From 838428152efd325b731eea43fb2dea8f8e94b797 Mon Sep 17 00:00:00 2001
From: inference
Date: Fri, 16 Sep 2022 23:10:16 +0100
Subject: [PATCH] Disable kvm.nx_huge_pages mitigation. Disable L1 Terminal Fault mitigation due to current CPU not being vulnerable. Disable Microarchitectural Data Sampling mitigation due to current CPU not being vulnerable. Disable MMIO stale data mitigation due to current CPU not being vulnerable. Disable Page Table Isolation mitigation due to current CPU not being vulnerable. Disable Retbleed mitigation due to current CPU not being vulnerable. Enable Spectre V2 mitigation due to current CPU being vulnerable. Enable Speculative Store Bypass mitigation due to current CPU being vulnerable. Disable Special Register Buffer Data Sampling mitigation due to current CPU not being vulnerable. Disable Transactional Synchronization Extensions mitigation async abort due to current CPU not being vulnerable. Disable debugfs. Enable initialize-on-allocation to ensure memory is zeroed on allocation. Enable initialize-on-free to ensure memory is zeroed on free. Enable page allocation shuffle. Enable randomize kstack offset. Disable SLAB merging. Disable vsyscall. Disable SMT for protection against potential security issues. Remove CPU mitigations not applicable to current CPU. Remove wireless support. Build system firmware into kernel.
---
 linux/.config | 39 +++++++++------------------------------
 1 file changed, 9 insertions(+), 30 deletions(-)
diff --git a/linux/.config b/linux/.config
index 9845127..a5b0603 100644
--- a/linux/.config
+++ b/linux/.config
@@ -28,7 +28,7 @@ CONFIG_THREAD_INFO_IN_TASK=y
 CONFIG_INIT_ENV_ARG_LIMIT=32
 # CONFIG_COMPILE_TEST is not set
 # CONFIG_WERROR is not set
-CONFIG_LOCALVERSION="-inferencium-AA000-0-0.2.0.4"
+CONFIG_LOCALVERSION="-inferencium-AA000-0-0.4.0.6"
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_BUILD_SALT=""
 CONFIG_HAVE_KERNEL_GZIP=y
@@ -434,8 +434,8 @@ CONFIG_HOTPLUG_CPU=y
 CONFIG_LEGACY_VSYSCALL_XONLY=y
 # CONFIG_LEGACY_VSYSCALL_NONE is not set
 CONFIG_CMDLINE_BOOL=y
-CONFIG_CMDLINE="\"root=UUID=2c866bb8-3352-4240-b849-775cebfb6d7b rd.luks.uuid=c6453dde-a22f-4b2f-b6b4-eb82b89c1105 rd.luks.allow-discards\""
-# CONFIG_CMDLINE_OVERRIDE is not set
+CONFIG_CMDLINE="kvm.nx_huge_pages=off l1tf=off mds=off mmio_stale_data=off pti=off retbleed=off spectre_v2=on spec_store_bypass_disable=on srbds=off tsx_async_abort=off debugfs=off init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 randomize_kstack_offset=on slab_nomerge vsyscall=none nosmt=force root=UUID=[REDACTED] rd.luks.uuid=[REDACTED]"
+CONFIG_CMDLINE_OVERRIDE=y
 CONFIG_MODIFY_LDT_SYSCALL=y
 CONFIG_HAVE_LIVEPATCH=y
 # end of Processor type and features
@@ -443,12 +443,12 @@ CONFIG_HAVE_LIVEPATCH=y
 CONFIG_CC_HAS_SLS=y
 CONFIG_CC_HAS_RETURN_THUNK=y
 CONFIG_SPECULATION_MITIGATIONS=y
-CONFIG_PAGE_TABLE_ISOLATION=y
+# CONFIG_PAGE_TABLE_ISOLATION is not set
 CONFIG_RETPOLINE=y
 CONFIG_RETHUNK=y
-CONFIG_CPU_UNRET_ENTRY=y
-CONFIG_CPU_IBPB_ENTRY=y
-CONFIG_CPU_IBRS_ENTRY=y
+# CONFIG_CPU_UNRET_ENTRY is not set
+# CONFIG_CPU_IBPB_ENTRY is not set
+# CONFIG_CPU_IBRS_ENTRY is not set
 CONFIG_SLS=y
 CONFIG_ARCH_HAS_ADD_PAGES=y
 CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y
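Review bot: The new `CONFIG_CMDLINE` value pins every speculation mitigation to a fixed state, which discards the kernel's own per-CPU vulnerability detection that the commit message cites as the reason the mitigations are unnecessary: on a CPU the kernel does not flag as affected, `l1tf`, `mds`, `mmio_stale_data`, `pti`, `retbleed`, `srbds` and `tsx_async_abort` already stay off, so the explicit `=off` switches only take effect when a later microcode, CPU swap or kernel change would have turned one on, and then they silently remove that protection. The build-time removals of `CONFIG_PAGE_TABLE_ISOLATION` and the three `CONFIG_CPU_*_ENTRY` options in the following hunk have the same effect and additionally cannot be undone at boot. Because `CONFIG_CMDLINE_OVERRIDE=y` makes the built-in string replace the bootloader command line entirely, nothing can be overridden at boot either, and the committed `root=UUID=[REDACTED] rd.luks.uuid=[REDACTED]` values mean the file cannot boot as committed; the commit message or README should state that this is a per-machine template whose UUIDs must be filled in before building. Keeping `# CONFIG_CMDLINE_OVERRIDE is not set` would append the built-in parameters to the bootloader's instead and leave a recovery path. `rd.luks.allow-discards` was also dropped from the old value without being mentioned in the message, which may be unintended.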
@@ -1195,27 +1195,7 @@ CONFIG_NET_FLOW_LIMIT=y
 # CONFIG_AF_KCM is not set
 # CONFIG_MCTP is not set
 CONFIG_FIB_RULES=y
-CONFIG_WIRELESS=y
-CONFIG_CFG80211=y
-# CONFIG_NL80211_TESTMODE is not set
-# CONFIG_CFG80211_DEVELOPER_WARNINGS is not set
-CONFIG_CFG80211_REQUIRE_SIGNED_REGDB=y
-CONFIG_CFG80211_USE_KERNEL_REGDB_KEYS=y
-CONFIG_CFG80211_DEFAULT_PS=y
-# CONFIG_CFG80211_DEBUGFS is not set
-CONFIG_CFG80211_CRDA_SUPPORT=y
-# CONFIG_CFG80211_WEXT is not set
-CONFIG_MAC80211=y
-CONFIG_MAC80211_HAS_RC=y
-CONFIG_MAC80211_RC_MINSTREL=y
-CONFIG_MAC80211_RC_DEFAULT_MINSTREL=y
-CONFIG_MAC80211_RC_DEFAULT="minstrel_ht"
-# CONFIG_MAC80211_MESH is not set
-CONFIG_MAC80211_LEDS=y
-# CONFIG_MAC80211_DEBUGFS is not set
-# CONFIG_MAC80211_MESSAGE_TRACING is not set
-# CONFIG_MAC80211_DEBUG_MENU is not set
-CONFIG_MAC80211_STA_HASH_MAX_SIZE=0
+# CONFIG_WIRELESS is not set
 CONFIG_RFKILL=y
 CONFIG_RFKILL_LEDS=y
 CONFIG_RFKILL_INPUT=y
@@ -1313,7 +1293,7 @@ CONFIG_PREVENT_FIRMWARE_BUILD=y
 # Firmware loader
 #
 CONFIG_FW_LOADER=y
-CONFIG_EXTRA_FIRMWARE="amd-ucode/microcode_amd_fam17h.bin amd-ucode/microcode_amd_fam19h.bin"
+CONFIG_EXTRA_FIRMWARE="amd-ucode/microcode_amd_fam19h.bin amdgpu/green_sardine_asd.bin amdgpu/green_sardine_ce.bin amdgpu/green_sardine_dmcub.bin amdgpu/green_sardine_me.bin amdgpu/green_sardine_mec2.bin amdgpu/green_sardine_mec.bin amdgpu/green_sardine_pfp.bin amdgpu/green_sardine_rlc.bin amdgpu/green_sardine_sdma.bin amdgpu/green_sardine_ta.bin amdgpu/green_sardine_vcn.bin amdgpu/gc_10_3_7_mec2.bin amdgpu/gc_10_3_7_pfp.bin amdgpu/gc_10_3_7_rlc.bin amdgpu/dcn_3_1_6_dmcub.bin amdgpu/psp_13_0_8_asd.bin amdgpu/psp_13_0_8_ta.bin amdgpu/psp_13_0_8_toc.bin amdgpu/sdma_5_2_7.bin rtl_nic/rtl8168h-2.fw"
 CONFIG_EXTRA_FIRMWARE_DIR="/lib/firmware"
 # CONFIG_FW_LOADER_USER_HELPER is not set
 # CONFIG_FW_LOADER_COMPRESS is not set
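Review bot: In the `CONFIG_EXTRA_FIRMWARE` hunk the CPU microcode `amd-ucode/microcode_amd_fam19h.bin` becomes a compile-time input, so microcode fixes, which may also change what vulnerabilities the CPU reports and therefore the "current CPU not being vulnerable" reasoning elsewhere in this commit, now reach the machine only when the kernel is rebuilt, and neither the message nor the config records which firmware package revision the blobs came from. Recording that revision in the commit message, e.g. `Firmware taken from linux-firmware <revision placeholder>`, and rebuilding whenever the microcode blob changes would keep the assumptions checkable. Dropping `microcode_amd_fam17h.bin` and listing a single NIC firmware also binds this config to one machine, which is worth stating if the file is reused.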
@@ -4110,7 +4090,6 @@ CONFIG_ARCH_USE_SYM_ANNOTATIONS=y
 # Crypto library routines
 #
 CONFIG_CRYPTO_LIB_AES=y
-CONFIG_CRYPTO_LIB_ARC4=y
 CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S=y
 CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y
 CONFIG_CRYPTO_LIB_CHACHA_GENERIC=y