Additional CPU Mitigations

[raja-grewal]

Hello,

I was browsing through the currently applied CPU mitigations and noticed that there are perhaps a few additions that could be made that are not already enabled using implicit mitigations=auto by default. Note see Kicksecure/security-misc#199 (comment) and Kicksecure/security-misc#320 for some comments on the flawed reliance on this parameter to do maximum hardening by default.

Currently you explicitly enable the follow:

spec_store_bypass_disable=on
ssbd=force-on
spectre_v2=on
spectre_bhi=on
tsx=off

Using the kernel docs as a guide we can find several others that can be tightened. Additionally, you could also refer to the linked Kicksecure configs where you can find more succinct details (but with SMT disabled) and references regarding each parameter.

Given that you have elected to not disable SMT, I still think there are some further hardening you can apply above the default.

The additional proposed settings to include are the following:

kvm-intel.vmentry_l1d_flush=always
kvm.nx_huge_pages=force
l1d_flush=on
kvm.mitigate_smt_rsb=1
gather_data_sampling=force
indirect_target_selection=force
vmscape=force

Despite obvious expected performance reductions across the board, the only one with the potential to cause more serious issues is gather_data_sampling=force as this will entirely disable use of the AVX instruction set if a suitable microcode update is not also applied.

I look forward to any feedback!

[SkewedZeppelin]

• spec_store_bypass_disable=on: necessary to apply to all processes instead of default per process opt-in
• ssbd=on: necessary to apply to kernel+userspace instead of just kernel default
• spectre_v2=on: necessary to apply to kernel+userspace instead of just kernel default
• spectre_bhi=on: this matches the kernel default, but is set regardless
• tsx=off: this feature has limited use and high risk, so it gets disabled even if it isn't vulnerable (but iirc all that got the microcode to support disablement are vulnerable anyway)
• kvm-intel.vmentry_l1d_flush=always: huge impact to performance
• l1d_flush=on: huge impact to performance
• kvm.nx_huge_pages=force: is already enabled if nedded
• gather_data_sampling=force: necessary systems should already be patched by updated microcode, especially by my real-ucode package, I'm not going to disable AVX for those who don't want to load the microcode
• indirect_target_selection=force: it is already default on if impacted
• vmscape=force: it is already default on if impacted

[SkewedZeppelin]

I will enable options that offer additional coverage, provided they:

• don't severely impact performance, unless they are important enough such as the spectre_v2 userspace mitigations
• don't disable valid features such as smt or avx
• aren't already enabled

[SkewedZeppelin]

l1d_flush=on after some reading, this doesn't even do anything on its own, except for allowing processes that opt in to it, and only then gets enabled if they are explicitly assigned to non-smt cores