Chapter 3. Important Changes to External Kernel Parameters

This chapter provides system administrators with a summary of significant changes in the kernel shipped with Red Hat Enterprise Linux 7.6. These changes include added or updated proc entries, sysctl, and sysfs default values, boot parameters, kernel configuration options, or any noticeable behavior changes.

Kernel parameters

hardened_usercopy = [KNL]
This parameter specifies whether hardened usercopy checking is enabled (the default) or disabled for this boot.
Hardened usercopy checking is used to protect the kernel from reading or writing beyond known memory allocation boundaries as a proactive defense against bounds-checking flaws in the kernel's copy_to_user()/copy_from_user() interface.
The valid settings are: on, off.
on – Perform hardened usercopy checks (default).
off – Disable hardened usercopy checks.
no-vmw-sched-clock [X86,PV_OPS]
Disables the paravirtualized VMware scheduler clock and uses the default one instead.
rdt = [HW,X86,RDT]
Turns on or off individual RDT features.
Available features are: cmt, mbmtotal, mbmlocal, l3cat, l3cdp, l2cat, l2cdp, mba.
For example, to turn on cmt and turn off mba, use:
rdt=cmt,!mba
nospec_store_bypass_disable [HW]
Disables all mitigations for the Speculative Store Bypass vulnerability.
For more in-depth information about the Speculative Store Bypass (SSB) vulnerability, see Kernel Side-Channel Attack using Speculative Store Bypass - CVE-2018-3639.
spec_store_bypass_disable = [HW]
Certain CPUs are vulnerable to an exploit against a common industry-wide performance optimization known as Speculative Store Bypass.
In such cases, recent stores to the same memory location cannot always be observed by later loads during speculative execution. However, such stores are unlikely and thus they can be detected prior to instruction retirement at the end of a particular speculation execution window.
In vulnerable processors, the speculatively forwarded store can be used in a cache side-channel attack. An example is reading memory to which the attacker does not have direct access, for example from inside sandboxed code.
This parameter controls whether the mitigation that disables the Speculative Store Bypass (SSB) optimization is used.
Possible values are:
on – Unconditionally disable SSB.
off – Unconditionally enable SSB.
auto – The kernel detects whether the CPU model implements SSB and selects the most appropriate mitigation.
prctl – Controls SSB for a thread using prctl. SSB is enabled for a process by default. The state of the control is inherited on fork.
Not specifying this option is equivalent to spec_store_bypass_disable=auto.
For more in-depth information about the Speculative Store Bypass (SSB) vulnerability, see Kernel Side-Channel Attack using Speculative Store Bypass - CVE-2018-3639.
nmi_watchdog = [KNL,BUGS=X86]
These settings can now also be changed at runtime through the nmi_watchdog and hardlockup_panic sysctls.

New and updated /proc/sys/kernel/ entries

hardlockup_panic
This parameter controls whether the kernel panics if a hard lockup is detected.
Possible values are:
0 – Do not panic on hard lockup.
1 – Panic on hard lockup.
This can also be set using the nmi_watchdog kernel parameter.
perf_event_mlock_kb
Controls the size of the per-CPU ring buffer that is not counted against the mlock limit.
The default value is 512 + 1 page.
perf_event_paranoid
Controls use of the performance events system by unprivileged users (without CAP_SYS_ADMIN).
The default value is 2.
Possible values are:
-1 – Allow use of the majority of events by all users.
>=0 – Disallow ftrace function tracepoint and raw tracepoint access by users without CAP_SYS_ADMIN.
>=1 – Disallow CPU event access by users without CAP_SYS_ADMIN.
>=2 – Disallow kernel profiling by users without CAP_SYS_ADMIN.

New /proc/sys/net/core entries

bpf_jit_harden
Enables hardening for the Berkeley Packet Filter (BPF) Just-in-Time (JIT) compiler.
This applies to Extended Berkeley Packet Filter (eBPF) JIT backends. Enabling hardening costs some performance, but can mitigate JIT spraying.
Possible values are:
0 – Disable JIT hardening (default value).
1 – Enable JIT hardening for unprivileged users only.
2 – Enable JIT hardening for all users.
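As an added example, not part of the Red Hat release notes, the following POSIX shell script reads the bpf_jit_harden and perf_event_paranoid sysctls described above together with the SSB status file the kernel exports under /sys/devices/system/cpu/vulnerabilities, and classifies each current value against the meanings listed on this page. The SYSCTL_ROOT and SYSFS_ROOT variables, the function names and the ok/partial/weak labels are the script's own assumptions, chosen so that a constructed directory tree can be checked offline.

```shell
# Added audit helper, not part of the Red Hat release notes. Reads the
# hardening sysctls described above plus the sysfs SSB status file and
# classifies each value; SYSCTL_ROOT/SYSFS_ROOT may point at a constructed
# tree for offline checks (assumed names, defaults are the live kernel).
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

read_file() {  # $1 = file; prints its first line, or "missing" if unreadable
    if [ -r "$1" ]; then head -n 1 "$1"; else echo missing; fi
}
is_int() { [ "$1" -eq "$1" ] 2>/dev/null; }

# bpf_jit_harden: 0 = off (default), 1 = unprivileged users only, 2 = everyone.
classify_bpf_jit_harden() {
    case "$1" in
        2) echo "ok: JIT hardening for all users" ;;
        1) echo "partial: JIT hardening for unprivileged users only" ;;
        0) echo "weak: JIT hardening disabled" ;;
        *) echo "unknown: $1" ;;
    esac
}

# perf_event_paranoid: each threshold (>=0, >=1, >=2) removes one more
# capability from users lacking CAP_SYS_ADMIN; -1 allows most events.
classify_perf_event_paranoid() {
    is_int "$1" || { echo "unknown: $1"; return; }
    if [ "$1" -ge 2 ]; then echo "ok: unprivileged kernel profiling denied"
    elif [ "$1" -ge 1 ]; then echo "partial: unprivileged CPU events denied"
    elif [ "$1" -ge 0 ]; then echo "partial: unprivileged tracepoints denied"
    else echo "weak: most events allowed for all users"; fi
}

# SSB status string as exported by the kernel under
# /sys/devices/system/cpu/vulnerabilities/spec_store_bypass.
classify_ssb() {
    case "$1" in
        "Not affected") echo "ok: CPU not affected" ;;
        Mitigation:*)   echo "ok: $1" ;;
        Vulnerable*)    echo "weak: $1 (see spec_store_bypass_disable=)" ;;
        *)              echo "unknown: $1" ;;
    esac
}

audit_kernel_hardening() {
    echo "bpf_jit_harden:      $(classify_bpf_jit_harden "$(read_file "$SYSCTL_ROOT/net/core/bpf_jit_harden")")"
    echo "perf_event_paranoid: $(classify_perf_event_paranoid "$(read_file "$SYSCTL_ROOT/kernel/perf_event_paranoid")")"
    echo "spec_store_bypass:   $(classify_ssb "$(read_file "$SYSFS_ROOT/devices/system/cpu/vulnerabilities/spec_store_bypass")")"
}
audit_kernel_hardening
```

Files that do not exist on the running kernel are reported as "unknown: missing" rather than aborting the audit.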