f125a8b892
This change addresses a long-standing issue in rST documentation imported from XML. That import process added backslash escapes in front of various characters. The three most common being '(', ')', and '_'. These instances are removed.

Signed-off-by: Ron Stone <ronald.stone@windriver.com>
Change-Id: Id43a9337ffcd505ccbdf072d7b29afdb5d2c997e
107 lines
4.8 KiB
ReStructuredText
.. myy1552681345265

.. _security-feature-configuration-for-spectre-and-meltdown:

=======================================================
Security Feature Configuration for Spectre and Meltdown
=======================================================

The system allows for the security features of the Linux kernel to be
configured to mitigate the variants of Meltdown and Spectre side-channel
vulnerabilities (CVE-2017-5754, CVE-2017-5753, CVE-2017-5715).

.. _security-feature-configuration-for-spectre-and-meltdown-section-N1001F-N1001C-N10001:

--------
Overview
--------

By default, mitigation is provided against Spectre v1 type attacks.
Additional mitigation can be enabled to cover Spectre v2 attacks and
Meltdown attacks. Enabling this mitigation may affect system performance.
The Spectre v2 mitigation may also require firmware or BIOS updates from
your motherboard manufacturer to be effective.

.. _security-feature-configuration-for-spectre-and-meltdown-table-hpl-gqx-vdb:

.. table::
   :widths: auto

   +-----------------------------------+---------------------------------------------------------+
   | **Option name**                   | **Description**                                         |
   +-----------------------------------+---------------------------------------------------------+
   | spectre_meltdown_v1 (default)     | Protect against Spectre v1 attacks, highest performance |
   +-----------------------------------+---------------------------------------------------------+
   | spectre_meltdown_all              | Protect against Spectre v1, v2 and Meltdown attacks     |
   +-----------------------------------+---------------------------------------------------------+

.. note::

   Applying these mitigations may result in some performance degradation
   for certain workloads. As the actual performance impacts are expected
   to vary considerably based on the customer workload, |org| recommends
   all our customers to test the performance impact of CVE mitigations on
   their actual workload in a sandbox environment before rolling out the
   mitigations to production.

.. _security-feature-configuration-for-spectre-and-meltdown-section-N1009C-N1001C-N10001:

.. rubric:: |proc|

.. _security-feature-configuration-for-spectre-and-meltdown-ol-i4m-byx-vdb:

#. To view the existing kernel security configuration, use the following
   command to check the current value of security_feature:

   .. code-block:: none

      $ system show
      +----------------------+--------------------------------------+
      | Property             | Value                                |
      +----------------------+--------------------------------------+
      | contact              | None                                 |
      | created_at           | 2020-02-27T15:47:23.102735+00:00     |
      | description          | None                                 |
      | https_enabled        | False                                |
      | location             | None                                 |
      | name                 | 468f57ef-34c1-4e00-bba0-fa1b3f134b2b |
      | region_name          | RegionOne                            |
      | sdn_enabled          | False                                |
      | security_feature     | spectre_meltdown_v1                  |
      | service_project_name | services                             |
      | software_version     | 20.06                                |
      | system_mode          | duplex                               |
      | system_type          | Standard                             |
      | timezone             | Canada/Eastern                       |
      | updated_at           | 2020-02-28T10:56:24.297774+00:00     |
      | uuid                 | c0e35924-e139-4dfc-945d-47f9a663d710 |
      | vswitch_type         | none                                 |
      +----------------------+--------------------------------------+

#. To change the kernel security feature, use the following command syntax:

   .. code-block:: none

      system modify --security_feature [either spectre_meltdown_v1 or spectre_meltdown_all]

   After this command is executed, the kernel arguments will be updated on
   all hosts and on subsequently installed hosts. Rebooting the hosts by
   locking and unlocking each host is required to have the new kernel
   arguments take effect.

#. Analysis of a system may be performed by using the open source
   spectre-meltdown-checker.sh script, which ships as
   /usr/sbin/spectre-meltdown-checker.sh. This tool requires root access to
   run. The tool will attempt to analyze your system to see if it is
   susceptible to Spectre or Meltdown attacks. Documentation for the tool can
   be found at `https://github.com/speed47/spectre-meltdown-checker
   <https://github.com/speed47/spectre-meltdown-checker>`__.
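As an added example (not part of this documentation or the product's own code), the following POSIX shell checker confirms, after the lock/unlock reboot in step 2, that the running kernel actually reports a mitigation for every CVE the configured option covers, using the option-to-CVE mapping from the table above. It reads the kernel's sysfs vulnerability interface (/sys/devices/system/cpu/vulnerabilities); the directory is a parameter so the functions can be exercised against constructed files, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: verify kernel mitigation state against the configured
# security_feature option. Not product code; sysfs path is a parameter so
# the functions can be tested on constructed files.

# Extract the security_feature value from captured 'system show' output (stdin).
security_feature_from_show() {
    awk -F'|' '$2 ~ /security_feature/ { gsub(/ /, "", $3); print $3 }'
}

# sysfs entries (and the CVEs they correspond to) that each documented
# option is expected to cover, per the options table.
expected_entries() {
    case "$1" in
        spectre_meltdown_v1)  echo "spectre_v1:CVE-2017-5753" ;;
        spectre_meltdown_all) echo "spectre_v1:CVE-2017-5753 spectre_v2:CVE-2017-5715 meltdown:CVE-2017-5754" ;;
        *) echo "unknown security_feature: $1" >&2; return 1 ;;
    esac
}

# verify_mitigations <security_feature> [vuln_dir]
# Prints one line per expected entry; returns 0 only if all report a mitigation.
verify_mitigations() {
    feature="$1"
    vuln_dir="${2:-/sys/devices/system/cpu/vulnerabilities}"
    entries=$(expected_entries "$feature") || return 2
    rc=0
    for entry in $entries; do
        name="${entry%%:*}"; cve="${entry##*:}"
        if [ -r "$vuln_dir/$name" ]; then
            status=$(cat "$vuln_dir/$name")
        else
            status="unknown (missing $vuln_dir/$name)"
        fi
        # The kernel reports "Mitigation: ...", "Not affected" or "Vulnerable...".
        case "$status" in
            Mitigation:*|"Not affected") verdict=ok ;;
            *) verdict=FAIL; rc=1 ;;
        esac
        printf '%-4s %-10s %-13s %s\n' "$verdict" "$name" "$cve" "$status"
    done
    return $rc
}

# On a real host (sysfs readable): sh check.sh --check spectre_meltdown_all
if [ "${1-}" = "--check" ]; then
    verify_mitigations "${2:-spectre_meltdown_all}"
fi
```

A non-zero exit after the reboot means at least one expected entry still reads as vulnerable, which on Spectre v2 usually points at the missing firmware or BIOS update mentioned in the overview.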