Lines Matching +full:performance +full:- +full:affecting
1 .\"-
2 .\" SPDX-License-Identifer: BSD-2-Clause
42 Some of these mitigations have run-time controls to enable them on a global
43 or per-process basis, some are optionally enabled or disabled at compile time,
48 .Bl -bullet -compact
58 Relocation Read-Only (RELRO)
107 ASLR can be enabled on both a global and per-process basis.
110 knobs for 32- and 64-bit processes.
111 It can be enabled or disabled on a per-process basis via
117 Global controls for 32-bit processes:
118 .Bl -tag -width kern.elf32.aslr.pie_enable
120 Enable ASLR for 32-bit ELF binaries, other than Position Independent
123 Enable ASLR for 32-bit Position Independent Executable (PIE) ELF binaries.
129 Randomize the stack location for 32-bit ELF binaries.
132 Global controls for 64-bit processes:
133 .Bl -tag -width kern.elf64.aslr.pie_enable
135 Enable ASLR for 64-bit ELF binaries, other than Position Independent
138 Enable ASLR for 64-bit Position Independent Executable (PIE) ELF binaries.
144 Randomize the stack location for 64-bit ELF binaries.
158 run-time linker.
175 knobs to control W^X policy enforcement for 32- and 64-bit processes.
179 .Bl -tag -width kern.elf64.allow_wx
181 Allow 32-bit processes to map pages simultaneously writable and executable.
183 Allow 64-bit processes to map pages simultaneously writable and executable.
190 -specific extension to
203 .Ss Relocation Read-Only (RELRO)
204 Relocation Read-Only (RELRO) is a mitigation tool that makes certain portions
205 of a program's address space that contain ELF metadata read-only, after
212 In this case the Procedure Linkage Table (PLT)-related part of the
219 build-time option
226 build-time option causes binaries to be built with the
229 The run-time loader
238 The entire GOT (.got and .got.plt) is made read-only at program startup,
250 In userland, SSP adds a per-process randomized canary at the end of every stack
259 option to enable per-thread randomized canaries.
271 .Fl fstack-protector-strong
273 .Fl fstack-clash-protection
276 .Fl fstack-protector
294 .Pa /etc/src-env.conf
302 .Bl -column -offset indent "snprintf()" "memmove()" "strncpy()" "vsnprintf()" "readlink()"
324 This effectively provides finer-grained protection than SSP for some class of
330 pages accessible to userspace (non-privileged) code, while in a privileged
338 .Bl -column -offset indent "Architecture" "Feature" "Access Type Prevented"
345 .It riscv Ta - Ta Execute
349 There is no user-facing configuration.
359 notably CPU ones generally caused by detectable microarchitectural side-effects
378 .Pa sysutils/cpu-microcode
386 (e.g., CPU Simultaneous Multi-Threading).
388 helpful on out-of-support hardware or as complements for just-discovered
394 usual policy is to apply by default all OS-level mitigations that do
398 or those that are extremely detrimental to performance in proportion to the
400 OS-level mitigations generally can have noticeable performance impacts on
403 order to possibly get better performance.
416 bug affecting the CPU's architectural state.
421 .Po disabling Simultaneous Multi-Threading
426 According to the vulnerability's discoverer, all Zen2-based processors are
433 .Pq AMD-SB-7008
435 .Dq Cross-Process Information Leak
440 The only readily-applicable fix mentioned by the discoverer is to set a bit of
447 microcode updates have been actually released and community-tested.
449 .Bl -tag -width indent
451 A read-write integer tunable and sysctl indicating whether the mitigation should
456 Note that this setting is silently ignored when running on non-Zen2 processors
459 A read-only string indicating the current mitigation state.
462 if the processor is not Zen2-based,
478 The performance impact and threat models related to these mitigations