From 32ecdb4e8ccccf07acd8c6c82a3676ec15647b4a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 16 Feb 2022 14:02:45 +0100
Subject: [PATCH 1/3] add grub2 variant
---
 .../rule.yml | 40 +++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml
new file mode 100644
index 00000000000..3d0c8b95d8a
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: rhel9
+
+title: 'Enable randomization of the page allocator'
+
+description: |-
+ To enable randomization of the page allocator in the kernel, add the
+ page_alloc.shuffle=1 argument to the default GRUB 2 command line.
+ {{{ describe_grub2_argument("page_alloc.shuffle=1") | indent(4) }}}
+
+rationale: |-
+ The CONFIG_SHUFFLE_PAGE_ALLOCATOR config option is primarily
+ focused on improving the average utilization of a direct-mapped
+ memory-side-cache. Aside of this performance effect, it also reduces
+ predictability of page allocations in situations when the bad actor can
+ crash the system and somehow leverage knowledge of (page) allocation order
+ right after a fresh reboot, or can control the timing between a
+ hot-pluggable memory node (as in NUMA node) and applications allocating
+ memory ouf of that node. The page_alloc.shuffle=1 kernel command
+ line parameter then forces this functionality irrespectively of memory cache
+ architecture.
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-85879-5
+
+ocil_clause: 'randomization of the page allocator is not enabled in the kernel'
+
+ocil: |-
+ {{{ ocil_grub2_argument("page_alloc.shuffle=1") | indent(4) }}}
+
+platform: machine
+
+template:
+ name: grub2_bootloader_argument
+ vars:
+ arg_name: page_alloc.shuffle
+ arg_value: '1'
From ccd4bee3bec201cdee883c662056fc408b2d88ad Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 16 Feb 2022 14:20:59 +0100
Subject: [PATCH 2/3] add zipl variant
---
 .../zipl_page_alloc_shuffle_argument/rule.yml | 46 +++++++++++++++++++
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml
new file mode 100644
index 00000000000..5179b19fcc0
--- /dev/null
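Review bot: The `rationale` block scalar, which is rendered verbatim into the generated guide, has wording defects: `memory ouf of that node` should be `memory out of that node`, `Aside of this performance effect` should be `Aside from this performance effect`, and `irrespectively of memory cache architecture` should be `irrespective of memory cache architecture`; `the bad actor` reads more naturally as `an attacker`. The identical paragraph is duplicated in the zipl rule added by PATCH 2/3, so the same corrections apply there. The diffstat above lists 2 files changed with 1 deletion, yet only the new rule.yml appears in the patch as shown here; that may be an artifact of how the series was captured rather than a missing hunk.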
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml
@@ -0,0 +1,46 @@
+documentation_complete: true
+
+prodtype: rhel9
+
+title: 'Enable randomization of the page allocator in zIPL'
+
+description: |-
+ To enable the randomization of the page allocator in the kernel, check that
+ all boot entries in /boot/loader/entries/*.conf have
+ page_alloc.shuffle=1 included in its options.
+
+ To enable randomization of the page allocator also for newly installed
+ kernels, add page_alloc.shuffle=1 to /etc/kernel/cmdline.
+
+rationale: |-
+ The CONFIG_SHUFFLE_PAGE_ALLOCATOR config option is primarily
+ focused on improving the average utilization of a direct-mapped
+ memory-side-cache. Aside of this performance effect, it also reduces
+ predictability of page allocations in situations when the bad actor can
+ crash the system and somehow leverage knowledge of (page) allocation order
+ right after a fresh reboot, or can control the timing between a
+ hot-pluggable memory node (as in NUMA node) and applications allocating
+ memory ouf of that node. The page_alloc.shuffle=1 kernel command
+ line parameter then forces this functionality irrespectively of memory cache
+ architecture.
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-85880-3
+
+ocil_clause: 'randomization of the page allocator is not enabled in the kernel'
+
+ocil: |-
+ To check that the randomization of the page allocator in the kernel is
+ enabled, check all boot entries with following command:
+
sudo grep -L"^options\s+.*\bpage_alloc\.shuffle=1\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that doesn't enable audit.
+
+platform: machine
+
+template:
+ name: zipl_bls_entries_option
+ vars:
+ arg_name: page_alloc.shuffle
+ arg_value: '1'
From 89671b0a5a69ccaf0a46ff1fc86db82fc822dda0 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 16 Feb 2022 14:24:32 +0100
Subject: [PATCH 3/3] add rules to rhel9 ospp profile
---
 products/rhel9/profiles/ospp.profile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index f25abd7e4c4..4bdf8d98b97 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -126,6 +126,7 @@ selections:
 - grub2_audit_backlog_limit_argument
 - grub2_vsyscall_argument
 - grub2_init_on_alloc_argument
+ - grub2_page_alloc_shuffle_argument
 ## Security Settings
 - sysctl_kernel_kptr_restrict
@@ -409,3 +410,4 @@ selections:
 - zipl_audit_backlog_limit_argument
 - zipl_vsyscall_argument
 - zipl_init_on_alloc_argument
+ - zipl_page_alloc_shuffle_argument
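Review bot: The `ocil` text carries a copy-paste error from the audit rule: `No line should be returned, each line returned is a boot entry that doesn't enable audit.` names the wrong setting, and `grep -L` prints file names rather than lines, so it should read `No file name should be returned; each file name returned is a boot entry that does not enable page allocator randomization.`. The check command as rendered here, `sudo grep -L"^options\s+.*\bpage_alloc\.shuffle=1\b" /boot/loader/entries/*.conf`, has no space between `-L` and the pattern (possibly lost in rendering), and without `-E` GNU grep treats `+` in a basic regular expression as a literal character, so `\s+` would not match a real `options` line and every entry would be reported as non-compliant. Writing it as `sudo grep -L -E "^options\s+.*\bpage_alloc\.shuffle=1\b" /boot/loader/entries/*.conf` addresses both; the `description` block also says `included in its options` where `their options` matches the plural `boot entries`.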