Enable randomization of the page allocator in zIPL

An XCCDF Rule

Description

To enable the randomization of the page allocator in the kernel, check that all boot entries in /boot/loader/entries/*.conf have page_alloc.shuffle=1 included in its options.
To enable randomization of the page allocator also for newly installed kernels, add page_alloc.shuffle=1 to /etc/kernel/cmdline.

Rationale

The CONFIG_SHUFFLE_PAGE_ALLOCATOR config option is primarily focused on improving the average utilization of a direct-mapped memory-side-cache. Aside of this performance effect, it also reduces predictability of page allocations in situations when the bad actor can crash the system and somehow leverage knowledge of (page) allocation order right after a fresh reboot, or can control the timing between a hot-pluggable memory node (as in NUMA node) and applications allocating memory ouf of that node. The page_alloc.shuffle=1 kernel command line parameter then forces this functionality irrespectively of memory cache architecture.

ID: xccdf_org.ssgproject.content_rule_zipl_page_alloc_shuffle_argument
Severity: Medium
References: CCE-85880-3
Updated: about 1 year ago

- name: Ensure BLS boot entries options contain page_alloc.shuffle=1
  block:

  - name: 'Check how many boot entries exist '
    find:
      paths: /boot/loader/entries/      patterns: '*.conf'
    register: n_entries

  - name: Check how many boot entries set page_alloc.shuffle=1
    find:
      paths: /boot/loader/entries/
      contains: ^options .*page_alloc.shuffle=1.*$
      patterns: '*.conf'
    register: n_entries_options

  - name: Update boot entries options
    command: grubby --update-kernel=ALL --args="page_alloc.shuffle=1"
    when: n_entries is defined and n_entries_options is defined and n_entries.matched
      != n_entries_options.matched

  - name: Check if /etc/kernel/cmdline exists
    stat:
      path: /etc/kernel/cmdline
    register: cmdline_stat

  - name: Check if /etc/kernel/cmdline contains page_alloc.shuffle=1
    find:
      paths: /etc/kernel/
      patterns: cmdline
      contains: ^.*page_alloc.shuffle=1.*$
    register: cmdline_find

  - name: Add /etc/kernel/cmdline contains page_alloc.shuffle=1
    lineinfile:
      create: true
      path: /etc/kernel/cmdline
      line: page_alloc.shuffle=1
    when: cmdline_stat is defined and not cmdline_stat.stat.exists

  - name: Append /etc/kernel/cmdline contains page_alloc.shuffle=1
    lineinfile:
      path: /etc/kernel/cmdline
      backrefs: true
      regexp: ^(.*)$
      line: \1 page_alloc.shuffle=1
    when: cmdline_stat is defined and cmdline_stat.stat.exists and cmdline_find is
      defined and cmdline_find.matched == 0
  when:
  - ansible_architecture == "s390x"
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-85880-3
  - configure_strategy
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - zipl_page_alloc_shuffle_argument

# Remediation is applicable only in certain platforms
if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Correct BLS option using grubby, which is a thin wrapper around BLS operations
grubby --update-kernel=ALL --args="page_alloc.shuffle=1"
# Ensure new kernels and boot entries retain the boot option
if [ ! -f /etc/kernel/cmdline ]; then
    echo "page_alloc.shuffle=1" > /etc/kernel/cmdline
elif ! grep -q '^(.*\s)?page_alloc.shuffle=1(\s.*)?$' /etc/kernel/cmdline; then
    
    sed -Ei 's/^(.*)$/\1 page_alloc.shuffle=1/' /etc/kernel/cmdline
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable randomization of the page allocator in zIPL

Description

Rationale

Remediation - Ansible

Remediation - Shell Script