From fbcd3e42106b95efd8a63914a558c04c76487783 Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Mon, 21 Sep 2020 10:26:53 +0200
|
|
Subject: [PATCH] Remove zIPL rule for PTI bootloader option
|
|
|
|
This setting mitigates a problem (Meltdown) that is specific to Intel architectures, so the zIPL variant of the KPTI rule is not applicable.
|
|
Also returns the CCE to the pool.
|
|
---
|
|
.../zipl_pti_argument/rule.yml | 38 -------------------
|
|
rhel8/profiles/ospp.profile | 1 -
|
|
rhel8/profiles/stig.profile | 1 -
|
|
.../data/profile_stability/rhel8/ospp.profile | 1 -
|
|
4 files changed, 41 deletions(-)
|
|
delete mode 100644 linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
|
deleted file mode 100644
|
|
index 96170e6d85..0000000000
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
|
+++ /dev/null
|
|
@@ -1,38 +0,0 @@
|
|
-documentation_complete: true
|
|
-
|
|
-prodtype: rhel8
|
|
-
|
|
-title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
|
|
-
|
|
-description: |-
|
|
- To enable Kernel page-table isolation,
|
|
- check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
|
|
- included in its options.<br />
|
|
- To ensure that new kernels and boot entries continue to enable page-table isolation,
|
|
- add <tt>pti=on</tt> to <tt>/etc/kernel/cmdline</tt>.
|
|
-
|
|
-rationale: |-
|
|
- Kernel page-table isolation is a kernel feature that mitigates
|
|
- the Meltdown security vulnerability and hardens the kernel
|
|
- against attempts to bypass kernel address space layout
|
|
- randomization (KASLR).
|
|
-
|
|
-severity: medium
|
|
-
|
|
-identifiers:
|
|
- cce@rhel8: 83361-6
|
|
-
|
|
-ocil_clause: 'Kernel page-table isolation is not enabled'
|
|
-
|
|
-ocil: |-
|
|
- To check that page-table isolation is enabled at boot time, check all boot entries with following command:
|
|
- <pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
|
|
- No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
|
|
-
|
|
-platform: machine
|
|
-
|
|
-template:
|
|
- name: zipl_bls_entries_option
|
|
- vars:
|
|
- arg_name: pti
|
|
- arg_value: 'on'
|
|
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
|
|
index 5e81e4a92a..46f00c89f1 100644
|
|
--- a/rhel8/profiles/ospp.profile
|
|
+++ b/rhel8/profiles/ospp.profile
|
|
@@ -426,4 +426,3 @@ selections:
|
|
- zipl_vsyscall_argument
|
|
- zipl_vsyscall_argument.role=unscored
|
|
- zipl_vsyscall_argument.severity=info
|
|
- - zipl_pti_argument
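Review bot: Dropping `zipl_pti_argument` from the profile leaves the CCE the deleted rule carried (`cce@rhel8: 83361-6`) unaccounted for in this patch: the commit message says the CCE is returned to the pool, but the diffstat lists only the rule file, the two profiles and the stability fixture, with no availability-pool file touched. Unless that is done in a separate commit, the identifier is orphaned and may later be reassigned inconsistently, so the pool update should be part of this change. It would also be worth confirming, outside this hunk, that the x86 counterpart of the KPTI rule is still selected, since this hunk shows only the zIPL selection being removed.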
|
|
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
|
|
index 53647475aa..817d5dbadd 100644
|
|
--- a/rhel8/profiles/stig.profile
|
|
+++ b/rhel8/profiles/stig.profile
|
|
@@ -52,7 +52,6 @@ selections:
|
|
- "!zipl_audit_argument"
|
|
- "!zipl_audit_backlog_limit_argument"
|
|
- "!zipl_page_poison_argument"
|
|
- - "!zipl_pti_argument"
|
|
- "!zipl_slub_debug_argument"
|
|
- "!zipl_vsyscall_argument"
|
|
- "!zipl_vsyscall_argument.role=unscored"
|
|
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
|
index 7b7307cba8..223b1423cd 100644
|
|
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
|
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
|
@@ -219,7 +219,6 @@ selections:
|
|
- zipl_bls_entries_only
|
|
- zipl_bootmap_is_up_to_date
|
|
- zipl_page_poison_argument
|
|
-- zipl_pti_argument
|
|
- zipl_slub_debug_argument
|
|
- zipl_vsyscall_argument
|
|
- var_sshd_set_keepalive=0
|