Unmap kernel when running in userspace (aka KAISER)
An XCCDF Rule
Description
Speculation attacks against some high-performance processors can be used to bypass MMU
permission checks and leak kernel data to userspace. This can be defended against by unmapping
the kernel when running in userspace, mapping it back in on exception entry via a trampoline
page in the vector table.
This configuration is available from kernel 4.16, but may be available if backported
by distros.
The configuration that was used to build the kernel is available at /boot/config-*.
To check the configuration value for CONFIG_UNMAP_KERNEL_AT_EL0, run the following command:
grep CONFIG_UNMAP_KERNEL_AT_EL0 /boot/config-*
For each kernel installed, a line with value "y" should be returned.
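The manual grep above only shows raw lines; an auditor also has to notice a kernel whose config says "# CONFIG_UNMAP_KERNEL_AT_EL0 is not set", a kernel whose config lacks the option entirely (older than 4.16 without a backport), or a /boot with no config files at all. The following script is an added example, not part of this rule or of the SCAP Security Guide: it walks every config-* file in a directory, classifies each of those cases, and returns non-zero unless every installed kernel has the option set to y. The function name check_unmap_el0 and the sample config files it creates under a temporary directory are constructed for this example; on a real system you would call it on /boot. Note that CONFIG_UNMAP_KERNEL_AT_EL0 is the arm64 Kconfig symbol; x86 kernels express the same mitigation as CONFIG_PAGE_TABLE_ISOLATION.

```shell
#!/bin/sh
# Added example (not SSG code): evaluate CONFIG_UNMAP_KERNEL_AT_EL0 in every
# kernel config under a directory, one verdict line per file.
# Usage: check_unmap_el0 DIR   -> exit 0 only if every config-* has the option =y
check_unmap_el0() {
    dir="$1"
    status=0
    found=0
    for cfg in "$dir"/config-*; do
        [ -e "$cfg" ] || continue          # glob matched nothing: handled below
        found=1
        # Anchor at line start so CONFIG_UNMAP_KERNEL_AT_EL0_FOO would not match.
        val=$(grep -E '^CONFIG_UNMAP_KERNEL_AT_EL0=' "$cfg" | cut -d= -f2)
        if [ "$val" = "y" ]; then
            echo "PASS $cfg"
        elif grep -q '^# CONFIG_UNMAP_KERNEL_AT_EL0 is not set' "$cfg"; then
            echo "FAIL $cfg (option explicitly disabled)"
            status=1
        elif [ -z "$val" ]; then
            echo "FAIL $cfg (option absent: kernel older than 4.16 without backport, or not arm64)"
            status=1
        else
            echo "FAIL $cfg (unexpected value '$val')"
            status=1
        fi
    done
    if [ "$found" -ne 1 ]; then
        echo "FAIL no config-* files found in $dir"
        return 1
    fi
    return "$status"
}

# Constructed sample configs in a temporary directory so the check runs
# without touching a real /boot. One compliant kernel, one with the option off.
demo_dir=$(mktemp -d)
printf 'CONFIG_ARM64=y\nCONFIG_UNMAP_KERNEL_AT_EL0=y\n' > "$demo_dir/config-5.10.0-demo"
printf 'CONFIG_ARM64=y\n# CONFIG_UNMAP_KERNEL_AT_EL0 is not set\n' > "$demo_dir/config-4.14.0-demo"
if check_unmap_el0 "$demo_dir"; then
    echo "all installed kernels compliant"
else
    echo "at least one installed kernel is non-compliant"
fi
rm -rf "$demo_dir"
# On a real host: check_unmap_el0 /boot
```

The per-file verdict matters because the rule requires the value for each kernel installed: a host that has upgraded to a compliant kernel but still offers an older one in the boot menu fails until the old kernel is removed or its config is otherwise verified.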
Rationale
This is a countermeasure to the Meltdown attack.
- ID: xccdf_org.ssgproject.content_rule_kernel_config_unmap_kernel_at_el0
- Severity: Medium
- References
- Updated