Boot parameters (side channel mitigations)

TUM-DSE / CVM_eval

Evaluation code for confidential virtual machines (AMD SEV-SNP / Intel TDX)

MIT License

3 stars 0 forks source link

Boot parameters (side channel mitigations) #29

Open mmisono opened 11 months ago

mmisono commented 11 months ago

Linux has several side channel mitigations (KPTI, spectre, L1F, ...). We should enable appropriate ones.

TODO

[x] List available mitigation
[x] Check Linux's default configuration
[ ] Determine which one should be enabled for evaluation

mmisono commented 11 months ago

I think the default behavior is

https://docs.kernel.org/admin-guide/kernel-parameters.html


mitigations=
[...]
                    auto (default)
                            Mitigate all CPU vulnerabilities, but leave SMT
                            enabled, even if it's vulnerable.  This is for
                            users who don't want to be surprised by SMT
                            getting disabled across kernel upgrades, or who
                            have other ways of avoiding SMT-based attacks.
                            Equivalent to: (default behavior)


And we disable hyperthreading in the BIOS, so the default parameter should be fine.