Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Guide to the Secure Configuration of Fedora
System Settings
Kernel Configuration
Emulate Privileged Access Never (PAN)
Emulate Privileged Access Never (PAN)
An XCCDF Rule
Details
Profiles
Prose
Emulate Privileged Access Never (PAN)
Medium Severity
Enabling this option prevents the kernel from accessing user-space memory directly by pointing TTBR0_EL1 to a reserved zeroed area and reserved ASID. The user access routines restore the valid TTBR0_EL1 temporarily. This configuration is available from kernel 4.10, but may be available if backported by distros. The configuration that was used to build kernel is available at
/boot/config-*
. To check the configuration value for
CONFIG_ARM64_SW_TTBR0_PAN
, run the following command:
grep CONFIG_ARM64_SW_TTBR0_PAN /boot/config-*
For each kernel installed, a line with value "y" should be returned.