Chapter 3. Important Changes to External Kernel Parameters

This chapter provides system administrators with a summary of significant changes in the kernel shipped with Red Hat Enterprise Linux 7. These changes include added or updated proc entries, sysctl, and sysfs default values, boot parameters, kernel configuration options, or any noticeable behavior changes.

New kernel parameters

audit = [KNL]

This parameter enables the audit sub-system.

The value is either 1 (enabled) or 0 (disabled). By default the value is unset. The parameter itself is not new, but it was previously undocumented.

Format: { "0" | "1" }

audit_backlog_limit = [KNL]

This parameter sets the audit queue size limit.

The default value is 64.

Format: <int> (must be >=0)

ipcmni_extend [KNL]

This parameter extends the maximum number of unique System V IPC identifiers from 32 768 to 16 777 216.

nospectre_v1 [X86,PPC]

This parameter disables mitigations for Spectre Variant 1 (bounds check bypass).

With this option, data leaks are possible on the system.

tsx = [X86]

This parameter controls the Transactional Synchronization Extensions (TSX) feature on Intel processors that support TSX control.

The options are:

  • on - Enable TSX on the system. Although there are mitigations for all known security vulnerabilities, TSX has been known to be an accelerator for several previous speculation-related CVEs, and so there may be unknown security risks associated with leaving it enabled.
  • off - Disable TSX on the system. Note that this option takes effect only on newer CPUs which are not vulnerable to Microarchitectural Data Sampling (MDS). In other words, they have MSR_IA32_ARCH_CAPABILITIES.MDS_NO=1 and get the new IA32_TSX_CTRL Model-specific register (MSR) through a microcode update. This new MSR allows for a reliable deactivation of the TSX functionality.
  • auto - Disable TSX if X86_BUG_TAA is present, otherwise enable TSX on the system.

Not specifying this option is equivalent to tsx=on, as Red Hat has implicitly made TSX enabled.

For more details, see documentation of TAA - TSX Asynchronous Abort.

tsx_async_abort = [X86,INTEL]

This parameter controls mitigation for the TSX Async Abort (TAA) vulnerability.

Similar to Micro-architectural Data Sampling (MDS), certain CPUs that support Transactional Synchronization Extensions (TSX) are vulnerable to an exploit against CPU internal buffers. The exploit can forward information to a disclosure gadget under certain conditions.

In vulnerable processors, the speculatively forwarded data can be used in a cache side channel attack, to access data to which the attacker does not have direct access.

The options are:

  • full - Enable TAA mitigation on vulnerable CPUs if TSX is enabled.
  • full,nosmt - Enable TAA mitigation and disable Simultaneous Multi Threading (SMT) on vulnerable CPUs. If TSX is disabled, SMT is not disabled because the CPU is not vulnerable to cross-thread TAA attacks.
  • off - Unconditionally disable TAA mitigation.

On MDS-affected machines, an active MDS mitigation can prevent tsx_async_abort=off from taking effect, because both vulnerabilities are mitigated with the same mechanism. Therefore, to disable this mitigation, you need to specify the mds=off parameter as well.

Not specifying this option is equivalent to tsx_async_abort=full. On CPUs that are MDS-affected and deploy the MDS mitigation, TAA mitigation is not required and does not provide any additional protection.

For more details, see documentation of TAA - TSX Asynchronous Abort.

Updated kernel parameters

mitigations = [X86,PPC,S390]

Controls optional mitigations for CPU vulnerabilities. This is a set of curated, arch-independent options, each of which is an aggregation of existing arch-specific options.

The options are:

  • off - Disable all optional CPU mitigations. This improves system performance, but it may also expose users to several CPU vulnerabilities.

    Equivalent to:

    • nopti [X86,PPC]
    • nospectre_v1 [X86,PPC]
    • nobp=0 [S390]
    • nospectre_v2 [X86,PPC,S390]
    • spec_store_bypass_disable=off [X86,PPC]
    • l1tf=off [X86]
    • mds=off [X86]
    • tsx_async_abort=off [X86]
    • kvm.nx_huge_pages=off [X86]

      Exceptions:

      mitigations=off does not have any effect on the kvm.nx_huge_pages parameter if kvm.nx_huge_pages=force.

  • auto (default) - Mitigate all CPU vulnerabilities, but leave Simultaneous multithreading (SMT) enabled, even if it is vulnerable. This is for users who do not want to be surprised by SMT getting disabled across kernel upgrades, or who have other ways of avoiding SMT-based attacks.

    Equivalent to:

    • (default behavior)
  • auto,nosmt - Mitigate all CPU vulnerabilities, disabling Simultaneous multithreading (SMT) if needed. This is for users who always want to be fully mitigated, even if it means losing SMT.

    Equivalent to:

    • l1tf=flush,nosmt [X86]
    • mds=full,nosmt [X86]
    • tsx_async_abort=full,nosmt [X86]
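The parameters documented above (audit, audit_backlog_limit, tsx, tsx_async_abort and mitigations) all arrive through the kernel command line, and an administrator usually wants to check what a given command line actually asks for before rebooting. The following is an added example, not code from the Red Hat release notes or from the kernel: it parses a command line in the /proc/cmdline format, validates each value against the formats documented above, and derives the effective tsx_async_abort mode from the equivalences the notes state (mitigations=off is equivalent to tsx_async_abort=off, mitigations=auto,nosmt to tsx_async_abort=full,nosmt, and the default is full). The rule that mitigations=off takes precedence over an explicit tsx_async_abort= value is an assumption of this example, as is the sample command line, which is constructed rather than captured from a host.

```shell
#!/bin/sh
# Added example, not part of the Red Hat release notes: a checker for the boot
# parameters documented above.  It parses a kernel command line in the
# /proc/cmdline format, validates the values the notes document, and derives
# the effective tsx_async_abort mode from the rules the notes give.

# Print the value of parameter $2 on command line $1.  Prints nothing if the
# parameter is absent and "set" for a bare flag; a later occurrence overrides
# an earlier one.
cmdline_get() (
    set -f                       # no pathname expansion while splitting tokens
    _val=
    for _tok in $1; do
        case $_tok in
            "$2")   _val=set ;;
            "$2"=*) _val=${_tok#*=} ;;
        esac
    done
    printf '%s\n' "$_val"
)

# Check value $2 of parameter $1 against the format documented for it.
# Prints "ok" or the reason the value is rejected.
validate_param() {
    case $1 in
        audit)
            case $2 in 0|1) echo ok ;; *) echo "audit must be 0 or 1" ;; esac ;;
        audit_backlog_limit)
            case $2 in
                ''|*[!0-9]*) echo "audit_backlog_limit must be an integer >= 0" ;;
                *) echo ok ;;
            esac ;;
        tsx)
            case $2 in on|off|auto) echo ok ;; *) echo "tsx must be on, off or auto" ;; esac ;;
        tsx_async_abort)
            case $2 in full|full,nosmt|off) echo ok ;; *) echo "tsx_async_abort must be full, full,nosmt or off" ;; esac ;;
        mitigations)
            case $2 in off|auto|auto,nosmt) echo ok ;; *) echo "mitigations must be off, auto or auto,nosmt" ;; esac ;;
        *)  echo "not a parameter covered by these notes" ;;
    esac
}

# Effective tsx_async_abort mode.  Absent parameter => full; mitigations=off
# => off; mitigations=auto,nosmt => full,nosmt.  Assumption of this example:
# mitigations=off takes precedence over an explicit tsx_async_abort= value.
effective_taa() {
    _mit=$(cmdline_get "$1" mitigations)
    _taa=$(cmdline_get "$1" tsx_async_abort)
    if [ "$_mit" = off ]; then echo off
    elif [ -n "$_taa" ]; then echo "$_taa"
    elif [ "$_mit" = auto,nosmt ]; then echo full,nosmt
    else echo full
    fi
}

# The notes say tsx_async_abort=off does not take effect on MDS-affected CPUs
# while the MDS mitigation is active.  Prints "yes" when the command line turns
# TAA off without also turning MDS off (mitigations=off covers both).
taa_off_needs_mds_off() {
    [ "$(effective_taa "$1")" = off ] || { echo no; return 0; }
    _mit=$(cmdline_get "$1" mitigations)
    _mds=$(cmdline_get "$1" mds)
    if [ "$_mit" = off ] || [ "$_mds" = off ]; then echo no; else echo yes; fi
}

# On a live system, show the kernel's own verdict for each vulnerability.
report_live() {
    _dir=/sys/devices/system/cpu/vulnerabilities
    [ -d "$_dir" ] || { echo "$_dir not present on this kernel"; return 0; }
    for _f in "$_dir"/*; do
        printf '%s: %s\n' "${_f##*/}" "$(cat "$_f")"
    done
}

# Constructed sample command line (not captured from a real host).
SAMPLE='root=/dev/mapper/rhel-root ro audit=1 audit_backlog_limit=8192 tsx=auto mitigations=auto,nosmt'
for _p in audit audit_backlog_limit tsx tsx_async_abort mitigations; do
    _v=$(cmdline_get "$SAMPLE" "$_p")
    if [ -n "$_v" ]; then
        printf '%-20s %-12s %s\n' "$_p" "$_v" "$(validate_param "$_p" "$_v")"
    fi
done
printf 'effective tsx_async_abort: %s\n' "$(effective_taa "$SAMPLE")"
printf 'TAA off needs mds=off too: %s\n' "$(taa_off_needs_mds_off "$SAMPLE")"
```

To check a running host rather than the constructed sample, pass `"$(cat /proc/cmdline)"` to the functions and call report_live; the sysfs directory it reads exists only on kernels that carry the mitigation reporting.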

New /proc/sys/fs parameters

negative-dentry-limit

The integer value of this parameter specifies a soft limit on the total number of negative dentries allowed on the system, expressed as a fraction of total system memory. Each unit represents 0.1% of total system memory and the allowable range is 0-100, so the largest limit that can be specified is 10%. A value of 0 means there is no limit.

On an AMD64 or Intel 64 system with 32 GB of memory, a 1% limit translates to about 1.7 million dentries, or about 53 thousand dentries per GB of memory.
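The unit of this knob (0.1% per step, 0 meaning unlimited) is easy to get wrong when writing a sysctl drop-in, so the following added example, not code from the release notes, wraps the range check, the conversion to a percentage, and a rough dentry estimate that uses the notes' own figure of about 53 thousand dentries per GB for a 1% limit. The function names and the estimate formula are this example's own; the sysctl key fs.negative-dentry-limit is the standard sysctl mapping of the /proc/sys/fs/negative-dentry-limit file described above.

```shell
#!/bin/sh
# Added example, not part of the release notes: helpers for the
# fs.negative-dentry-limit sysctl (the /proc/sys/fs/negative-dentry-limit file
# described above).  The value is in units of 0.1% of system memory, 0-100,
# and 0 means no limit.

# "yes" if $1 is an integer in the documented range 0-100, else "no".
ndl_valid() {
    case $1 in
        ''|*[!0-9]*) echo no ;;
        *) if [ "$1" -le 100 ]; then echo yes; else echo no; fi ;;
    esac
}

# Convert the raw value to the percentage of memory it represents.
ndl_percent() {
    awk -v v="$1" 'BEGIN { printf "%.1f\n", v / 10 }'
}

# Rough number of dentries the limit allows on a host with $2 GB of memory,
# using the notes' figure of about 53 thousand dentries per GB for a 1% limit.
ndl_estimate() {
    if [ "$1" -eq 0 ]; then echo unlimited; return 0; fi
    awk -v v="$1" -v gb="$2" 'BEGIN { printf "%d\n", v / 10 * 53000 * gb }'
}

# Validate, then apply on a kernel that has the knob; the sysctl key
# fs.negative-dentry-limit maps to /proc/sys/fs/negative-dentry-limit.
ndl_apply() {
    if [ "$(ndl_valid "$1")" != yes ]; then
        echo "negative-dentry-limit must be an integer 0-100, got '$1'" >&2
        return 1
    fi
    if [ ! -e /proc/sys/fs/negative-dentry-limit ]; then
        echo "fs.negative-dentry-limit is not available on this kernel" >&2
        return 1
    fi
    sysctl -w fs.negative-dentry-limit="$1"
}

# Show what the documented 1% example (value 10) means on a 32 GB host.
printf 'value 10 = %s%% of memory, about %s dentries on 32 GB\n' \
    "$(ndl_percent 10)" "$(ndl_estimate 10 32)"
```

ndl_apply is deliberately not called at the top level; run it as root only after ndl_valid has accepted the value, and persist the same value in a file under /etc/sysctl.d so it survives a reboot.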