operating-systems: include the supersets instead of just mds #1269
|
|
@ -53,16 +53,17 @@ tor="http://sejnfjrq6szgca7v.onion"
|
|||
|
||||
<ol>
|
||||
<li><code>sudo mkdir /etc/default/grub.d/</code> to create a directory for additional grub configuration</li>
|
||||
<li><code>echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT mds=full,nosmt" | sudo tee /etc/default/grub.d/mds.conf</code> to create a new grub config file source with the echoed content</li>
|
||||
<li><code>sudo grub-mkconfig -o /boot/grub/grub.cfg</code> to generate a new grub config file including this new kernel boot flag</li>
|
||||
<li><code>echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT l1tf=full,force mds=full,nosmt mitigations=auto,nosmt nosmt=force" | sudo tee /etc/default/grub.d/mitigations.cfg</code> to create a new grub config file source with the echoed content</li>
|
||||
|
|
||||
<li><code>sudo grub-mkconfig -o /boot/grub/grub.cfg</code> to generate a new grub config file including these new kernel boot flags</li>
|
||||
<li><code>sudo reboot</code> to reboot</li>
|
||||
Are these flags enough or too much or should I find the opposites of these? Are these flags enough or too much or should I find the opposites of these?
Equivalent to: nopti [X86,PPC]
kpti=0 [ARM64]
nospectre_v1 [X86,PPC]
nobp=0 [S390]
nospectre_v2 [X86,PPC,S390,ARM64]
spectre_v2_user=off [X86]
spec_store_bypass_disable=off [X86,PPC]
ssbd=force-off [ARM64]
l1tf=off [X86]
mds=off [X86]
Trying to CTRL+F the kernel documentaton, I think these look reasonable, except that I am not sure if Trying to CTRL+F the kernel documentaton, I think these look reasonable, except that I am not sure if `ssbd=force-on` should be included. How common is ARM64?
On user systems not a lot i think. although we could see a rise in arm linux when those new linux phones take off. but i think we can exclude it for now. On user systems not a lot i think. although we could see a rise in arm linux when those new linux phones take off. but i think we can exclude it for now.
|
||||
<li>after the reboot, check <code>tail -n +1 /sys/devices/system/cpu/vulnerabilities/*</code> again to see that MDS now says "SMT disabled."</li>
|
||||
<li>after the reboot, check <code>tail -n +1 /sys/devices/system/cpu/vulnerabilities/*</code> again to see that everything referring to SMT now says "SMT disabled."</li>
|
||||
</ol>
|
||||
|
||||
<h5>Further reading</h5>
|
||||
|
||||
<ul>
|
||||
<li><a href="https://cpu.fail/">CPU.fail</a></li>
|
||||
<li><a href="https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/">Hardware vulnerabilities index on The Linux kernel user's and administrator's guide</a></li>
|
||||
<li><a href="https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html">MDS - Microarchitectural Data Sampling on The Linux kernel user's and administrator's guide</a></li>
|
||||
<li><a href="https://mdsattacks.com/">RIDL and Fallout: MDS attacks on mdsattacks.com</a></li>
|
||||
<li><a href="https://en.wikipedia.org/wiki/Simultaneous_multithreading">Simultaneous multithreading on Wikipedia</a></li>
|
||||
|
|
|
|||
Reference in New Issue
the file must end
.cfgto be read, so our current instructions are broken. I just noticed this while reading through the preview.