TODO(fxbug.dev/53594): move kernel_cmdline.md verbiage here
Provides entropy to be mixed into the kernel's CPRNG. The value must be a string of lowercase hexadecimal digits.
The original value will be scrubbed from memory as soon as possible and will be redacted from all diagnostic output.
Default: none
TODO(53594)
Default: false
If set, disables all speculative execution information leak mitigations.
If unset, the per-mitigation defaults will be used.
Default: true
MDS (Microarchitectural Data Sampling) is a family of speculative execution information leak bugs that allow the contents of recent loads or stores to be inferred by hostile code, regardless of privilege level (CVE-2019-11091, CVE-2018-12126, CVE-2018-12130, CVE-2018-12127). For example, this could allow user code to read recent kernel loads/stores.
To avoid this bug, it is required that all microarchitectural structures that could leak data be flushed on trust level transitions. Also, it is important that trust levels do not concurrently execute on a single physical processor core.
This option controls whether microarchitectual structures are flushed on the kernel to user exit path, if possible. It may have a negative performance impact.
Default: 0x2
Page table isolation configures user page tables to not have kernel text or data mapped. This may impact performance negatively. This is a mitigation for Meltdown (AKA CVE-2017-5754).
TODO(joshuaseaton): make this an enum instead of using magic integers.
Default: false
Spec-store-bypass (Spectre V4) is a speculative execution information leak vulnerability that affects many Intel and AMD x86 CPUs. It targets memory disambiguation hardware to infer the contents of recent stores. The attack only affects same-privilege-level, intra-process data.
This command line option controls whether a mitigation is enabled. The mitigation has negative performance impacts.
TODO: put something here