Chapter 3. Important Changes to External Kernel Parameters
This chapter provides system administrators with a summary of significant changes in the kernel shipped with Red Hat Enterprise Linux 7.6. These changes include added or updated proc entries, sysctl and sysfs default values, boot parameters, kernel configuration options, or any noticeable behavior changes.
Kernel parameters
- hardened_usercopy = [KNL]
- This parameter specifies whether hardening is enabled (default) or not enabled for the boot. Hardened usercopy checking is used to protect the kernel from reading or writing beyond known memory allocation boundaries as a proactive defense against bounds-checking flaws in the kernel's copy_to_user()/copy_from_user() interface. The valid settings are: on, off.
  - on – Perform hardened usercopy checks (default).
  - off – Disable hardened usercopy checks.
- no-vmw-sched-clock [X86,PV_OPS]
- Disables the paravirtualized VMware scheduler clock and uses the default one.
- rdt = [HW,X86,RDT]
- Turns on or off individual RDT features. Available features are: cmt, mbmtotal, mbmlocal, l3cat, l3cdp, l2cat, l2cdp, mba. For example, to turn on cmt and turn off mba, use: rdt=cmt,!mba
- nospec_store_bypass_disable [HW]
- Disables all mitigations for the Speculative Store Bypass vulnerability. For more in-depth information about the Speculative Store Bypass (SSB) vulnerability, see Kernel Side-Channel Attack using Speculative Store Bypass - CVE-2018-3639.
- spec_store_bypass_disable = [HW]
- Certain CPUs are vulnerable to an exploit against a common industry-wide performance optimization known as Speculative Store Bypass. In such cases, recent stores to the same memory location cannot always be observed by later loads during speculative execution. However, such stores are unlikely and thus they can be detected prior to instruction retirement at the end of a particular speculation execution window. In vulnerable processors, the speculatively forwarded store can be used in a cache side-channel attack. An example of this is reading memory to which the attacker does not directly have access, for example from inside sandboxed code. This parameter controls whether the Speculative Store Bypass (SSB) optimization is disabled in order to mitigate the SSB vulnerability. Possible values are:
  - on – Unconditionally disable SSB.
  - off – Unconditionally enable SSB.
  - auto – The kernel detects whether the CPU model contains an implementation of SSB and selects the most appropriate mitigation.
  - prctl – Controls SSB for a thread using prctl. SSB is enabled for a process by default. The state of the control is inherited on fork.
  Not specifying this option is equivalent to spec_store_bypass_disable=auto. For more in-depth information about the Speculative Store Bypass (SSB) vulnerability, see Kernel Side-Channel Attack using Speculative Store Bypass - CVE-2018-3639.
- nmi_watchdog = [KNL,BUGS=X86]
- These settings can now be accessed at runtime with the use of the nmi_watchdog and hardlockup_panic sysctls.
New and updated /proc/sys/kernel/ entries
- hardlockup_panic
- This parameter controls whether the kernel panics if a hard lockup is detected. Possible values are:
  - 0 – Do not panic on hard lockup.
  - 1 – Panic on hard lockup.
  This can also be set using the nmi_watchdog kernel parameter.
- perf_event_mlock_kb
- Controls the size of the per-CPU ring buffer that is not counted against the mlock limit. The default value is 512 + 1 page.
- perf_event_paranoid
- Controls use of the performance events system by unprivileged users (without CAP_SYS_ADMIN). The default value is 2. Possible values are:
  - -1 – Allow use of the majority of events by all users.
  - >=0 – Disallow ftrace function tracepoint and raw tracepoint access by users without CAP_SYS_ADMIN.
  - >=1 – Disallow CPU event access by users without CAP_SYS_ADMIN.
  - >=2 – Disallow kernel profiling by users without CAP_SYS_ADMIN.
New /proc/sys/net/core entries
- bpf_jit_harden
- Enables hardening for the Berkeley Packet Filter (BPF) Just-in-Time (JIT) compiler. Extended Berkeley Packet Filter (eBPF) JIT backends are supported. Enabling hardening trades off performance, but can mitigate JIT spraying. Possible values are:
  - 0 – Disable JIT hardening (default value).
  - 1 – Enable JIT hardening for unprivileged users only.
  - 2 – Enable JIT hardening for all users.
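As an added example that is not part of these release notes, the following POSIX shell script resolves the effective state of the parameters described in this chapter: it reads key=value boot parameters from the kernel command line (applying the documented defaults of hardened_usercopy=on and spec_store_bypass_disable=auto, and treating nospec_store_bypass_disable as off), expands an rdt= list such as rdt=cmt,!mba, maps a perf_event_paranoid value to what it denies, and, when run with the argument live, reports the current host from /proc. The function names and the live argument are this example's own choices.

```shell
# Added example, not from the Red Hat release notes: resolve the effective state of
# the knobs this chapter lists. Helpers take arguments so they run offline.
# cmdline_param CMDLINE KEY DEFAULT: value of KEY=... in CMDLINE, or DEFAULT when absent.
cmdline_param() {
    for tok in $1; do
        case $tok in
            "$2"=*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    printf '%s\n' "$3"
}
# Effective SSB setting: nospec_store_bypass_disable disables all mitigations (off);
# an absent spec_store_bypass_disable is documented as equivalent to auto.
ssb_setting() {
    case " $1 " in
        *" nospec_store_bypass_disable "*) echo off ;;
        *) cmdline_param "$1" spec_store_bypass_disable auto ;;
    esac
}
# State of one RDT feature under an rdt= value such as "cmt,!mba":
# on, off, or default when the feature is not listed.
rdt_feature_state() {
    feature=$2
    IFS=,; set -- $1; unset IFS
    for item; do
        [ "$item" = "$feature" ] && { echo on; return 0; }
        [ "$item" = "!$feature" ] && { echo off; return 0; }
    done
    echo default
}
# What perf_event_paranoid denies to users lacking CAP_SYS_ADMIN; the thresholds stack.
perf_paranoid_describe() {
    if   [ "$1" -le -1 ]; then echo "most events allowed for all users"
    elif [ "$1" -eq 0 ];  then echo "ftrace and raw tracepoints denied"
    elif [ "$1" -eq 1 ];  then echo "tracepoints and CPU events denied"
    else echo "tracepoints, CPU events and kernel profiling denied"
    fi
}
# Live report for a RHEL 7.6 host; run as: sh audit.sh live
audit_live() {
    cl=$(cat /proc/cmdline) || return 1
    echo "hardened_usercopy=$(cmdline_param "$cl" hardened_usercopy on)"
    echo "spec_store_bypass_disable=$(ssb_setting "$cl")"
    for f in kernel/perf_event_paranoid kernel/hardlockup_panic net/core/bpf_jit_harden; do
        if [ -r "/proc/sys/$f" ]; then echo "$f=$(cat "/proc/sys/$f")"; fi
    done
    perf_paranoid_describe "$(cat /proc/sys/kernel/perf_event_paranoid)"
}
case ${1:-} in live) audit_live ;; esac
```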