Gentoo Forums
Mitigations for speculative execution vulnerabilities
Gentoopc
Guru
Joined: 25 Dec 2017
Posts: 413

Posted: Mon Jan 08, 2024 10:27 am    Post subject: Mitigations for speculative execution vulnerabilities

Code:

Mitigations for speculative execution vulnerabilities

    [ ]   Remove the kernel mapping in user mode
    [ ]   Avoid speculative indirect branches in kernel
    [ ]   Enable return-thunks
    [ ]   Enable UNRET on kernel entry
    [ ]   Mitigate RSB underflow with call depth tracking
    [ ]   Enable call thunks and call depth tracking debugging
    [ ]   Enable IBPB on kernel entry
    [ ]   Enable IBRS on kernel entry
    [ ]   Force GDS Mitigation

Hello forum. I want to ask the gurus of kernel builds: tell me, which of these parameters must be enabled to start the kernel? Without which parameters will the kernel not start?

logrusx
Advocate
Joined: 22 Feb 2018
Posts: 2729

Posted: Mon Jan 08, 2024 11:32 am

The kernel will boot the PC regardless of all those options being enabled or not.

P.S. I'm not a guru. If you want an answer from a guru, you should wait for a guru to answer.

Best Regards,
Georgi

Gentoopc
Guru
Joined: 25 Dec 2017
Posts: 413

Posted: Mon Jan 08, 2024 11:55 am

logrusx wrote:
The kernel will boot the PC regardless of all those options being enabled or not.



Thanks for answering.... The fact is that the kernels of versions 5.5 _ did not give me the opportunity to turn off Mitigations for speculative.... The kernel panicked.

logrusx
Advocate
Joined: 22 Feb 2018
Posts: 2729

Posted: Mon Jan 08, 2024 12:59 pm

Gentoopc wrote:
logrusx wrote:
The kernel will boot the PC regardless of all those options being enabled or not.



Thanks for answering.... The fact is that the kernels of versions 5.5 _ did not give me the opportunity to turn off Mitigations for speculative.... The kernel panicked.


Did it explicitly state it was because of that? Are you sure it wasn't because of something else? Again, I'm not a kernel guru, but those mitigations are not essential to the functioning of the system. They mitigate hardware security issues. Some of them may already have been fixed in microcode updates, depending on the particular CPU.

Best Regards,
Georgi

Gentoopc
Guru
Joined: 25 Dec 2017
Posts: 413

Posted: Mon Jan 08, 2024 1:11 pm

logrusx wrote:

Did it explicitly state it was because of that? Are you sure it wasn't because of something else?


I have disabled only this option. The core panicked. I enabled this option and the kernel started.

pietinger
Moderator
Joined: 17 Oct 2006
Posts: 5401
Location: Bavaria

Posted: Mon Jan 08, 2024 4:04 pm

Gentoopc wrote:
I have disabled only this option. The core panicked. I enabled this option and the kernel started.

How did you change this option? With an edit of .config OR in "make menuconfig"?
As @logrusx correctly said, none of these options has any effect on whether the kernel boots ... but some of them enable (== select) other option(s) (e.g. CONFIG_CALL_DEPTH_TRACKING and CONFIG_CALL_THUNKS_DEBUG; just look into the <Help> text), and if you have a mismatch (because of not changing it in "make menuconfig") between the primary option and a dependent option, anything can happen ... :lol:

If you did the change in "make menuconfig" I would like to see the Panic text (maybe take a photo).
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
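
Added example (not part of pietinger's post, and not Gentoo or kernel project code): a small checker for the kind of mismatch described above, where a hand-edited .config leaves a dependent option set while its primary option is off. The relation tables are an assumption transcribed from a 6.6-era arch/x86/Kconfig, the helper names parse_config and find_mismatches are made up for this sketch, and the sample .config is constructed.

```python
import re

# Assumed relations, transcribed from arch/x86/Kconfig of a 6.6-era tree;
# confirm them against the <Help> text of the kernel you are building.
DEPENDS_ON = {
    "CALL_DEPTH_TRACKING": ["CPU_SUP_INTEL"],
    "CALL_THUNKS_DEBUG": ["CALL_DEPTH_TRACKING"],
    "RETHUNK": ["RETPOLINE"],
    "CPU_UNRET_ENTRY": ["CPU_SUP_AMD", "RETHUNK"],
}
SELECTS = {"CALL_DEPTH_TRACKING": ["CALL_THUNKS"]}

def parse_config(text):
    """Return {name: value} for set options; '# CONFIG_X is not set' is skipped."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"CONFIG_(\w+)=(.+)$", line.strip())
        if m and m.group(2) != "n":
            found[m.group(1)] = m.group(2)
    return found

def find_mismatches(text):
    """List (option, relation, missing_option) tuples Kconfig would not allow."""
    on = parse_config(text)
    problems = []
    for relation, table in (("depends on", DEPENDS_ON), ("selects", SELECTS)):
        for opt, others in table.items():
            if opt in on:
                problems += [(opt, relation, o) for o in others if o not in on]
    return problems

# Constructed sample: a .config edited by hand, where the debug option was
# switched on while its parent option stayed off.
HAND_EDITED = """\
CONFIG_CPU_SUP_INTEL=y
CONFIG_RETPOLINE=y
CONFIG_RETHUNK=y
# CONFIG_CALL_DEPTH_TRACKING is not set
CONFIG_CALL_THUNKS_DEBUG=y
"""

if __name__ == "__main__":
    for opt, relation, other in find_mismatches(HAND_EDITED):
        print(f"CONFIG_{opt} is set, {relation} CONFIG_{other}, which is not set")
```

Running "make olddefconfig" (or saving once from "make menuconfig") after a hand edit lets Kconfig resolve such mismatches itself.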

Gentoopc
Guru
Joined: 25 Dec 2017
Posts: 413

Posted: Mon Jan 08, 2024 11:09 pm

logrusx wrote:
You are right, this is disabled in new kernel versions) I have rebuilt.

Gentoopc
Guru
Joined: 25 Dec 2017
Posts: 413

Posted: Mon Jan 08, 2024 11:12 pm

pietinger wrote:



menuconfig

freke
Veteran
Joined: 23 Jan 2003
Posts: 1051
Location: Somewhere in Denmark

Posted: Tue Jan 09, 2024 9:32 pm

Gentoopc wrote:
logrusx wrote:
The kernel will boot the PC regardless of all those options being enabled or not.



Thanks for answering.... The fact is that the kernels of versions 5.5 _ did not give me the opportunity to turn off Mitigations for speculative.... The kernel panicked.


You got the panic after upgrading from 5.5 to 6.x? Any of the mitigations turned on/off shouldn't cause that, might want to compare other settings.

Gentoopc
Guru
Joined: 25 Dec 2017
Posts: 413

Posted: Tue Jan 09, 2024 11:49 pm

freke wrote:

When building the kernel version 5 _ _, I tried to turn off Mitigations for speculative.... This option was positioned slightly differently there. The bottom line is that I was getting a kernel panic. Everything is fine now on kernel version 6 . 6 _. Even the productivity of the system as a whole has increased by 2-3 %.

All times are GMT