You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
SRSO is a vulnerability for AMD processor from Zen 1-4 (basically all modern AMD processor). And there are several kargs that can mitigate this vulnerablity: spec_rstack_overflow=microcode, spec_rstack_overflow=safe-ret, spec_rstack_overflow=ibpb, or spec_rstack_overflow=ibpb-vmexit
On my framework AMD, which uses current gen AMD cpu, with all the kargs_hardening applied, the output of lscpu shows Spec rstack overflow: Vulnerable: Safe RET, no microcode and
$ cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow
Vulnerable: Safe RET, no microcode
The discussion on kicksecure actually indicates that no change should be made. The string you posted indicates that safe-ret (the kernel default) is already being applied. however, it's not a full mitigation. From the document you linked:
'Vulnerable: Safe RET, no microcode':
The "Safe RET" mitigation (see below) has been applied to protect the kernel, but the IBPB-extending microcode has not been applied. User space tasks may still be vulnerable.
If you have evidence that there's a better configuration than this, please reopen the ticket.
SRSO is a vulnerability for AMD processor from Zen 1-4 (basically all modern AMD processor). And there are several kargs that can mitigate this vulnerablity:
spec_rstack_overflow=microcode
,spec_rstack_overflow=safe-ret
,spec_rstack_overflow=ibpb
, orspec_rstack_overflow=ibpb-vmexit
On my framework AMD, which uses current gen AMD cpu, with all the
kargs_hardening
applied, the output oflscpu
showsSpec rstack overflow: Vulnerable: Safe RET, no microcode
andKernel Doc: https://kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
Discussion On KickSecure: Kicksecure/security-misc#177
The text was updated successfully, but these errors were encountered: