New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
use SRSO spec_rstack_overflow kernel setting? #177
Comments
|
Whenever there is no appropriate microcode applied, setting this parameter will result in:
There might be a better way to achieve the protections when needed and when avaiable. We already set https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html But even if my understanding is wrong and we are better off setting the parameter given the hardware, I would still say that this option is of very little advantage if at all, on debian. Because this is a new thing apparently. The latest microcode updates are needed to enable these mitigations. Also most of the time the latest Kernel. You see, quoting from the link you provided: On a seperate but related topic, I suggest we do the following: Set Default is Now we already get this protection because we set |
The word "only" is concerning? This seems a weaker setting than:
It might obsolete a few of our other settings. |
I think because it is. I'm suggesting this change. What I'm telling here is, when it is on, available mitigations are chosen. It is better than hardcoding. |
Not sure what you're suggesting? Setting To make sure something is enabled rather than nothing? That would be the wrong approach. verification: Better to ask the kernel from within the running system by using the usual API (/proc or /sys) if mitigation are enabled. This kind of testing, confirmation would be a job for systemcheck. We could drop most and use |
No, the opposite. I am just making a point. A point that we don't need to set the thing you suggested manually, because we already have Only suggestion I'm making is the other thing, which is |
but Note,
It's not the same. Both have their own dedicated kernel manual page. |
Comparing to we already have in our configuration, we seem to be explicitly missing:
As you have stated, using Perhaps we should place this kernel parameter at the top of the configuration so it is applied first and then reinforced by our already more fine-grained settings? This way we will inherit any future mitigation from this kernel parameter that are not explicitly specified while also keeping our strict fine-grained settings fixed. Finally , since |
Ok.
If we don't know it, we should ask somewhere. Short of an obvious answer or expert opinion, without being sure, we better keep it as is. The kernel built-in default setting might actually already be the most secure setting.
Ok.
Ok. |
The |
I have left that parameter as the default kernel mitigation: |
If we don't know a more safe setting than the default, we could as well as leave the default? |
I'll leave it in for clarity but remove the hard-coding while providing an explanation. Thoughts? |
I would like to once again recommend otherwise, because I am not clear on a matter. Steps to reproduce:
What this mean now? What I understand here is, when we set Feel free to correct me if I'm missing something or not understanding correctly. |
The updated, linked PR (which no longer touched Keeping that PR a few days longer open to see if there's any other feedback. |
Was merged and seems reflecting consensus. Please re-open or create a new issue should there still be something to cover. |
To test:
https://kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
Best to use
spec_rstack_overflow=ibpb
?Or not needed because we're already using
spec_store_bypass_disable=on
?The text was updated successfully, but these errors were encountered: