Tex*_*gan 6 security grub2 intel microcode logwatch
The error message says to check:
For more details, see https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html .
But I'm not 100% sure how to fix it.
I looked at /etc/default/intel-microcode and found this:
# Configuration script for intel-microcode version 3
#
# initramfs helper
#
# Set this to "no" to disable automatic microcode updates on boot;
# Set this to "auto" to use early initramfs mode automatically (default);
# Set this to "early" to always attempt to create an early initramfs;
# IUCODE_TOOL_INITRAMFS=auto
# Set this to "yes" (default) to use "iucode_tool --scan-system" to reduce
# the initramfs size bloat, by detecting which Intel processors are active
# in this system, and installing only their microcodes.
#
# Set this to "no" to either include all microcodes, or only the microcodes
# selected through the use of IUCODE_TOOL_EXTRA_OPTIONS below.
#
# WARNING: including all microcodes will increase initramfs size greatly.
# This can cause boot issues if the initramfs is already large.
# IUCODE_TOOL_SCANCPUS=yes
# Extra options to pass to iucode_tool, useful to forbid or to
# force the inclusion of microcode for specific processor signatures.
# See iucode_tool(8) for details.
#IUCODE_TOOL_EXTRA_OPTIONS=""
I changed it to this:
# Configuration script for intel-microcode version 3
#
# initramfs helper
#
# Set this to "no" to disable automatic microcode updates on boot;
# Set this to "auto" to use early initramfs mode automatically (default);
# Set this to "early" to always attempt to create an early initramfs;
IUCODE_TOOL_INITRAMFS=auto
# Set this to "yes" (default) to use "iucode_tool --scan-system" to reduce
# the initramfs size bloat, by detecting which Intel processors are active
# in this system, and installing only their microcodes.
#
# Set this to "no" to either include all microcodes, or only the microcodes
# selected through the use of IUCODE_TOOL_EXTRA_OPTIONS below.
#
# WARNING: including all microcodes will increase initramfs size greatly.
# This can cause boot issues if the initramfs is already large.
IUCODE_TOOL_SCANCPUS=yes
# Extra options to pass to iucode_tool, useful to forbid or to
# force the inclusion of microcode for specific processor signatures.
# See iucode_tool(8) for details.
#IUCODE_TOOL_EXTRA_OPTIONS=""
Before that, I had turned off hyperthreading in the BIOS and also changed the setting in /etc/default/grub to:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash maxcpus=6"
because my machine has six physical CPUs.
Note: undo your previous edits to /etc/default/intel-microcode and /etc/default/grub.
Mitigation control on the kernel command line
The kernel command line allows control of the MDS mitigations at boot time with the option "mds=". The valid arguments for this option are:
full
If the CPU is vulnerable, enable all available mitigations for the MDS vulnerability: CPU buffer clearing on exit to userspace and when entering a VM. Idle transitions are protected as well if SMT is enabled.
It does not automatically disable SMT.
full,nosmt
The same as mds=full, with SMT disabled on vulnerable CPUs. This is the complete mitigation.
off
Disables MDS mitigations completely.
sudo -H gedit /etc/default/grub
Change:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
to:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash mds=full,nosmt"
Save the file and exit gedit.
sudo update-grub
reboot
Note: be aware that on multi-CPU or multi-core configurations your performance will take a huge hit.
Note: if the performance loss is too great, try mds=full instead of mds=full,nosmt.
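As an added example (not part of the original question or answer), here is a POSIX shell script for checking the result after the reboot: it classifies the MDS status string that the kernel exposes under /sys/devices/system/cpu/vulnerabilities/mds and reports which mds= option the running kernel was actually booted with. The status strings it recognises are the ones documented in the kernel's mds.html page linked in the question; the function names mds_classify and mds_cmdline_opt are my own.

```shell
#!/bin/sh
# Added example, not from the original answer: verify the MDS mitigation state
# after editing /etc/default/grub and rebooting. Status string formats follow
# the kernel's admin-guide/hw-vuln/mds.html.

# mds_classify STATUS -> prints one of: not-affected, mitigated, partial, vulnerable
mds_classify() {
    status="$1"
    case "$status" in
        "Not affected")
            echo not-affected ;;
        "Mitigation: Clear CPU buffers; SMT disabled"|"Mitigation: Clear CPU buffers; SMT mitigated")
            # Buffers are cleared and SMT is either off or itself mitigated:
            # this is what mds=full,nosmt (or a no-SMT BIOS) should produce.
            echo mitigated ;;
        "Mitigation: Clear CPU buffers"*)
            # Buffers are cleared but SMT is still vulnerable (mds=full with SMT on)
            # or the SMT state is unknown inside a VM.
            echo partial ;;
        *)
            # "Vulnerable", "Vulnerable: Clear CPU buffers attempted, no microcode", etc.
            echo vulnerable ;;
    esac
}

# mds_cmdline_opt CMDLINE -> prints the value given to mds=, or "unset"
mds_cmdline_opt() {
    opt=unset
    for word in $1; do          # intentional word splitting of the command line
        case "$word" in
            mds=*) opt="${word#mds=}" ;;
        esac
    done
    echo "$opt"
}

# Report on the live system when the sysfs file is present (Linux with the
# vulnerabilities interface); otherwise the functions are simply defined.
if [ -r /sys/devices/system/cpu/vulnerabilities/mds ]; then
    live=$(cat /sys/devices/system/cpu/vulnerabilities/mds)
    echo "mds status : $live -> $(mds_classify "$live")"
    echo "mds= option: $(mds_cmdline_opt "$(cat /proc/cmdline)")"
    if [ "$(mds_classify "$live")" = vulnerable ]; then
        echo "microcode may be missing; check that intel-microcode is installed and in the initramfs"
    fi
fi
```

The distinction between "mitigated" and "partial" is the one the answer's two notes turn on: mds=full alone leaves "SMT vulnerable" in the status line when hyperthreading is still enabled, while mds=full,nosmt (or disabling hyperthreading in the BIOS, as the questioner did) yields "SMT disabled".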