Lines Matching +full:system +full:- +full:firmware

1 .\"-
2 .\" SPDX-License-Identifer: BSD-2-Clause
41 vulnerabilities and protect the system from malicious attacks.
42 Some of these mitigations have run-time controls to enable them on a global
43 or per-process basis, some are optionally enabled or disabled at compile time,
48 .Bl -bullet -compact
58 Relocation Read-Only (RELRO)
68 Firmware and Microcode
76 version and system configuration.
91 to enhance the overall security of the operating system.
98 that works by randomizing the memory addresses where system and application
107 ASLR can be enabled on both a global and per-process basis.
110 knobs for 32- and 64-bit processes.
111 It can be enabled or disabled on a per-process basis via
117 Global controls for 32-bit processes:
118 .Bl -tag -width kern.elf32.aslr.pie_enable
120 Enable ASLR for 32-bit ELF binaries, other than Position Independent
123 Enable ASLR for 32-bit Position Independent Executable (PIE) ELF binaries.
129 Randomize the stack location for 32-bit ELF binaries.
132 Global controls for 64-bit processes:
133 .Bl -tag -width kern.elf64.aslr.pie_enable
135 Enable ASLR for 64-bit ELF binaries, other than Position Independent
138 Enable ASLR for 64-bit Position Independent Executable (PIE) ELF binaries.
144 Randomize the stack location for 64-bit ELF binaries.
158 run-time linker.
163 the security of the system by controlling memory access permissions.
175 knobs to control W^X policy enforcement for 32- and 64-bit processes.
179 .Bl -tag -width kern.elf64.allow_wx
181 Allow 32-bit processes to map pages simultaneously writable and executable.
183 Allow 64-bit processes to map pages simultaneously writable and executable.
190 -specific extension to
203 .Ss Relocation Read-Only (RELRO)
204 Relocation Read-Only (RELRO) is a mitigation tool that makes certain portions
205 of a program's address space that contain ELF metadata read-only, after
212 In this case the Procedure Linkage Table (PLT)-related part of the
219 build-time option
226 build-time option causes binaries to be built with the
229 The run-time loader
238 The entire GOT (.got and .got.plt) is made read-only at program startup,
250 In userland, SSP adds a per-process randomized canary at the end of every stack
259 option to enable per-thread randomized canaries.
271 .Fl fstack-protector-strong
273 .Fl fstack-clash-protection
276 .Fl fstack-protector
294 .Pa /etc/src-env.conf
302 .Bl -column -offset indent "snprintf()" "memmove()" "strncpy()" "vsnprintf()" "readlink()"
324 This effectively provides finer-grained protection than SSP for some classes of
325 function and system calls, along with some protection for buffers allocated as
330 pages accessible to userspace (non-privileged) code, while in a privileged
338 .Bl -column -offset indent "Architecture" "Feature" "Access Type Prevented"
345 .It riscv Ta - Ta Execute
349 There is no user-facing configuration.
357 .Ss Firmware and Microcode
359 notably CPU ones generally caused by detectable microarchitectural side-effects
363 releasing microcode updates, which may then be bundled into platform firmware
366 or packages to be updated by the operating system at boot time.
368 Platform firmware updates, if available from the manufacturer,
376 If platform firmware updates are no longer available,
378 .Pa sysutils/cpu-microcode
386 (e.g., CPU Simultaneous Multi-Threading).
388 helpful on out-of-support hardware or as complements for just-discovered
394 usual policy is to apply by default all OS-level mitigations that do
397 .Pq which sometimes requires firmware updates ,
400 OS-level mitigations generally can have noticeable performance impacts on
421 .Po disabling Simultaneous Multi-Threading
426 According to the vulnerability's discoverer, all Zen2-based processors are
433 .Pq AMD-SB-7008
435 .Dq Cross-Process Information Leak
436 indicating that platform firmware fixing the vulnerability will be distributed
440 The only readily-applicable fix mentioned by the discoverer is to set a bit of
447 microcode updates have been actually released and community-tested.
449 .Bl -tag -width indent
451 A read-write integer tunable and sysctl indicating whether the mitigation should
456 Note that this setting is silently ignored when running on non-Zen2 processors
459 A read-only string indicating the current mitigation state.
462 if the processor is not Zen2-based,
481 system.