Configure Speculative Store Bypass Mitigation

An XCCDF Rule

Description

Certain CPUs are vulnerable to an exploit against a common wide industry wide performance optimization known as Speculative Store Bypass (SSB). In such cases, recent stores to the same memory location cannot always be observed by later loads during speculative execution. However, such stores are unlikely and thus they can be detected prior to instruction retirement at the end of a particular speculation execution window. Since Linux Kernel 4.17 you can check the SSB mitigation state with the following command: cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass Select the appropriate SSB state by adding the argument spec_store_bypass_disable= to the default GRUB 2 command line for the Linux operating system. To ensure that spec_store_bypass_disable= is added as a kernel command line argument to newly installed kernels, add spec_store_bypass_disable= to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:

GRUB_CMDLINE_LINUX="... spec_store_bypass_disable= ..."

Run the following command to update command line for already installed kernels:

# grubby --update-kernel=ALL --args="spec_store_bypass_disable="

warning alert: Performance Warning

Disabling Speculative Store Bypass may impact performance of the system.

Rationale

In vulnerable processsors, the speculatively forwarded store can be used in a cache side channel attack. An example of this is reading memory to which the attacker does not directly have access, for example inside the sandboxed code.

ID: xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument
Severity: Medium
References: BP28(R8)
Updated: about 1 year ago

[customizations.kernel]
append = "spec_store_bypass_disable=<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options" use="legacy"/>"

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

var_spec_store_bypass_disable_options='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options" use="legacy"/>'


grubby --update-kernel=ALL --args=spec_store_bypass_disable=$var_spec_store_bypass_disable_options --env=/boot/grub2/grubenv

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - grub2_spec_store_bypass_disable_argument
  - low_disruption  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy
- name: XCCDF Value var_spec_store_bypass_disable_options # promote to variable
  set_fact:
    var_spec_store_bypass_disable_options: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options" use="legacy"/>
  tags:
    - always

- name: Update grub defaults and the bootloader menu
  command: /sbin/grubby --update-kernel=ALL --args="spec_store_bypass_disable={{ var_spec_store_bypass_disable_options
    }}"
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - grub2_spec_store_bypass_disable_argument
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy

Configure Speculative Store Bypass Mitigation

Description

Rationale

Remediation - OS Build Blueprint

Remediation - Shell Script

Remediation - Ansible