|
 |
07cb6b |
From 32ecdb4e8ccccf07acd8c6c82a3676ec15647b4a Mon Sep 17 00:00:00 2001
|
|
|
07cb6b |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
07cb6b |
Date: Wed, 16 Feb 2022 14:02:45 +0100
|
|
|
07cb6b |
Subject: [PATCH 1/3] add grub2 variant
|
|
|
07cb6b |
|
|
|
07cb6b |
---
|
|
|
07cb6b |
.../rule.yml | 40 +++++++++++++++++++
|
|
|
07cb6b |
2 files changed, 40 insertions(+), 1 deletion(-)
|
|
|
07cb6b |
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml
|
|
|
07cb6b |
|
|
|
07cb6b |
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml
|
|
|
07cb6b |
new file mode 100644
|
|
|
07cb6b |
index 00000000000..3d0c8b95d8a
|
|
|
07cb6b |
--- /dev/null
|
|
|
07cb6b |
+++ b/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml
|
|
|
07cb6b |
@@ -0,0 +1,40 @@
|
|
|
07cb6b |
+documentation_complete: true
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+prodtype: rhel9
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+title: 'Enable randomization of the page allocator'
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+description: |-
|
|
|
07cb6b |
+ To enable randomization of the page allocator in the kernel, add the
|
|
|
07cb6b |
+ <tt>page_alloc.shuffle=1</tt> argument to the default GRUB 2 command line.
|
|
|
07cb6b |
+ {{{ describe_grub2_argument("page_alloc.shuffle=1") | indent(4) }}}
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+rationale: |-
|
|
|
07cb6b |
+ The <tt>CONFIG_SHUFFLE_PAGE_ALLOCATOR</tt> config option is primarily
|
|
|
07cb6b |
+ focused on improving the average utilization of a direct-mapped
|
|
|
07cb6b |
+ memory-side-cache. Aside of this performance effect, it also reduces
|
|
|
07cb6b |
+ predictability of page allocations in situations when the bad actor can
|
|
|
07cb6b |
+ crash the system and somehow leverage knowledge of (page) allocation order
|
|
|
07cb6b |
+ right after a fresh reboot, or can control the timing between a
|
|
|
07cb6b |
+ hot-pluggable memory node (as in NUMA node) and applications allocating
|
|
|
07cb6b |
+ memory ouf of that node. The <tt>page_alloc.shuffle=1</tt> kernel command
|
|
|
07cb6b |
+ line parameter then forces this functionality irrespectively of memory cache
|
|
|
07cb6b |
+ architecture.
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+severity: medium
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+identifiers:
|
|
|
07cb6b |
+ cce@rhel9: CCE-85879-5
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+ocil_clause: 'randomization of the page allocator is not enabled in the kernel'
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+ocil: |-
|
|
|
07cb6b |
+ {{{ ocil_grub2_argument("page_alloc.shuffle=1") | indent(4) }}}
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+platform: machine
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+template:
|
|
|
07cb6b |
+ name: grub2_bootloader_argument
|
|
|
07cb6b |
+ vars:
|
|
|
07cb6b |
+ arg_name: page_alloc.shuffle
|
|
|
07cb6b |
+ arg_value: '1'
|
|
|
07cb6b |
|
|
|
07cb6b |
From ccd4bee3bec201cdee883c662056fc408b2d88ad Mon Sep 17 00:00:00 2001
|
|
|
07cb6b |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
07cb6b |
Date: Wed, 16 Feb 2022 14:20:59 +0100
|
|
|
07cb6b |
Subject: [PATCH 2/3] add zipl variant
|
|
|
07cb6b |
|
|
|
07cb6b |
---
|
|
|
07cb6b |
.../zipl_page_alloc_shuffle_argument/rule.yml | 46 +++++++++++++++++++
|
|
|
07cb6b |
2 files changed, 46 insertions(+), 1 deletion(-)
|
|
|
07cb6b |
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml
|
|
|
07cb6b |
|
|
|
07cb6b |
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml
|
|
|
07cb6b |
new file mode 100644
|
|
|
07cb6b |
index 00000000000..5179b19fcc0
|
|
|
07cb6b |
--- /dev/null
|
|
|
07cb6b |
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml
|
|
|
07cb6b |
@@ -0,0 +1,46 @@
|
|
|
07cb6b |
+documentation_complete: true
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+prodtype: rhel9
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+title: 'Enable randomization of the page allocator in zIPL'
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+description: |-
|
|
|
07cb6b |
+ To enable the randomization of the page allocator in the kernel, check that
|
|
|
07cb6b |
+ all boot entries in <tt>/boot/loader/entries/*.conf</tt> have
|
|
|
07cb6b |
+ <tt>page_alloc.shuffle=1</tt> included in its options.
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+ To enable randomization of the page allocator also for newly installed
|
|
|
07cb6b |
+ kernels, add <tt>page_alloc.shuffle=1</tt> to <tt>/etc/kernel/cmdline</tt>.
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+rationale: |-
|
|
|
07cb6b |
+ The <tt>CONFIG_SHUFFLE_PAGE_ALLOCATOR</tt> config option is primarily
|
|
|
07cb6b |
+ focused on improving the average utilization of a direct-mapped
|
|
|
07cb6b |
+ memory-side-cache. Aside of this performance effect, it also reduces
|
|
|
07cb6b |
+ predictability of page allocations in situations when the bad actor can
|
|
|
07cb6b |
+ crash the system and somehow leverage knowledge of (page) allocation order
|
|
|
07cb6b |
+ right after a fresh reboot, or can control the timing between a
|
|
|
07cb6b |
+ hot-pluggable memory node (as in NUMA node) and applications allocating
|
|
|
07cb6b |
+ memory ouf of that node. The <tt>page_alloc.shuffle=1</tt> kernel command
|
|
|
07cb6b |
+ line parameter then forces this functionality irrespectively of memory cache
|
|
|
07cb6b |
+ architecture.
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+severity: medium
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+identifiers:
|
|
|
07cb6b |
+ cce@rhel9: CCE-85880-3
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+ocil_clause: 'randomization of the page allocator is not enabled in the kernel'
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+ocil: |-
|
|
|
07cb6b |
+ To check that the randomization of the page allocator in the kernel is
|
|
|
07cb6b |
+ enabled, check all boot entries with following command:
|
|
|
07cb6b |
+ sudo grep -L"^options\s+.*\bpage_alloc\.shuffle=1\b" /boot/loader/entries/*.conf
|
|
|
07cb6b |
+ No line should be returned, each line returned is a boot entry that doesn't enable audit.
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+platform: machine
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+template:
|
|
|
07cb6b |
+ name: zipl_bls_entries_option
|
|
|
07cb6b |
+ vars:
|
|
|
07cb6b |
+ arg_name: page_alloc.shuffle
|
|
|
07cb6b |
+ arg_value: '1'
|
|
|
07cb6b |
|
|
|
07cb6b |
From 89671b0a5a69ccaf0a46ff1fc86db82fc822dda0 Mon Sep 17 00:00:00 2001
|
|
|
07cb6b |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
07cb6b |
Date: Wed, 16 Feb 2022 14:24:32 +0100
|
|
|
07cb6b |
Subject: [PATCH 3/3] add rules to rhel9 ospp profile
|
|
|
07cb6b |
|
|
|
07cb6b |
---
|
|
|
07cb6b |
products/rhel9/profiles/ospp.profile | 2 ++
|
|
|
07cb6b |
1 file changed, 2 insertions(+)
|
|
|
07cb6b |
|
|
|
07cb6b |
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
|
|
07cb6b |
index f25abd7e4c4..4bdf8d98b97 100644
|
|
|
07cb6b |
--- a/products/rhel9/profiles/ospp.profile
|
|
|
07cb6b |
+++ b/products/rhel9/profiles/ospp.profile
|
|
|
07cb6b |
@@ -126,6 +126,7 @@ selections:
|
|
|
07cb6b |
- grub2_audit_backlog_limit_argument
|
|
|
07cb6b |
- grub2_vsyscall_argument
|
|
|
07cb6b |
- grub2_init_on_alloc_argument
|
|
|
07cb6b |
+ - grub2_page_alloc_shuffle_argument
|
|
|
07cb6b |
|
|
|
07cb6b |
## Security Settings
|
|
|
07cb6b |
- sysctl_kernel_kptr_restrict
|
|
|
07cb6b |
@@ -409,3 +410,4 @@ selections:
|
|
|
07cb6b |
- zipl_audit_backlog_limit_argument
|
|
|
07cb6b |
- zipl_vsyscall_argument
|
|
|
07cb6b |
- zipl_init_on_alloc_argument
|
|
|
07cb6b |
+ - zipl_page_alloc_shuffle_argument
|