|
 |
973b04 |
From fbcd3e42106b95efd8a63914a558c04c76487783 Mon Sep 17 00:00:00 2001
|
|
|
973b04 |
From: Watson Sato <wsato@redhat.com>
|
|
|
973b04 |
Date: Mon, 21 Sep 2020 10:26:53 +0200
|
|
|
973b04 |
Subject: [PATCH] Remove zIPL rule for PTI bootloader option
|
|
|
973b04 |
|
|
|
973b04 |
This setting is to mitigate a problem specific for intel archs.
|
|
|
973b04 |
Also returns the CCE to the pool.
|
|
|
973b04 |
---
|
|
|
973b04 |
.../zipl_pti_argument/rule.yml | 38 -------------------
|
|
|
973b04 |
rhel8/profiles/ospp.profile | 1 -
|
|
|
973b04 |
rhel8/profiles/stig.profile | 1 -
|
|
|
973b04 |
.../data/profile_stability/rhel8/ospp.profile | 1 -
|
|
|
973b04 |
4 files changed, 41 deletions(-)
|
|
|
973b04 |
delete mode 100644 linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
|
|
973b04 |
|
|
|
973b04 |
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
|
|
973b04 |
deleted file mode 100644
|
|
|
973b04 |
index 96170e6d85..0000000000
|
|
|
973b04 |
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
|
|
973b04 |
+++ /dev/null
|
|
|
973b04 |
@@ -1,38 +0,0 @@
|
|
|
973b04 |
-documentation_complete: true
|
|
|
973b04 |
-
|
|
|
973b04 |
-prodtype: rhel8
|
|
|
973b04 |
-
|
|
|
973b04 |
-title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
|
|
|
973b04 |
-
|
|
|
973b04 |
-description: |-
|
|
|
973b04 |
- To enable Kernel page-table isolation,
|
|
|
973b04 |
- check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
|
|
|
973b04 |
- included in its options.
|
|
|
973b04 |
- To ensure that new kernels and boot entries continue to enable page-table isolation,
|
|
|
973b04 |
- add <tt>pti=on</tt> to <tt>/etc/kernel/cmdline</tt>.
|
|
|
973b04 |
-
|
|
|
973b04 |
-rationale: |-
|
|
|
973b04 |
- Kernel page-table isolation is a kernel feature that mitigates
|
|
|
973b04 |
- the Meltdown security vulnerability and hardens the kernel
|
|
|
973b04 |
- against attempts to bypass kernel address space layout
|
|
|
973b04 |
- randomization (KASLR).
|
|
|
973b04 |
-
|
|
|
973b04 |
-severity: medium
|
|
|
973b04 |
-
|
|
|
973b04 |
-identifiers:
|
|
|
973b04 |
- cce@rhel8: 83361-6
|
|
|
973b04 |
-
|
|
|
973b04 |
-ocil_clause: 'Kernel page-table isolation is not enabled'
|
|
|
973b04 |
-
|
|
|
973b04 |
-ocil: |-
|
|
|
973b04 |
- To check that page-table isolation is enabled at boot time, check all boot entries with following command:
|
|
|
973b04 |
- sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf
|
|
|
973b04 |
- No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
|
|
|
973b04 |
-
|
|
|
973b04 |
-platform: machine
|
|
|
973b04 |
-
|
|
|
973b04 |
-template:
|
|
|
973b04 |
- name: zipl_bls_entries_option
|
|
|
973b04 |
- vars:
|
|
|
973b04 |
- arg_name: pti
|
|
|
973b04 |
- arg_value: 'on'
|
|
|
973b04 |
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
|
|
|
973b04 |
index 5e81e4a92a..46f00c89f1 100644
|
|
|
973b04 |
--- a/rhel8/profiles/ospp.profile
|
|
|
973b04 |
+++ b/rhel8/profiles/ospp.profile
|
|
|
973b04 |
@@ -426,4 +426,3 @@ selections:
|
|
|
973b04 |
- zipl_vsyscall_argument
|
|
|
973b04 |
- zipl_vsyscall_argument.role=unscored
|
|
|
973b04 |
- zipl_vsyscall_argument.severity=info
|
|
|
973b04 |
- - zipl_pti_argument
|
|
|
973b04 |
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
|
|
|
973b04 |
index 53647475aa..817d5dbadd 100644
|
|
|
973b04 |
--- a/rhel8/profiles/stig.profile
|
|
|
973b04 |
+++ b/rhel8/profiles/stig.profile
|
|
|
973b04 |
@@ -52,7 +52,6 @@ selections:
|
|
|
973b04 |
- "!zipl_audit_argument"
|
|
|
973b04 |
- "!zipl_audit_backlog_limit_argument"
|
|
|
973b04 |
- "!zipl_page_poison_argument"
|
|
|
973b04 |
- - "!zipl_pti_argument"
|
|
|
973b04 |
- "!zipl_slub_debug_argument"
|
|
|
973b04 |
- "!zipl_vsyscall_argument"
|
|
|
973b04 |
- "!zipl_vsyscall_argument.role=unscored"
|
|
|
973b04 |
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
|
|
973b04 |
index 7b7307cba8..223b1423cd 100644
|
|
|
973b04 |
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
|
|
973b04 |
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
|
|
973b04 |
@@ -219,7 +219,6 @@ selections:
|
|
|
973b04 |
- zipl_bls_entries_only
|
|
|
973b04 |
- zipl_bootmap_is_up_to_date
|
|
|
973b04 |
- zipl_page_poison_argument
|
|
|
973b04 |
-- zipl_pti_argument
|
|
|
973b04 |
- zipl_slub_debug_argument
|
|
|
973b04 |
- zipl_vsyscall_argument
|
|
|
973b04 |
- var_sshd_set_keepalive=0
|