16 changes: 8 additions & 8 deletions docs/configs.tsv
Expand Up @@ -67,11 +67,11 @@ Locking, debug: RT mutexes CONFIG_WW_MUTEX_SELFTEST Y Wait/wound mutext selfte
Locking, debug: RT mutexes CONFIG_RCU_TORTURE_TEST Y Torture tests for RCU The kernel module may be built after the fact on the running kernel to be tested, if desired. 2.6.15-2.6.39, 3.0-3.19, 4.0–4.20, 5.0–5.17 link
Locking, debug: RT mutexes CONFIG_DEBUG_ATOMIC_SLEEP Y Check sleep inside atomic section. 3.1–3.19, 4.0–4.20, 5.0–5.17 link
Locking, debug: RT mutexes CONFIG_SIGNALFD Y Allows signals to be received on a file descriptor fixes signal race conditions. pidfd_send_signal() enables signaling a process through a pidfd to eliminate the PID wrap resulting in sending signals to a wrong process. 2.6.22–2.6.39, 3.0–3.19, 4.0–4.20, 5.0–5.17 link
Branch Target Buffer: Side Channel Attacks CONFIG_PAGE_TABLE_ISOLATION Y CONFIG_PAGE_TABLE_ISOLATION mode enableds _pgd_alloc() alloc 8kb, two page tables at a time, of not configured, 4kb, one page table is alloced at a time. whether the arch is vulnerable to meltdown alike attacks Anlaysis for attack interfaces and whether they are vulnerable to meltdown attacks to decide whether to enable this configuration. link
Branch Target Buffer: Side Channel Attacks CONFIG_RETPOLINE Y BTB stores some parts of the bits of PC, not the full bits of PC. Using this primitive, an attacker is able to inject an indirect branch target into the BTB, and consequently run some codes in a speculative context. It can leak a sensitive data across some boundaries. (e.g. between VMs, Processes, ...) The attack is called Spectre Variant2. and retpoline has been introducted to stop the attack. Anlaysis for architectures (AMD is not known to this till now, however this situation might change in future) and whether they are vulnerable to Spectre Variant2 attacks to decide whether to enable this configuration. link
Branch Target Buffer: Side Channel Attacks UNMAP_KERNEL_AT_EL0 Supported by ARM only Y Unmap kernel when running in userspace (aka \"KAISER\") Consider this when design and use ARM CPU. link
Branch Target Buffer: Side Channel Attacks HARDEN_BRANCH_PREDICTOR Y Harden the branch predictor against aliasing attacks Anlaysis for architectures (AMD is not known to this till now, however this situation might change in future) and whether they are vulnerable to Spectre Variant2 attacks to decide whether to enable this configuration. link
Branch Target Buffer: Side Channel Attacks HARDEN_EL2_VECTORS Y Harden EL2 vector mapping against system register leak Anlaysis for architectures (AMD is not known to this till now, however this situation might change in future) and whether they are vulnerable to Spectre Variant2 attacks to decide whether to enable this configuration. link
Branch Target Buffer: Side Channel Attacks ARM64_SSBD Supported by ARM only Y Speculative Store Bypass Disable Anlaysis for architectures (AMD is not known to this till now, however this situation might change in future) and whether they are vulnerable to Spectre Variant2 attacks to decide whether to enable this configuration. link
Branch Target Buffer: Side Channel Attacks CONFIG_BPF_UNPRIV_DEFAULT_OFF N Disable unprivileged BPF by default Based on whether the system is locked down, and if there are unprevileged BPF code allowed. link
Live Patch LIVEPATCH DYNAMIC_FTRACE_WITH_REGS || DYNAMIC_FTRACE_WITH_ARGS, MODULES, SYSFS, KALLSYMS_ALL, HAVE_LIVEPATCH, !TRIM_UNUSED_KSYMS N Livepatch is a feature that applies kernel patches without any system reboot For safety concern, N for default, because we don't know if the patch is secure or not, if the patch is from a trusted source, and we need to have full knowlege of the patch to enabled this. If enabled, we need a syslog for what are introduced by the new patch. link
Memory: Branch Target Buffer: Side Channel Attacks CONFIG_PAGE_TABLE_ISOLATION Y CONFIG_PAGE_TABLE_ISOLATION mode enableds _pgd_alloc() alloc 8kb, two page tables at a time, of not configured, 4kb, one page table is alloced at a time. whether the arch is vulnerable to meltdown alike attacks Anlaysis for attack interfaces and whether they are vulnerable to meltdown attacks to decide whether to enable this configuration. link
Memory: Branch Target Buffer: Side Channel Attacks CONFIG_RETPOLINE Y BTB stores some parts of the bits of PC, not the full bits of PC. Using this primitive, an attacker is able to inject an indirect branch target into the BTB, and consequently run some codes in a speculative context. It can leak a sensitive data across some boundaries. (e.g. between VMs, Processes, ...) The attack is called Spectre Variant2. and retpoline has been introducted to stop the attack. Anlaysis for architectures (AMD is not known to this till now, however this situation might change in future) and whether they are vulnerable to Spectre Variant2 attacks to decide whether to enable this configuration. link
Memory: Branch Target Buffer: Side Channel Attacks UNMAP_KERNEL_AT_EL0 Supported by ARM only Y Unmap kernel when running in userspace (aka \"KAISER\") Consider this when design and use ARM CPU. link
Memory: Branch Target Buffer: Side Channel Attacks HARDEN_BRANCH_PREDICTOR Y Harden the branch predictor against aliasing attacks Anlaysis for architectures (AMD is not known to this till now, however this situation might change in future) and whether they are vulnerable to Spectre Variant2 attacks to decide whether to enable this configuration. link
Memory: Branch Target Buffer: Side Channel Attacks HARDEN_EL2_VECTORS Y Harden EL2 vector mapping against system register leak Anlaysis for architectures (AMD is not known to this till now, however this situation might change in future) and whether they are vulnerable to Spectre Variant2 attacks to decide whether to enable this configuration. link
Memory: Branch Target Buffer: Side Channel Attacks ARM64_SSBD Supported by ARM only Y Speculative Store Bypass Disable Anlaysis for architectures (AMD is not known to this till now, however this situation might change in future) and whether they are vulnerable to Spectre Variant2 attacks to decide whether to enable this configuration. link
Memory: Branch Target Buffer: Side Channel Attacks CONFIG_BPF_UNPRIV_DEFAULT_OFF N Disable unprivileged BPF by default Based on whether the system is locked down, and if there are unprevileged BPF code allowed. link
Code integrity: Live Patch LIVEPATCH DYNAMIC_FTRACE_WITH_REGS || DYNAMIC_FTRACE_WITH_ARGS, MODULES, SYSFS, KALLSYMS_ALL, HAVE_LIVEPATCH, !TRIM_UNUSED_KSYMS N Livepatch is a feature that applies kernel patches without any system reboot For safety concern, N for default, because we don't know if the patch is secure or not, if the patch is from a trusted source, and we need to have full knowlege of the patch to enabled this. If enabled, we need a syslog for what are introduced by the new patch. link
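Review bot: the eight replaced rows only re-prefix the category column ("Memory: ..." and "Code integrity: ...") and carry every defect of the old rows forward unchanged, most seriously the rationale text that was copied verbatim from the CONFIG_RETPOLINE row onto the three arm64-only entries. "Anlaysis for architectures (AMD is not known to this till now ...) and whether they are vulnerable to Spectre Variant2 attacks" is pasted onto HARDEN_BRANCH_PREDICTOR, HARDEN_EL2_VECTORS and ARM64_SSBD, where it does not apply: an AMD caveat is meaningless for options that exist only on arm64, and ARM64_SSBD is described in its own description column as "Speculative Store Bypass Disable", which is not the Spectre Variant 2 mitigation the rationale talks about; HARDEN_EL2_VECTORS is likewise described as mitigating a "system register leak", not branch-target injection. Since these lines are being rewritten anyway, each of those three rows should get a rationale that matches its own description (Spectre v2 for HARDEN_BRANCH_PREDICTOR, the EL2 vector leak for HARDEN_EL2_VECTORS, Speculative Store Bypass for ARM64_SSBD). The same rows also have a column-alignment problem: "Supported by ARM only" appears as an extra field on UNMAP_KERNEL_AT_EL0 and ARM64_SSBD but not on HARDEN_BRANCH_PREDICTOR and HARDEN_EL2_VECTORS, which are arm64 options too, and the LIVEPATCH row puts its dependency list in that same position, so the Y/N column is not in a fixed position across rows of a TSV. Smaller points in the rewritten lines that are worth fixing in the same change: the CONFIG_PAGE_TABLE_ISOLATION row mixes an implementation detail ("_pgd_alloc() alloc 8kb ... of not configured, 4kb") into the description instead of stating what PTI does, and has "enableds" and "of not configured" for "enables" and "if not configured"; "Anlaysis", "introducted", "unprevileged" and "knowlege" are misspelled; the arm64 option names and LIVEPATCH lack the CONFIG_ prefix used elsewhere in the file; and the kernel version-range column that the RT-mutex context rows carry is empty for all eight rows.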