Kernel Hardening - security-misc

1 Like
1 Like

A post was merged into an existing topic: IO_uring security / vulnerabilties?

Noted. I’m posting here about more options for reference in case a challenger appears who could and cares to handle such a project.

IO_uring is a new IO subsystem and is a veritable vuln dumpster fire. The Goog has disabled it on its systems and OSs.

A new 6.6 sysctl is developed just to disable it on boot which we should take advantage of ASAP.

1 Like

Overall, a very interesting set of discussions and suggestions!

I am also trying to catch up on the all details to see whether I can offer any feedback.


This was merged.

How about Speculative Return Stack Overflow (SRSO) — The Linux Kernel documentation?


			[X86] Control RAS overflow mitigation on AMD Zen CPUs

			off		- Disable mitigation
			microcode	- Enable microcode mitigation only
			safe-ret	- Enable sw-only safe RET mitigation (default)
			ibpb		- Enable mitigation by issuing IBPB on
					  kernel entry
			ibpb-vmexit	- Issue IBPB only on VMEXIT
					  (cloud-specific mitigation)

See also:

cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow