👾 How to disable CPU vulnerability mitigations — Information Security Squad
Disabling the mitigations for CPU vulnerabilities.
Be careful: do not do this at work.

Ubuntu version:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu Focal Fossa (development branch)
Release:        20.04
Codename:       focal

Kernel version:

$ uname -a 
Linux desktop 5.4.0-14-generic #17-Ubuntu SMP Thu Feb 6 22:47:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Display the CPU details to see which mitigations are currently active (the "Vulnerability ..." rows):
$ lscpu 
Architecture:                    x86_64
CPU op-mode(s):                  32-bit, 64-bit
Byte Order:                      Little Endian
Address sizes:                   39 bits physical, 48 bits virtual
CPU(s):                          4
On-line CPU(s) list:             0-3
Thread(s) per core:              1
Core(s) per socket:              4
Socket(s):                       1
NUMA node(s):                    1
Vendor ID:                       GenuineIntel
CPU family:                      6
Model:                           60
Model name:                      Intel(R) Core(TM) i5-4570S CPU @ 2.90GHz
Stepping:                        3
CPU MHz:                         941.676
CPU max MHz:                     3600.0000
CPU min MHz:                     800.0000
BogoMIPS:                        5786.92
Virtualization:                  VT-x
L1d cache:                       128 KiB
L1i cache:                       128 KiB
L2 cache:                        1 MiB
L3 cache:                        6 MiB
NUMA node0 CPU(s):               0-3
Vulnerability Itlb multihit:     KVM: Mitigation: Split huge pages
Vulnerability L1tf:              Mitigation; PTE Inversion; VMX conditional cache flushes, SMT disabled
Vulnerability Mds:               Mitigation; Clear CPU buffers; SMT disabled
Vulnerability Meltdown:          Mitigation; PTI
Vulnerability Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp
Vulnerability Spectre v1:        Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:        Mitigation; Full generic retpoline, IBPB conditional, IBRS_FW, STIBP disabled, RSB filling
Vulnerability Tsx async abort:   Not affected
Flags:                           fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse ss
                                 e2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology 
                                 nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtp
                                 r pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm c
                                 puid_fault epb invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid ept_ad fsgs
                                 base tsc_adjust bmi1 avx2 smep bmi2 erms invpcid xsaveopt dtherm ida arat pln
Check the GRUB configuration:
$ cat /etc/default/grub
# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
#   info -f grub -n 'Simple configuration'

GRUB_DEFAULT=0
GRUB_TIMEOUT_STYLE=hidden
GRUB_TIMEOUT=0
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX=""

# Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"

# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
#GRUB_GFXMODE=640x480

# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_RECOVERY="true"

# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"
Add the kernel parameter mitigations=off to GRUB_CMDLINE_LINUX_DEFAULT:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash mitigations=off"

See the kernel parameter documentation (kernel-parameters.txt) for the details of what this option does:

mitigations=
			[X86,PPC,S390,ARM64] Control optional mitigations for
			CPU vulnerabilities.  This is a set of curated,
			arch-independent options, each of which is an
			aggregation of existing arch-specific options.

			off
				Disable all optional CPU mitigations.  This
				improves system performance, but it may also
				expose users to several CPU vulnerabilities.
				Equivalent to: nopti [X86,PPC]
					       kpti=0 [ARM64]
					       nospectre_v1 [X86,PPC]
					       nobp=0 [S390]
					       nospectre_v2 [X86,PPC,S390,ARM64]
					       spectre_v2_user=off [X86]
					       spec_store_bypass_disable=off [X86,PPC]
					       ssbd=force-off [ARM64]
					       l1tf=off [X86]
					       mds=off [X86]
					       tsx_async_abort=off [X86]
					       kvm.nx_huge_pages=off [X86]

				Exceptions:
					       This does not have any effect on
					       kvm.nx_huge_pages when
					       kvm.nx_huge_pages=force.

			auto (default)
				Mitigate all CPU vulnerabilities, but leave SMT
				enabled, even if it's vulnerable.  This is for
				users who don't want to be surprised by SMT
				getting disabled across kernel upgrades, or who
				have other ways of avoiding SMT-based attacks.
				Equivalent to: (default behavior)

			auto,nosmt
				Mitigate all CPU vulnerabilities, disabling SMT
				if needed.  This is for users who always want to
				be fully mitigated, even if it means losing SMT.
				Equivalent to: l1tf=flush,nosmt [X86]
					       mds=full,nosmt [X86]
					       tsx_async_abort=full,nosmt [X86]

Update GRUB:

$ sudo update-grub
Sourcing file `/etc/default/grub'
Sourcing file `/etc/default/grub.d/init-select.cfg'
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.4.0-14-generic
Found initrd image: /boot/initrd.img-5.4.0-14-generic
Found linux image: /boot/vmlinuz-5.4.0-9-generic
Found initrd image: /boot/initrd.img-5.4.0-9-generic
Found memtest86+ image: /memtest86+.elf
Found memtest86+ image: /memtest86+.bin
done

Reboot the system:

$ sudo reboot

Verify which mitigations are now in effect. After the reboot, most rows report Vulnerable:

~$ lscpu 
Architecture:                    x86_64
CPU op-mode(s):                  32-bit, 64-bit
Byte Order:                      Little Endian
Address sizes:                   39 bits physical, 48 bits virtual
CPU(s):                          4
On-line CPU(s) list:             0-3
Thread(s) per core:              1
Core(s) per socket:              4
Socket(s):                       1
NUMA node(s):                    1
Vendor ID:                       GenuineIntel
CPU family:                      6
Model:                           60
Model name:                      Intel(R) Core(TM) i5-4570S CPU @ 2.90GHz
Stepping:                        3
CPU MHz:                         1200.788
CPU max MHz:                     3600.0000
CPU min MHz:                     800.0000
BogoMIPS:                        5786.81
Virtualization:                  VT-x
L1d cache:                       128 KiB
L1i cache:                       128 KiB
L2 cache:                        1 MiB
L3 cache:                        6 MiB
NUMA node0 CPU(s):               0-3
Vulnerability Itlb multihit:     KVM: Vulnerable
Vulnerability L1tf:              Mitigation; PTE Inversion; VMX vulnerable, SMT disabled
Vulnerability Mds:               Vulnerable; SMT disabled
Vulnerability Meltdown:          Vulnerable
Vulnerability Spec store bypass: Vulnerable
Vulnerability Spectre v1:        Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers
Vulnerability Spectre v2:        Vulnerable, IBPB: disabled, STIBP: disabled
Vulnerability Tsx async abort:   Not affected
Flags:                           fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse s
                                 se2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopolog
                                 y nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 
                                 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm a
                                 bm cpuid_fault epb invpcid_single ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid ept_ad fsg
                                 sbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid xsaveopt dtherm ida a
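The verification step above reads lscpu by eye. As an added example (not part of the original post), the POSIX shell audit below reads the same status text from the sysfs files that lscpu displays and flags any vulnerability reported as Vulnerable, and checks a kernel command line for mitigations=off; the directory argument and the constructed sample tree (mirroring the post's post-reboot output) are assumptions so it can run offline.

```shell
#!/bin/sh
# Audit CPU vulnerability mitigation status from sysfs.
# Each file under /sys/devices/system/cpu/vulnerabilities/ holds the text
# that lscpu prints in its "Vulnerability ..." rows.
# audit_mitigations [DIR] -> prints one line per file, returns 1 if any
# status starts with "Vulnerable" or carries "KVM: Vulnerable".
audit_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case "$status" in
            Vulnerable*|*": Vulnerable"*)
                printf 'VULNERABLE  %s: %s\n' "$(basename "$f")" "$status"
                bad=1 ;;
            *)
                printf 'ok          %s: %s\n' "$(basename "$f")" "$status" ;;
        esac
    done
    return $bad
}

# cmdline_disables_mitigations CMDLINE -> returns 0 (true) if the boot
# command line (e.g. the contents of /proc/cmdline) contains mitigations=off.
cmdline_disables_mitigations() {
    case " $1 " in
        *" mitigations=off "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample tree (assumption, for offline use) that mirrors the
# post-reboot lscpu output shown in the post.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Vulnerable\n' > "$d/meltdown"
    printf 'Vulnerable, IBPB: disabled, STIBP: disabled\n' > "$d/spectre_v2"
    printf 'KVM: Vulnerable\n' > "$d/itlb_multihit"
    printf 'Not affected\n' > "$d/tsx_async_abort"
    printf '%s\n' "$d"
}
```

On a live host, run `audit_mitigations` with no argument and `cmdline_disables_mitigations "$(cat /proc/cmdline)"`; a non-zero exit from either is the signal a fleet check would alert on.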
