Lines Matching +full:multi +full:- +full:processors
1 .\"-
2 .\" SPDX-License-Identifier: BSD-2-Clause
42 Some of these mitigations have run-time controls to enable them on a global
43 or per-process basis, some are optionally enabled or disabled at compile time,
48 .Bl -bullet -compact
58 Relocation Read-Only (RELRO)
107 ASLR can be enabled on both a global and per-process basis.
110 knobs for 32- and 64-bit processes.
111 It can be enabled or disabled on a per-process basis via
117 Global controls for 32-bit processes:
118 .Bl -tag -width kern.elf32.aslr.pie_enable
120 Enable ASLR for 32-bit ELF binaries, other than Position Independent
123 Enable ASLR for 32-bit Position Independent Executable (PIE) ELF binaries.
129 Randomize the stack location for 32-bit ELF binaries.
132 Global controls for 64-bit processes:
133 .Bl -tag -width kern.elf64.aslr.pie_enable
135 Enable ASLR for 64-bit ELF binaries, other than Position Independent
138 Enable ASLR for 64-bit Position Independent Executable (PIE) ELF binaries.
144 Randomize the stack location for 64-bit ELF binaries.
158 run-time linker.
175 knobs to control W^X policy enforcement for 32- and 64-bit processes.
179 .Bl -tag -width kern.elf64.allow_wx
181 Allow 32-bit processes to map pages simultaneously writable and executable.
183 Allow 64-bit processes to map pages simultaneously writable and executable.
190 -specific extension to
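The allow_wx knobs above decide whether the kernel will grant a mapping that is writable and executable at the same time. The C program below is an added example, not code from the FreeBSD source tree or from mitigations(7): it probes the policy in effect for the running process by requesting one RWX anonymous mapping, then demonstrates the W^X-compatible pattern of writing to a page while it is read-write and switching it to read-execute before use, confirming with a SIGSEGV/SIGBUS handler that the flipped page really rejects stores. It does not assume a particular errno for the refusal; whatever the kernel returns is reported.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* errno from the last refused RWX mmap(), kept for reporting only */
int last_rwx_errno = 0;

/* Probe the W^X policy: ask for one anonymous mapping that is readable,
 * writable and executable at once.
 * Returns 1 if the kernel grants it, 0 if mmap() refuses (errno saved). */
int rwx_mapping_allowed(void)
{
    size_t sz = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, sz, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED) {
        last_rwx_errno = errno;
        return 0;
    }
    munmap(p, sz);
    return 1;
}

static sigjmp_buf fault_env;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);   /* back to the sigsetjmp() below */
}

/* The W^X-compatible way to produce executable memory: fill the page while
 * it is RW, then mprotect() it to RX so it is never W and X together.
 * After the flip, attempt one more store and catch the resulting fault.
 * Returns 1 if the RX page rejected the write (expected), 0 if the write
 * silently succeeded, -1 if mapping or mprotect() failed. */
int rx_page_rejects_write(void)
{
    size_t sz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, sz, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return -1;

    /* Constructed byte pattern written while the page is still writable.
     * Nothing here is ever executed; a real JIT would emit code at this point. */
    memset(p, 0xc3, sz);

    /* Drop PROT_WRITE and gain PROT_EXEC in a single step. */
    if (mprotect(p, sz, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, sz);
        return -1;
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int rejected;
    if (sigsetjmp(fault_env, 1) == 0) {
        *(volatile unsigned char *)p = 0x90;   /* must fault: page is RX */
        rejected = 0;
    } else {
        rejected = 1;                          /* handler jumped back here */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(p, sz);
    return rejected;
}

int main(void)
{
    if (rwx_mapping_allowed() == 1)
        printf("RWX mapping granted: W^X is not enforced for this process\n");
    else
        printf("RWX mapping refused: %s\n", strerror(last_rwx_errno));
    printf("RX page rejects a later write: %s\n",
           rx_page_rejects_write() == 1 ? "yes" : "no");
    return 0;
}
```

On FreeBSD, run it with kern.elf64.allow_wx toggled, or under proccontrol(1)'s wxmap mode, to watch the first probe flip between granted and refused; the second probe should report "yes" regardless, since RW-then-RX is the pattern W^X is designed to permit.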
203 .Ss Relocation Read-Only (RELRO)
204 Relocation Read-Only (RELRO) is a mitigation tool that makes certain portions
205 of a program's address space that contain ELF metadata read-only, after
212 In this case the Procedure Linkage Table (PLT)-related part of the
219 build-time option
226 build-time option causes binaries to be built with the
229 The run-time loader
238 The entire GOT (.got and .got.plt) is made read-only at program startup,
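A quick way to confirm that a binary really has the layout the RELRO description above relies on is to look for a PT_GNU_RELRO program header and, for the full variant where the whole GOT is read-only at startup, a BIND_NOW flag in the dynamic section. The C program below is an added example and not part of mitigations(7) or the FreeBSD toolchain: relro_status() classifies an ELF64 little-endian image held in memory, main() applies it to a file named on the command line, and check_constructed() exercises it on a synthetic, non-loadable ELF image built in memory (constructed here only so the example runs without a real binary).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __FreeBSD__
#include <sys/elf.h>
#else
#include <elf.h>
#endif

/* Classify the RELRO state of an ELF64 little-endian image held in memory.
 * Returns -1 if it is not such an ELF or is truncated,
 *          0 if there is no PT_GNU_RELRO segment,
 *          1 for partial RELRO (PT_GNU_RELRO without BIND_NOW),
 *          2 for full RELRO (PT_GNU_RELRO plus DT_BIND_NOW/DF_BIND_NOW/DF_1_NOW). */
int relro_status(const unsigned char *buf, size_t len)
{
    if (len < sizeof(Elf64_Ehdr) || memcmp(buf, ELFMAG, SELFMAG) != 0)
        return -1;
    Elf64_Ehdr eh;
    memcpy(&eh, buf, sizeof eh);                 /* memcpy: no alignment assumptions */
    if (eh.e_ident[EI_CLASS] != ELFCLASS64 || eh.e_ident[EI_DATA] != ELFDATA2LSB)
        return -1;
    if (eh.e_phentsize != sizeof(Elf64_Phdr) || eh.e_phoff > len ||
        (size_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff)
        return -1;                               /* program header table out of bounds */

    int have_relro = 0, bind_now = 0;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_RELRO)
            have_relro = 1;
        if (ph.p_type != PT_DYNAMIC)
            continue;
        if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset)
            return -1;                           /* dynamic section out of bounds */
        for (size_t j = 0; j < ph.p_filesz / sizeof(Elf64_Dyn); j++) {
            Elf64_Dyn d;
            memcpy(&d, buf + ph.p_offset + j * sizeof d, sizeof d);
            if (d.d_tag == DT_NULL)
                break;
            if (d.d_tag == DT_BIND_NOW ||
                (d.d_tag == DT_FLAGS && (d.d_un.d_val & DF_BIND_NOW)) ||
                (d.d_tag == DT_FLAGS_1 && (d.d_un.d_val & DF_1_NOW)))
                bind_now = 1;
        }
    }
    return !have_relro ? 0 : (bind_now ? 2 : 1);
}

/* Build a constructed, minimal, non-loadable ELF64 image: an ELF header, a
 * PT_DYNAMIC segment and optionally a PT_GNU_RELRO segment and a DT_FLAGS
 * entry carrying DF_BIND_NOW.  Returns bytes written, 0 if cap is too small. */
size_t build_constructed_elf(unsigned char *out, size_t cap, int with_relro, int with_bind_now)
{
    unsigned nph = with_relro ? 2u : 1u;
    size_t phoff = sizeof(Elf64_Ehdr);
    size_t dynoff = phoff + nph * sizeof(Elf64_Phdr);
    size_t ndyn = with_bind_now ? 2u : 1u;        /* flags entry + DT_NULL */
    size_t total = dynoff + ndyn * sizeof(Elf64_Dyn);
    if (cap < total)
        return 0;
    memset(out, 0, total);                        /* trailing DT_NULL comes from this */

    Elf64_Ehdr eh;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_DYN;
    eh.e_machine = EM_X86_64;
    eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh;
    eh.e_phoff = phoff;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = nph;
    memcpy(out, &eh, sizeof eh);

    Elf64_Phdr ph;
    memset(&ph, 0, sizeof ph);
    ph.p_type = PT_DYNAMIC;
    ph.p_offset = dynoff;
    ph.p_filesz = ndyn * sizeof(Elf64_Dyn);
    memcpy(out + phoff, &ph, sizeof ph);
    if (with_relro) {                             /* real linkers point this at .got etc. */
        ph.p_type = PT_GNU_RELRO;
        memcpy(out + phoff + sizeof ph, &ph, sizeof ph);
    }
    if (with_bind_now) {
        Elf64_Dyn d;
        memset(&d, 0, sizeof d);
        d.d_tag = DT_FLAGS;
        d.d_un.d_val = DF_BIND_NOW;
        memcpy(out + dynoff, &d, sizeof d);
    }
    return total;
}

/* Run the classifier over a constructed image: 0 none, 1 partial, 2 full. */
int check_constructed(int with_relro, int with_bind_now)
{
    unsigned char img[512];
    size_t n = build_constructed_elf(img, sizeof img, with_relro, with_bind_now);
    return n ? relro_status(img, n) : -1;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "no RELRO", "partial RELRO", "full RELRO" };
    if (argc < 2) {
        printf("constructed images: none=%d relro=%d relro+bindnow=%d\n",
               check_constructed(0, 0), check_constructed(1, 0), check_constructed(1, 1));
        return 0;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f || fseek(f, 0, SEEK_END) != 0) { perror(argv[1]); return 1; }
    long sz = ftell(f);
    unsigned char *buf = sz > 0 ? malloc((size_t)sz) : NULL;
    int s = -1;
    if (buf && fseek(f, 0, SEEK_SET) == 0 && fread(buf, 1, (size_t)sz, f) == (size_t)sz)
        s = relro_status(buf, (size_t)sz);
    fclose(f);
    free(buf);
    printf("%s: %s\n", argv[1], s < 0 ? "not a little-endian ELF64 / unreadable" : names[s]);
    return s < 0;
}
```

Pointing it at a binary built with WITH_BIND_NOW should report "full RELRO"; a binary that has PT_GNU_RELRO but lazily binds its PLT (the partial case described above) reports "partial RELRO", and its .got.plt stays writable for the life of the process.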
250 In userland, SSP adds a per-process randomized canary at the end of every stack
259 option to enable per-thread randomized canaries.
271 .Fl fstack-protector-strong
273 .Fl fstack-clash-protection
276 .Fl fstack-protector
294 .Pa /etc/src-env.conf
302 .Bl -column -offset indent "snprintf()" "memmove()" "strncpy()" "vsnprintf()" "readlink()"
324 This effectively provides finer-grained protection than SSP for some classes of
329 Certain processors include features that prevent unintended access to memory
330 pages accessible to userspace (non-privileged) code, while in a privileged
338 .Bl -column -offset indent "Architecture" "Feature" "Access Type Prevented"
345 .It riscv Ta - Ta Execute
349 There is no user-facing configuration.
359 notably CPU ones generally caused by detectable microarchitectural side-effects
378 .Pa sysutils/cpu-microcode
386 (e.g., CPU Simultaneous Multi-Threading).
388 helpful on out-of-support hardware or as complements for just-discovered
394 usual policy is to apply by default all OS-level mitigations that do
400 OS-level mitigations generally can have noticeable performance impacts on
412 vulnerability exclusively affects AMD processors based on the Zen2
421 .Po disabling Simultaneous Multi-Threading
426 According to the vulnerability's discoverer, all Zen2-based processors are
433 .Pq AMD-SB-7008
435 .Dq Cross-Process Information Leak
437 to manufacturers no sooner than the end of 2023, except for Rome processors for
440 The only readily-applicable fix mentioned by the discoverer is to set a bit of
444 currently sets this bit by default on all Zen2 processors.
445 In the future, it might set it by default only on those Zen2 processors whose
447 microcode updates have been actually released and community-tested.
449 .Bl -tag -width indent
451 A read-write integer tunable and sysctl indicating whether the mitigation should
456 Note that this setting is silently ignored when running on non-Zen2 processors
459 A read-only string indicating the current mitigation state.
462 if the processor is not Zen2-based,