Chapter 3. Important Changes to External Kernel Parameters

This chapter provides system administrators with a summary of significant changes in the kernel shipped with Red Hat Enterprise Linux 7.5. These changes include added or updated proc entries, sysctl, and sysfs default values, boot parameters, kernel configuration options, or any noticeable behavior changes.

Kernel parameters

amd_iommu_intr = [HW,X86-64]
Specifies one of the following AMD IOMMU interrupt remapping modes:
legacy - Use legacy interrupt remapping mode.
vapic - Use virtual APIC mode, which allows the IOMMU to inject interrupts directly into the guest. This mode requires kvm-amd.avic=1, which is the default when IOMMU hardware support is present.
debug_pagealloc = [KNL]
When CONFIG_DEBUG_PAGEALLOC is set, this parameter enables the feature at boot time. It is disabled by default. To avoid allocating a huge chunk of memory for debug pagealloc, do not enable it at boot time; the operating system then works similarly to a kernel built without CONFIG_DEBUG_PAGEALLOC.
Use debug_pagealloc=on to enable the feature.
ftrace_graph_max_depth = uint[FTRACE]
This parameter is used with the function graph tracer. It defines the maximum depth to which the tracer will trace into a function. Its value can be changed at run time through the max_graph_depth file in the tracefs tracing directory.
The default value is 0, which means that no limit is set.
init_pkru = [x86]
Specifies the default memory protection keys rights register contents for all processes.
The default value is 0x55555554, which disallows access to all but pkey 0. You can override the value in the debugfs file system after boot.
nopku = [x86]
Disables the Memory Protection Keys CPU feature found in some Intel CPUs.
mem_encrypt = [X86-64]
Provides AMD Secure Memory Encryption (SME) control. The valid arguments are: on, off.
The default setting depends on kernel configuration option:
mem_encrypt=on: Activate SME
mem_encrypt=off: Do not activate SME

Kernel parameters to mitigate Spectre and Meltdown issues

kpti = [X86-64]
Enables kernel page table isolation.
nopti = [X86-64]
Disables kernel page table isolation.
nospectre_v2 = [X86]
Disables all mitigations for the Spectre variant 2 (indirect branch speculation) vulnerability. The operating system may allow data leaks with this option, which is equivalent to spectre_v2=off.
spectre_v2 = [X86]
Controls mitigation of Spectre variant 2 (indirect branch speculation) vulnerability.
The valid arguments are: on, off, auto.
on: unconditionally enable
off: unconditionally disable
auto: kernel detects whether your CPU model is vulnerable
Selecting on will, and auto may, choose a mitigation method at run time according to the CPU, the available microcode, the setting of the CONFIG_RETPOLINE configuration option, and the compiler with which the kernel was built.
You can also select specific mitigations manually:
retpoline: replaces indirect branches
ibrs: Intel: Indirect Branch Restricted Speculation (kernel)
ibrs_always: Intel: Indirect Branch Restricted Speculation (kernel and user space)
Not specifying this option is equivalent to spectre_v2=auto.
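
The following shell function is an added example, not part of the Red Hat documentation: it scans a kernel command line (for instance the contents of /proc/cmdline) for the parameters described above that disable kernel page table isolation or Spectre variant 2 mitigations. The function name audit_cmdline and the sample command line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Red Hat code): audit a kernel command line for the
# Meltdown/Spectre v2 parameters listed in this chapter.

# audit_cmdline "<kernel command line>"
# Prints one finding per line; exit status is 1 if a mitigation is disabled.
# The body runs in a subshell ( ... ) so that "set -f" stays local.
audit_cmdline() (
    set -f          # no pathname expansion while word-splitting the line
    rc=0
    seen_v2=0
    for arg in $1; do
        case "$arg" in
            nopti)
                echo "WEAK nopti: kernel page table isolation disabled"
                rc=1 ;;
            nospectre_v2|spectre_v2=off)
                echo "WEAK $arg: Spectre variant 2 mitigations disabled"
                rc=1; seen_v2=1 ;;
            spectre_v2=on|spectre_v2=auto|spectre_v2=retpoline|\
            spectre_v2=ibrs|spectre_v2=ibrs_always)
                echo "INFO $arg: Spectre variant 2 mitigation selected"
                seen_v2=1 ;;
            spectre_v2=*)
                echo "CHECK $arg: value not listed in this chapter"
                seen_v2=1 ;;
            kpti)
                echo "INFO kpti: kernel page table isolation enabled" ;;
        esac
    done
    if [ "$seen_v2" -eq 0 ]; then
        echo "INFO spectre_v2 not set: equivalent to spectre_v2=auto"
    fi
    exit "$rc"
)

# Constructed sample command line; on a live system pass "$(cat /proc/cmdline)".
SAMPLE_CMDLINE="BOOT_IMAGE=/vmlinuz-constructed root=/dev/mapper/rhel-root ro quiet nopti spectre_v2=off"
audit_cmdline "$SAMPLE_CMDLINE" || true
```

A non-zero exit status makes the function usable as a gate in configuration-compliance checks.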

Updated /proc/sys/net/core entries

RPS processing, for example RFS and aRFS, competes with the driver's registered NAPI poll function for the netdev_budget of each softirq cycle.
This parameter influences the proportion of the configured netdev_budget that is spent on RPS-based packet processing during RX softirq cycles. It also makes the current dev_weight adaptable to asymmetric CPU needs on the receiving and transmitting sides of the network stack.
This parameter is effective on a per-CPU basis. Determination is based on dev_weight, and it is calculated in a multiplicative way (dev_weight * dev_weight_rx_bias). The default value is 1.
This parameter scales the maximum number of packets that can be processed during a TX softirq cycle.
It is effective on a per-CPU basis, and allows scaling of the current dev_weight for asymmetric network stack processing needs. Make sure to avoid making TX softirq processing a CPU hog.
Determination is based on dev_weight, and it is calculated in a multiplicative way (dev_weight * dev_weight_rx_bias). The default value is 1.