Commit fbc4e94f authored by intrigeri

Enable all available mitigations for the MDS vulnerability and disable SMT on vulnerable CPUs (refs: #16720)
parent 575ee712
......@@ -17,7 +17,7 @@ export SOURCE_DATE_FAKETIME="$(date --utc --date="$(dpkg-parsechangelog --show-f
# Base for the string that will be passed to "lb config --bootappend-live"
# FIXME: see [[bugs/sdmem_on_eject_broken_for_CD]] for explanation why we
# need to set block.events_dfl_poll_msecs
AMNESIA_APPEND="live-media=removable nopersistence noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails slab_nomerge slub_debug=FZP mce=0 vsyscall=none page_poison=1 union=aufs"
AMNESIA_APPEND="live-media=removable nopersistence noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails slab_nomerge slub_debug=FZP mce=0 vsyscall=none page_poison=1 mds=full,nosmt union=aufs"
# Options passed to isohybrid
AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
......
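Review bot: the new `mds=full,nosmt` token in `AMNESIA_APPEND` is the only hardening option on this line whose reason is not findable from the file itself; the comment block above explains `block.events_dfl_poll_msecs` but nothing points at where `mds=` (or `slab_nomerge`, `slub_debug=FZP`, `page_poison=1`) is documented. A one-line comment naming the hardening documentation, or the kernel's admin-guide `hw-vuln/mds` page, would let the next reader of this line understand why SMT gets disabled on affected CPUs without having to find this commit. Since the boot string is already very long, this is also a natural point to build `AMNESIA_APPEND` from a few grouped pieces (media/boot options, kernel hardening, union filesystem) so that future additions like this one are easier to review.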
......@@ -108,3 +108,14 @@ increased address-space fragmentation.
### `kernel.kexec_load_disabled = 1`
kexec is dangerous: it enables replacement of the running kernel.
### `mds=full,nosmt`
As per
<https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html>,
if the CPU is vulnerable, this:
1. enables "all available mitigations for the MDS vulnerability, CPU
buffer clearing on exit to userspace";
2. disables SMT which is another avenue for exploiting this class
of attacks.
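Review bot: the new section states the two effects but leaves the conditions implicit; since item 2 only applies "if the CPU is vulnerable", it would help to say explicitly that SMT stays enabled on CPUs that are not affected by MDS, and to name the user-visible consequence on affected hardware (fewer logical CPUs available), so that someone comparing CPU counts between machines is not surprised. The numbered list is also split across lines mid-sentence ("CPU / buffer clearing", "class / of attacks"); joining each item onto one line keeps the Markdown rendering of this document consistent with the preceding `kernel.kexec_load_disabled` entry.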