li><code>sudo grub-mkconfig -o /boot/grub/grub.cfg</code> to generate a new grub config file including these new kernel boot flags</li>
<li><code>sudo reboot</code> to reboot</li>
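Review bot: The flag list in the added `echo` line turns SMT off three times over (`mds=full,nosmt`, `mitigations=auto,nosmt`, `nosmt=force`), but the list item text only says it creates "a new grub config file source with the echoed content". A reader copying this gets no indication that hyper-threading will be disabled or that the overlapping flags are there for kernels that lack `mitigations=`; one sentence in the list item covering both would document the trade-off.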
On user systems, not a lot, I think. Although we could see a rise in ARM Linux when those new Linux phones take off. But I think we can exclude it for now.
@privacytoolsIO/editorial Reminder that this fixes https://github.com/privacytoolsIO/privacytools.io/issues/1272 and the current site is entirely broken on the topic of hardware vulnerability mitigation due to one letter.
@privacytoolsIO/editorial Reminder that this fixes #1272 and the current site is entirely broken on the topic of hardware vulnerability mitigation due to one letter.
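The drop-in step discussed in this thread, as an added example that is not part of the pull request or the site's instructions: it writes the file once the way the `echo ... | sudo tee` line does and once with the argument single-quoted, then sources each the way a shell-sourced GRUB drop-in would be read. The temporary files, the `quiet` default and all function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: compares two ways of writing the GRUB drop-in from this thread.
FLAGS='l1tf=full,force mds=full,nosmt mitigations=auto,nosmt nosmt=force'

# Form used in the instructions. Assumption: GRUB_CMDLINE_LINUX_DEFAULT is
# unset in the reader's interactive shell, so it expands to nothing, and the
# double quotes are consumed by the shell before echo runs.
write_dropin_expanded() {
    ( unset GRUB_CMDLINE_LINUX_DEFAULT
      echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT $FLAGS" > "$1" )
}

# Single-quoted form: quotes and variable reference reach the file verbatim,
# so expansion happens later, when the drop-in is sourced.
write_dropin_literal() {
    echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT '"$FLAGS"'"' > "$1"
}

# Stand-in for the config generator: start from a distro default
# (constructed value "quiet"), source the drop-in, return the result.
effective_cmdline() {
    ( GRUB_CMDLINE_LINUX_DEFAULT='quiet'
      . "$1"
      printf '%s' "$GRUB_CMDLINE_LINUX_DEFAULT" )
}

demo() {
    tmp=$(mktemp -d) || return 1
    write_dropin_expanded "$tmp/expanded.cfg"
    write_dropin_literal  "$tmp/literal.cfg"
    for f in expanded literal; do
        printf '%s.cfg: %s\n  -> [%s]\n' "$f" "$(cat "$tmp/$f.cfg")" \
            "$(effective_cmdline "$tmp/$f.cfg")"
    done
    rm -rf "$tmp"
}
demo
```

The expanded form leaves the variable empty, dropping the distro default as well as the new flags; the literal form appends the flags to the default.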