Kernel Hardening - security-misc

1 Like

Overall, a very interesting set of discussions and suggestions!

I am also trying to catch up on the all details to see whether I can offer any feedback.

2 Likes
1 Like
1 Like
1 Like

This was merged.


1 Like

How about Speculative Return Stack Overflow (SRSO) — The Linux Kernel documentation?

Quote https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt

	spec_rstack_overflow=
			[X86] Control RAS overflow mitigation on AMD Zen CPUs

			off		- Disable mitigation
			microcode	- Enable microcode mitigation only
			safe-ret	- Enable sw-only safe RET mitigation (default)
			ibpb		- Enable mitigation by issuing IBPB on
					  kernel entry
			ibpb-vmexit	- Issue IBPB only on VMEXIT
					  (cloud-specific mitigation)

See also:

cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow
1 Like

TODO: Need to check if secureblue has hardening settings that we lack that would be applicable here too.

1 Like
2 Likes
1 Like

Thank you! Merged.