Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 5. Important changes to external kernel parameters
This chapter provides system administrators with a summary of significant changes in the kernel distributed with Red Hat Enterprise Linux 9.8. These changes could include, for example, added or updated proc entries, sysctl, and sysfs default values, boot parameters, kernel configuration options, or any noticeable behavior changes.
New kernel parameters
arm64.nompam=
[ARM64]
Disable Memory Partitioning and Monitoring (MPAM) support on systems that support MPAM but do not enable it in firmware.
cgroup_v1_proc=
[KNL]
Show missing controllers in /proc/cgroups.
Format: { "true" | "false" }
By default, /proc/cgroups lists only cgroup v1 controllers. This compatibility option also lists v2 controllers (whose v1 code is not compiled) so that semi-legacy software can use this file to decide whether to use v2 controllers.
initramfs_options=
[KNL]
Specify mount options for the initramfs mount.
nvme.quirks=
[NVME]
Extend the built-in NVMe quirk list.
Format: VendorID:ProductID:quirk_names[-VendorID:ProductID:quirk_names…]
The IDs are 4-digit hexadecimal numbers. The quirk_names field is a comma-separated list of quirk names. Prefix a quirk name with ^ to disable the specified quirk.
For example:
nvme.quirks=7710:2267:bogus_nid,^identify_cns-9900:7711:broken_msi
rh_waived=
[KNL]
Control waived items in Red Hat Enterprise Linux.
Some features or security mitigations can be waived and toggled on or off on demand. Waive these items only when necessary, because this can make the system insecure or out of support scope.
Format: <item-1>,<item-2>…<item-n>
Use rh_waived to enable all waived features that Documentation/admin-guide/rh-waived-features.rst lists.
vmscape=
[X86]
Control mitigation for VMscape attacks.
VMscape attacks can leak information from a user space hypervisor to a guest by using speculative side channels.
Possible values:
off- Disable the mitigation.
ibpb- Use the Indirect Branch Prediction Barrier (IBPB) mitigation (default).
force- Force vulnerability detection even on processors that are not otherwise affected.
Changed kernel parameters
microcode=
[X86]
Control the behavior of the microcode loader.
You can specify the following options as a comma-separated list:
base_rev=X-
Set the base microcode revision of each thread in debug mode, where
<X>is a 32-bit unsigned integer. dis_ucode_ldr- Disable the microcode loader.
force_minrev- Control minimal microcode revision enforcement for the runtime microcode loader.
mitigations=
[X86,PPC,S390,ARM64]
Control optional mitigations for CPU vulnerabilities.
This kernel parameter is a set of curated, architecture-independent options. Each option aggregates architecture-specific parameters.
The mitigations parameter is available only if the kernel is built with CPU_MITIGATIONS=y.
Possible values:
offDisable all optional CPU mitigations. This setting can improve system performance but can expose users to several CPU vulnerabilities. This setting is equivalent to the following:
If
nokaslris set:-
kpti=0on ARM64
The following settings always apply:
-
gather_data_sampling=offon x86 -
indirect_target_selection=offon x86 -
kvm.nx_huge_pages=offon x86 -
l1tf=offon x86 -
mds=offon x86 -
mmio_stale_data=offon x86 -
no_entry_flushon PowerPC -
no_uaccess_flushon PowerPC -
nobp=0on IBM Z -
noption x86 and PowerPC -
nospectre_bhbon ARM64 -
nospectre_v1on x86 and PowerPC -
nospectre_v2on x86, PowerPC, IBM Z, and ARM64 -
reg_file_data_sampling=offon x86 -
retbleed=offon x86 -
spec_rstack_overflow=offon x86 -
spec_store_bypass_disable=offon x86 and PowerPC -
spectre_bhi=offon x86 -
spectre_v2_user=offon x86 -
srbds=offon x86 and Intel -
ssbd=force-offon ARM64 -
tsx_async_abort=offon x86 -
vmscape=offon x86
-
- Exceptions
-
This setting does not affect
kvm.nx_huge_pageswhenkvm.nx_huge_pages=force. auto(default)- Mitigate all CPU vulnerabilities and keep simultaneous multithreading (SMT) enabled, even if it is vulnerable. Use this option if you do not want SMT to be disabled across kernel updates or you rely on other methods to avoid attacks that target SMT. This setting is the default behavior.
auto,nosmtMitigate all CPU vulnerabilities and disable SMT if needed. Use this option if you always want full mitigation, even if this requires disabling SMT. On x86, this setting is equivalent to the following:
-
l1tf=flush,nosmt -
mds=full,nosmt -
tsx_async_abort=full,nosmt -
mmio_stale_data=full,nosmt -
retbleed=auto,nosmt
-
On x86, after you specify one of the preceding options, you can also use attack-vector-based controls as described in Documentation/admin-guide/hw-vuln/attack_vector_controls.rst.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}