mitigations.7 - OpenGrok cross reference for /freebsd/share/man/man7/mitigations.7

Lines Matching +full:supervisor +full:- +full:level
1 .\"-
2 .\" SPDX-License-Identifer: BSD-2-Clause
42 Some of these mitigations have run-time controls to enable them on a global
43 or per-process basis, some are optionally enabled or disabled at compile time,
48 .Bl -bullet -compact
58 Relocation Read-Only (RELRO)
64 Supervisor Mode Memory Protection
107 ASLR can be enabled on both a global and per-process basis.
110 knobs for 32- and 64-bit processes.
111 It can be or disabled on a per-process basis via
117 Global controls for 32-bit processes:
118 .Bl -tag -width kern.elf32.aslr.pie_enable
120 Enable ASLR for 32-bit ELF binaries, other than Position Independent
123 Enable ASLR for 32-bit Position Independent Executable (PIE) ELF binaries.
129 Randomize the stack location for 32-bit ELF binaries.
132 Global controls for 64-bit processes:
133 .Bl -tag -width kern.elf64.aslr.pie_enable
135 Enable ASLR for 64-bit ELF binaries, other than Position Independent
138 Enable ASLR for 64-bit Position Independent Executable (PIE) ELF binaries.
144 Randomize the stack location for 64-bit ELF binaries.
158 run-time linker.
175 knobs to control W^X policy enforcement for 32- and 64-bit processes.
179 .Bl -tag -width kern.elf64.allow_wx
181 Allow 32-bit processes to map pages simultaneously writable and executable.
183 Allow 64-bit processes to map pages simultaneously writable and executable.
203 .Ss Relocation Read-Only (RELRO)
204 Relocation Read-Only (RELRO) is a mitigation tool that makes certain portions
205 of a program's address space that contain ELF metadata read-only, after
212 In this case the Procedure Linkage Table (PLT)-related part of the
219 build-time option
226 build-time option causes binaries to be built with the
229 The run-time loader
238 The entire GOT (.got and .got.plt) are made read-only at program startup,
249 In userland, SSP adds a per-process randomized canary at the end of every stack
258 option to enable per-thread randomized canaries.
270 .Fl fstack-protector-strong
272 .Fl fstack-clash-protection
275 .Fl fstack-protector
280 implementation is supported up to level 2 by defining
293 .Pa /etc/src-env.conf
301 .Bl -column -offset indent "snprintf()" "memmove()" "strncpy()" "vsnprintf()" "readlink()"
323 This effectively provides finer-grained protection than SSP for some class of
327 .Ss Supervisor mode memory protection
329 pages accessible to userspace (non-privileged) code, while in a privileged
337 .Bl -column -offset indent "Architecture" "Feature" "Access Type Prevented"
344 .It riscv       Ta -     Ta Execute
348 There is no user-facing configuration.
358 notably CPU ones generally caused by detectable microarchitectural side-effects
377 .Pa sysutils/cpu-microcode
385 (e.g., CPU Simultaneous Multi-Threading).
387 helpful on out-of-support hardware or as complements for just-discovered
393 usual policy is to apply by default all OS-level mitigations that do
399 OS-level mitigations generally can have noticeable performance impacts on
420 .Po disabling Simultaneous Muti-Threading
425 According to the vulnerability's discoverer, all Zen2-based processors are
432 .Pq AMD-SB-7008
434 .Dq Cross-Process Information Leak
439 The only readily-applicable fix mentioned by the discoverer is to set a bit of
446 microcode updates have been actually released and community-tested.
448 .Bl -tag -width indent
450 A read-write integer tunable and sysctl indicating whether the mitigation should
455 Note that this setting is silently ignored when running on non-Zen2 processors
458 A read-only string indicating the current mitigation state.
461 if the processor is not Zen2-based,