the GPE dispatcher.
This facility can be used to prevent such uncontrolled
GPE floodings.
--- - Format: <int>
+++ + Format: <byte>
acpi_no_auto_serialize [HW,ACPI]
Disable auto-serialization of AML methods
Format: {"off" | "on" | "skip[mbr]"}
efi= [EFI]
-- Format: { "old_map", "nochunk", "noruntime", "debug" }
++ Format: { "old_map", "nochunk", "noruntime", "debug",
++ "nosoftreserve" }
old_map [X86-64]: switch to the old ioremap-based EFI
runtime services mapping. 32-bit still uses this one by
default.
firmware implementations.
noruntime : disable EFI runtime services support
debug: enable misc debug output
++ nosoftreserve: The EFI_MEMORY_SP (Specific Purpose)
++ attribute may cause the kernel to reserve the
++ memory range for a memory mapping driver to
++ claim. Specify efi=nosoftreserve to disable this
++ reservation and treat the memory by its base type
++ (i.e. EFI_CONVENTIONAL_MEMORY / "System RAM").
efi_no_storage_paranoia [EFI; X86]
Using this parameter you can use more than 50% of
updating original EFI memory map.
Region of memory which aa attribute is added to is
from ss to ss+nn.
++
If efi_fake_mem=2G@4G:0x10000,2G@0x10a0000000:0x10000
is specified, EFI_MEMORY_MORE_RELIABLE(0x10000)
attribute is added to range 0x100000000-0x180000000 and
0x10a0000000-0x1120000000.
++ If efi_fake_mem=8G@9G:0x40000 is specified, the
++ EFI_MEMORY_SP(0x40000) attribute is added to
++ range 0x240000000-0x43fffffff.
++
Using this parameter you can do debugging of EFI memmap
-- related feature. For example, you can do debugging of
++ related features. For example, you can do debugging of
Address Range Mirroring feature even if your box
-- doesn't support it.
++ doesn't support it, or mark specific memory as
++ "soft reserved".
efivar_ssdt= [EFI; X86] Name of an EFI variable that contains an SSDT
that is to be dynamically loaded by Linux. If there are
KVM MMU at runtime.
Default is 0 (off)
+ kvm.nx_huge_pages=
+ [KVM] Controls the software workaround for the
+ X86_BUG_ITLB_MULTIHIT bug.
+ force : Always deploy workaround.
+ off : Never deploy workaround.
+ auto : Deploy workaround based on the presence of
+ X86_BUG_ITLB_MULTIHIT.
+
+ Default is 'auto'.
+
+ If the software workaround is enabled for the host,
+ guests do need not to enable it for nested guests.
+
+ kvm.nx_huge_pages_recovery_ratio=
+ [KVM] Controls how many 4KiB pages are periodically zapped
+ back to huge pages. 0 disables the recovery, otherwise if
+ the value is N KVM will zap 1/Nth of the 4KiB pages every
+ minute. The default is 60.
+
kvm-amd.nested= [KVM,AMD] Allow nested virtualization in KVM/SVM.
Default is 1 (enabled)
SMT on vulnerable CPUs
off - Unconditionally disable MDS mitigation
++ On TAA-affected machines, mds=off can be prevented by
++ an active TAA mitigation as both vulnerabilities are
++ mitigated with the same mechanism so in order to disable
++ this mitigation, you need to specify tsx_async_abort=off
++ too.
++
Not specifying this option is equivalent to
mds=full.
ssbd=force-off [ARM64]
l1tf=off [X86]
mds=off [X86]
+ tsx_async_abort=off [X86]
+ kvm.nx_huge_pages=off [X86]
+
+ Exceptions:
+ This does not have any effect on
+ kvm.nx_huge_pages when
+ kvm.nx_huge_pages=force.
auto (default)
Mitigate all CPU vulnerabilities, but leave SMT
be fully mitigated, even if it means losing SMT.
Equivalent to: l1tf=flush,nosmt [X86]
mds=full,nosmt [X86]
+ tsx_async_abort=full,nosmt [X86]
mminit_loglevel=
[KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this
[X86,PV_OPS] Disable paravirtualized VMware scheduler
clock and use the default one.
-- no-steal-acc [X86,KVM] Disable paravirtualized steal time accounting.
-- steal time is computed, but won't influence scheduler
-- behaviour
++ no-steal-acc [X86,KVM,ARM64] Disable paravirtualized steal time
++ accounting. steal time is computed, but won't
++ influence scheduler behaviour
nolapic [X86-32,APIC] Do not enable or use the local APIC.
interruptions from clocksource watchdog are not
acceptable).
+ tsx= [X86] Control Transactional Synchronization
+ Extensions (TSX) feature in Intel processors that
+ support TSX control.
+
+ This parameter controls the TSX feature. The options are:
+
+ on - Enable TSX on the system. Although there are
+ mitigations for all known security vulnerabilities,
+ TSX has been known to be an accelerator for
+ several previous speculation-related CVEs, and
+ so there may be unknown security risks associated
+ with leaving it enabled.
+
+ off - Disable TSX on the system. (Note that this
+ option takes effect only on newer CPUs which are
+ not vulnerable to MDS, i.e., have
+ MSR_IA32_ARCH_CAPABILITIES.MDS_NO=1 and which get
+ the new IA32_TSX_CTRL MSR through a microcode
+ update. This new MSR allows for the reliable
+ deactivation of the TSX functionality.)
+
+ auto - Disable TSX if X86_BUG_TAA is present,
+ otherwise enable TSX on the system.
+
+ Not specifying this option is equivalent to tsx=off.
+
+ See Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
+ for more details.
+
+ tsx_async_abort= [X86,INTEL] Control mitigation for the TSX Async
+ Abort (TAA) vulnerability.
+
+ Similar to Micro-architectural Data Sampling (MDS)
+ certain CPUs that support Transactional
+ Synchronization Extensions (TSX) are vulnerable to an
+ exploit against CPU internal buffers which can forward
+ information to a disclosure gadget under certain
+ conditions.
+
+ In vulnerable processors, the speculatively forwarded
+ data can be used in a cache side channel attack, to
+ access data to which the attacker does not have direct
+ access.
+
+ This parameter controls the TAA mitigation. The
+ options are:
+
+ full - Enable TAA mitigation on vulnerable CPUs
+ if TSX is enabled.
+
+ full,nosmt - Enable TAA mitigation and disable SMT on
+ vulnerable CPUs. If TSX is disabled, SMT
+ is not disabled because CPU is not
+ vulnerable to cross-thread TAA attacks.
+ off - Unconditionally disable TAA mitigation
+
++ On MDS-affected machines, tsx_async_abort=off can be
++ prevented by an active MDS mitigation as both vulnerabilities
++ are mitigated with the same mechanism so in order to disable
++ this mitigation, you need to specify mds=off too.
++
+ Not specifying this option is equivalent to
+ tsx_async_abort=full. On CPUs which are MDS affected
+ and deploy MDS mitigation, TAA mitigation is not
+ required and doesn't provide any additional
+ mitigation.
+
+ For details see:
+ Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
+
turbografx.map[2|3]= [HW,JOY]
TurboGraFX parallel port interface
Format:
projects / linux.git / commitdiff