Chapter 3. Important Changes to External Kernel Parameters
This chapter provides system administrators with a summary of significant changes in the kernel shipped with Red Hat Enterprise Linux 7.7. These changes include added or updated proc
entries, sysctl
, and sysfs
default values, boot parameters, kernel configuration options, or any noticeable behavior changes.
New kernel parameters
- usbcore.quirks = [USB]
This parameter provides a list of quirk entries to augment the built-in usb core quirk list.
The entries are separated by commas. Each entry has the form
VendorID:ProductID:Flags
.The
IDs
are 4-digit hex numbers andFlags
is a set of letters. Each letter will change the built-in quirk; setting it if it is clear and clearing it if it is set. The letters have the following meanings:-
a =
USB_QUIRK_STRING_FETCH_255
(string descriptors must not be fetched using a 255-byte read); -
b =
USB_QUIRK_RESET_RESUME
(device cannot resume correctly so reset it instead); -
c =
USB_QUIRK_NO_SET_INTF
(device cannot handle Set-Interface requests); -
d =
USB_QUIRK_CONFIG_INTF_STRINGS
(device cannot handle its Configuration or Interface strings); -
e =
USB_QUIRK_RESET
(device cannot be reset (e.g morph devices), do not use reset); -
f =
USB_QUIRK_HONOR_BNUMINTERFACES
(device has more interface descriptions than thebNumInterfaces
count, and cannot handle talking to these interfaces); -
g =
USB_QUIRK_DELAY_INIT
(device needs a pause during initialization, after we read the device descriptor); -
h =
USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL
(For high speed and super speed interrupt endpoints, the USB 2.0 and USB 3.0 spec require the interval in microframes (1 microframe = 125 microseconds) to be calculated as interval = 2 ^ (bInterval
-1). Devices with this quirk report theirbInterval
as the result of this calculation instead of the exponent variable used in the calculation); -
i =
USB_QUIRK_DEVICE_QUALIFIER
(device cannot handle device_qualifier descriptor requests); -
j =
USB_QUIRK_IGNORE_REMOTE_WAKEUP
(device generates spurious wakeup, ignore remote wakeup capability); -
k =
USB_QUIRK_NO_LPM
(device cannot handle Link Power Management); -
l =
USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL
(Device reports itsbInterval
as linear frames instead of the USB 2.0 calculation); -
m =
USB_QUIRK_DISCONNECT_SUSPEND
(Device needs to be disconnected before suspend to prevent spurious wakeup); n =
USB_QUIRK_DELAY_CTRL_MSG
(Device needs a pause after every control message);The example entry:
quirks=0781:5580:bk,0a5c:5834:gij
-
a =
- ppc_tm = [PPC]
Disables Hardware Transactional Memory.
Format: {"off"}
- cgroup.memory = [KNL]
Passes options to the cgroup memory controller.
Format: <string>
nokmem
— This option disables kernel memory accounting.- mds = [X86,INTEL]
Controls mitigation for the Micro-architectural Data Sampling (MDS) vulnerability.
Certain CPUs are vulnerable to an exploit against CPU internal buffers which can forward information to a disclosure gadget under certain conditions.
In vulnerable processors, the speculatively forwarded data can be used in a cache side channel attack, to access data to which the attacker does not have direct access.
The options are:
-
full
- Enable MDS mitigation on vulnerable CPUs. -
full,nosmt
- Enable MDS mitigation and disable Simultaneous multithreading (SMT) on vulnerable CPUs. off
- Unconditionally disable MDS mitigation.Not specifying this option is equivalent to
mds=full
.
-
- mitigations = [X86,PPC,S390]
Controls optional mitigations for CPU vulnerabilities. This is a set of curated, arch-independent options, each of which is an aggregation of existing arch-specific options.
The options are:
off
- Disable all optional CPU mitigations. This improves system performance, but it may also expose users to several CPU vulnerabilities.Equivalent to:
-
nopti [X86,PPC]
-
nospectre_v1 [PPC]
-
nobp=0 [S390]
-
nospectre_v2 [X86,PPC,S390]
-
spec_store_bypass_disable=off [X86,PPC]
-
l1tf=off [X86]
-
mds=off [X86]
-
auto
(default) - Mitigate all CPU vulnerabilities, but leave Simultaneous multithreading (SMT) enabled, even if it’s vulnerable. This is for users who do not want to be surprised by SMT getting disabled across kernel upgrades, or who have other ways of avoiding SMT-based attacks.Equivalent to:
- (default behavior)
auto,nosmt
- Mitigate all CPU vulnerabilities, disabling Simultaneous multithreading (SMT) if needed. This is for users who always want to be fully mitigated, even if it means losing SMT.Equivalent to:
-
l1tf=flush,nosmt [X86]
-
mds=full,nosmt [X86]
-
- watchdog_thresh = [KNL]
Sets the hard lockup detector stall duration threshold in seconds.
The soft lockup detector threshold is set to twice the value.
A value of 0 disables both lockup detectors. Default is 10 seconds.
- novmcoredd [KNL,KDUMP]
Disables device dump. The device dump allows drivers to append dump data to vmcore so you can collect driver specified debug info.
Drivers can append the data without any limit and this data is stored in memory, so this may cause significant memory stress.
Disabling device dump can help save memory but the driver debug data will be no longer available.
This parameter is only available when
CONFIG_PROC_VMCORE_DEVICE_DUMP
is set.
Updated kernel parameters
- resource_alignment
Specifies alignment and device to reassign aligned memory resources.
Format:
-
[<order of align>@][<domain>:]<bus>:<slot>.<func>[; …]
-
[<order of align>@]pci:<vendor>:<device>\[:<subvendor>:<subdevice>][; …]
-
If <order of align>
is not specified, PAGE_SIZE is used as alignment. PCI-PCI bridge can be specified, if resource windows need to be expanded.
- irqaffinity = [SMP]
Sets the default irq affinity mask.
Format:
-
<cpu number>,…,<cpu number>
-
<cpu number>-<cpu number>
- drivers (must be a positive range in ascending order)
mixture
<cpu number>,…,<cpu number>-<cpu number>
Drivers will use drivers' affinity masks for default interrupt assignment instead of placing them all on CPU0.
-
The options are:
auto
(default) - Mitigate all CPU vulnerabilities, but leave Simultaneous multithreading (SMT) enabled, even if it is vulnerable. This is for users who do not want to be surprised by SMT getting disabled across kernel upgrades, or who have other ways of avoiding SMT-based attacks.Equivalent to: (default behavior)
auto,nosmt
- Mitigate all CPU vulnerabilities, disabling Simultaneous multithreading (SMT) if needed. This is for users who always want to be fully mitigated, even if it means losing SMT.Equivalent to:
-
l1tf=flush,nosmt [X86]
-
mds=full,nosmt [X86]
-
New /proc/sys/net/core parameters
- bpf_jit_kallsyms
If Berkeley Packet Filter Just in Time compiler is enabled, the compiled images are unknown addresses to the kernel. It means they neither show up in traces nor in the
/proc/kallsyms
file. This enables export of these addresses, which can be used for debugging/tracing. If thebpf_jit_harden
parameter is enabled, this feature is disabled.Possible values are:
0
– Disable Just in Time (JIT)kallsyms
export (default value).1
– Enable Just in Time (JIT)kallsyms
export for privileged users only.
Updated /proc/sys/fs parameters
- dentry-state
Dentries are dynamically allocated and deallocated.
From
linux/include/linux/dcache.h
:struct dentry_stat_t dentry_stat { int nr_dentry; int nr_unused; int age_limit; (age in seconds) int want_pages; (pages requested by system) int nr_negative; (# of unused negative dentries) int dummy; (Reserved for future use) };
The
nr_dentry
number shows the total number of dentries allocated (active + unused).The
nr_unused
number shows the number of dentries that are not actively used, but are saved in the least recently used (LRU) list for future reuse.The
age_limit
number is the age in seconds after whichdcache
entries can be reclaimed when memory is short and thewant_pages
number is nonzero when theshrink_dcache_pages()
function has been called and thedcache
is not pruned yet.The
nr_negative
number shows the number of unused dentries that are also negative dentries which do not map to any files. Instead, they help speeding up rejection of non-existing files provided by the users.