Have the kernel conditionally disable SMT if vulnerable #95
Merged
dustymabe merged 1 commit into coreos:master from bgilbert:nosmt on May 17, 2019
jlebon (Member) reviewed May 17, 2019
So related here is ostreedev/ostree#479. I.e. with this, we'll be able to choose whether we want to affect machines on upgrade, or only new installs. In the former case, e.g. we'd maintain a list of default kargs in our overlay/.
For nosmt specifically my understanding is that we only want this on new installs (never mind the fact that FCOS is still in pre-preview :)) so this WFM.
Just bringing this up so we keep it in mind when discussing "default" kargs.
image.yaml
Outdated
| size: 8 | ||
|
|
||
| # Disable SMT on systems vulnerable to MDS or any similar future issue. | ||
| extra-kargs: mitigations=auto,nosmt |
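Review bot: in the `extra-kargs` line, the comma in `mitigations=auto,nosmt` is part of a single kernel argument, not a separator between two kargs, and the comment above it does not say so. If this field is later split or turned into a list, the value has to stay one item; broken into `mitigations=auto` and `nosmt`, the bare `nosmt` would disable SMT unconditionally instead of only on affected CPUs. Suggest extending the comment to state that the value is one argument and that SMT is left enabled on hardware the kernel does not consider vulnerable.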
Member
Might be nicer to have this be a list instead to make it cleaner to e.g. update and maintain context comments.
Contributor
Author
Updated.
Requires coreos/coreos-assembler#525. Implements coreos/fedora-coreos-tracker#181.