For starters, I'm going to link to
Which currently has:
noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off
These are obviously some options you can pass to the Kernel (such as via bootloader / Grub: https://wiki.ubuntu.com/Kernel/KernelBootParameters). If you want to make kernel config file changes, you will need to investigate, as there doesn't seem to be a simple guide for this yet (see below). This is what I was referring to in the intro post. There are MULTIPLE changes you have to make. And the options are changed with every new vulnerability, so it's not as simple as one flag.
Perhaps the installation guides should touch upon this subject...
Regarding Kernel config options, one possible approach would be to run this script:
and review what you have been patched against. Then investigate the shell script. I looked briefly, and the script appears to have distinct functions for all CVEs / vulnerabilities, so if you are patched for one, look at that function in the script. It includes a lookup for configs, so there are various kernel flags there such as CONFIG_RETPOLINE, CONFIG_PAGE_TABLE_ISOLATION, CONFIG_KAISER, CONFIG_HARDEN_BRANCH_PREDICTOR, etc.
If someone goes through this process it would be helpful to leave a list of what flags you changed.
5/17/19 - Post edited to include details on searching for kernel flags
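As an added example (not from the post or the script it refers to), here is a small POSIX shell audit that checks a kernel command line for the mitigation-disabling parameters listed above and checks a kernel config file for the CONFIG_ symbols the post names. The command line and config contents below are constructed sample data; on a real host you would pass "$(cat /proc/cmdline)" and /boot/config-$(uname -r) instead.

```shell
#!/bin/sh
# Audit whether CPU-vulnerability mitigations have been switched off via boot
# parameters, or built out via kernel configuration. Sample inputs below are
# constructed so the script runs offline; substitute real data to audit a host.

# Boot parameters from the post that weaken or disable mitigations.
DISABLE_PARAMS="noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off \
nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off"

# Config symbols the post mentions; a mitigated build is expected to have them =y.
WANT_CONFIGS="CONFIG_RETPOLINE CONFIG_PAGE_TABLE_ISOLATION CONFIG_HARDEN_BRANCH_PREDICTOR"

# Print (space-separated) each disabling parameter present in the given cmdline.
# Usage: cmdline_disabled "<kernel command line>"
cmdline_disabled() {
    cmdline="$1"
    found=""
    for p in $DISABLE_PARAMS; do
        for word in $cmdline; do
            [ "$word" = "$p" ] && found="$found $p"
        done
    done
    printf '%s\n' "${found# }"
}

# Print (space-separated) each wanted config symbol that is not set to y.
# Usage: config_missing /path/to/kernel/config
config_missing() {
    cfg="$1"
    missing=""
    for c in $WANT_CONFIGS; do
        grep -qx "$c=y" "$cfg" || missing="$missing $c"
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample data: a cmdline that disables PTI and the Spectre v2
# mitigation, and a config with retpolines on but page-table isolation built out.
SAMPLE_CMDLINE="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro nopti nospectre_v2 quiet"
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
printf 'CONFIG_RETPOLINE=y\n# CONFIG_PAGE_TABLE_ISOLATION is not set\nCONFIG_HARDEN_BRANCH_PREDICTOR=y\n' > "$SAMPLE_CONFIG"

echo "Mitigation-disabling boot params: $(cmdline_disabled "$SAMPLE_CMDLINE")"
echo "Config symbols not set to y:      $(config_missing "$SAMPLE_CONFIG")"
```

The authoritative runtime view is still /sys/devices/system/cpu/vulnerabilities/*, which reports what the running kernel actually applied; this script only shows what was requested on the command line and what the build allowed.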