Put a safety on that toggle! Automating SAFE Dynamic Mitigation
How to Build tuned Profiles for Dynamic Linux Kernel Mitigations
The recent introduction of "Dynamic Mitigations" for the Linux kernel provides a powerful new capability: the ability to enable or disable CPU security mitigations at runtime without a reboot. This is managed by writing to a special file at /sys/devices/system/cpu/mitigations.
While you can do this manually with a simple echo command, a more robust and manageable approach is to use the tuned daemon. tuned is a system service designed to switch between performance profiles, making it the perfect tool for this job.
This guide will show you how to create custom tuned profiles to easily manage your system's security and performance posture.
Start Somewhere : Create a Custom tuned Profile
Creating a custom profile is straightforward. First, you need to create a new directory for your profile inside /etc/tuned/. User-created profiles in this directory take precedence over the system-default profiles located in /usr/lib/tuned/.
DISCLAIMER : USE AT YOUR OWN RISK, WHAT WORKS ON MINE DOESN'T NECESSARILY WORK ON YOURS! TREAT ANY AND ALL CODE AS A TEMPLATE TO BUILD UPON FOR YOUR OWN PURPOSES. TEST IT, TEST IT, TEST IT, BREAK IT ON PURPOSE & UNDERSTAND IT BEFORE YOU EVER CONSIDER USE ON A PRODUCTION ENVIRONMENT!
you've agreed to the disclaimer...
Inside your new directory, you'll create a configuration file named tuned.conf. This file uses a simple INI-style format and is where you define your tuning settings.
# Create a directory for our new profile
sudo mkdir /etc/tuned/full-security
# Create the configuration file
sudo nano /etc/tuned/full-security/tuned.conf
A basic tuned.conf file starts with a [main] section where you can provide a summary and, most importantly, inherit settings from an existing profile using the include= directive. This saves you from having to redefine common settings.
Willing? Here's A way : The sysfs Plugin
+-+Simple & Declarative+-+
The easiest way to set the mitigation level is with the sysfs plugin. This plugin allows you to directly write a specific value to any file in the sysfs filesystem. It's declarative, simple, and perfect for static configurations.
Let's create a full-security profile that inherits from the latency-performance profile but ensures all mitigations are enabled and Simultaneous Multi-Threading (SMT) is disabled.
full-security/tuned.conf
# /etc/tuned/full-security/tuned.conf
[main]
summary=Full mitigations for speculative execution vulnerabilities
include=latency-performance
[sysfs]
/sys/devices/system/cpu/mitigations="auto,nosmt"
In this example, the [sysfs] section contains a single line. The key is the full path to the file, and the value is the exact string that tuned will write to it when the profile is activated.
Built it? : Here's one more
The script Plugin
+-+Flexible & Powerful+-+
For more complex scenarios where you might need conditional logic, custom logging, or to run other commands, the script plugin is the ideal choice. This plugin executes an external shell script when the profile is activated or deactivated.
Let's create a profile for a high-performance computing (HPC) workload that disables all optional mitigations to maximize performance and logs the change for auditing purposes.
hpc-performance/tuned.conf
First, create the profile directory and the tuned.conf file:
# /etc/tuned/hpc-performance/tuned.conf
[main]
summary=Disable all optional CPU mitigations for maximum performance
include=throughput-performance
[script]
script=/etc/tuned/hpc-performance/mitigation-script.sh
Next, create the corresponding script specified in the config file. The script will be called with either a "start" or "stop" argument.
hpc-performance/mitigation-script.sh
#!/bin/bash
# /etc/tuned/hpc-performance/mitigation-script.sh
LOG_FILE="/var/log/tuned/mitigations.log"
MITIGATIONS_FILE="/sys/devices/system/cpu/mitigations"
# The script is called with 'start' when the profile is activated,
# and 'stop' when it is deactivated.
if [ "$1" == "start" ]; then
    echo "$(date): Activating hpc-performance profile. Setting mitigations to OFF." >> "${LOG_FILE}"
    # Write the bare value, in the same format the sysfs plugin uses ("auto,nosmt" above).
    echo "off" > "${MITIGATIONS_FILE}"
elif [ "$1" == "stop" ]; then
    # tuned reverts settings it applied through its declarative plugins (such as sysfs)
    # when a profile stops, but it does not track what this script wrote, so restore
    # the kernel default here in case the next profile does not set the file itself.
    echo "$(date): Deactivating hpc-performance profile. Restoring mitigations to AUTO." >> "${LOG_FILE}"
    echo "auto" > "${MITIGATIONS_FILE}"
fi
exit 0
Finally, make the script executable:
sudo chmod +x /etc/tuned/hpc-performance/mitigation-script.sh
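The script above writes whatever it is told to. The title promises a safety on the toggle, so here is an added example (not code from the original post) of a guarded write you could call from a script-plugin script: it refuses values outside a small allowlist, re-reads the file after writing, and logs the before/after state. It assumes the toggle accepts the same values as the kernel's mitigations= parameter (off, auto, auto,nosmt) and reads back the string last written to it; the function names, the log path and the optional FILE/LOG arguments (there so the functions can be exercised against scratch files) are this example's own.

```shell
#!/bin/sh
# Guarded write for the dynamic-mitigations toggle (added example, not from the post).
# Assumptions: accepted values are off / auto / auto,nosmt, and the file reads back
# the string last written to it.

MITIGATIONS_FILE="/sys/devices/system/cpu/mitigations"
LOG_FILE="/var/log/tuned/mitigations.log"

# allowed_value VALUE -> 0 if VALUE is one of the accepted settings, 1 otherwise
allowed_value() {
    case "$1" in
        off|auto|auto,nosmt) return 0 ;;
        *) return 1 ;;
    esac
}

# set_mitigations VALUE [FILE] [LOG]
# Refuses values outside the allowlist (status 2), writes VALUE to FILE,
# re-reads FILE and logs the transition. Returns 0 only if the write took effect.
set_mitigations() {
    value=$1
    target=${2:-$MITIGATIONS_FILE}
    log=${3:-$LOG_FILE}
    if ! allowed_value "$value"; then
        echo "$(date): REFUSED '$value' for $target (not in allowlist)" >> "$log"
        return 2
    fi
    before=$(cat "$target" 2>/dev/null || echo '<unreadable>')
    if ! printf '%s\n' "$value" > "$target" 2>/dev/null; then
        echo "$(date): FAILED to write '$value' to $target (was '$before')" >> "$log"
        return 1
    fi
    after=$(cat "$target" 2>/dev/null)
    echo "$(date): $target '$before' -> '$after' (requested '$value')" >> "$log"
    [ "$after" = "$value" ]
}

# Script-plugin entry point: tuned passes "start" or "stop" as $1.
# Anything else (including no argument) is ignored.
case "${1:-}" in
    start) set_mitigations off ;;
    stop)  set_mitigations auto ;;
esac
```

Because the functions take the target file and log as optional arguments, you can rehearse the script against a scratch file as an unprivileged user before pointing it at the real sysfs path.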
Make it so...
+-+Activate and Verify+-+
Once you've created your profile, you can activate it using the tuned-adm command.
# Activate the full-security profile
sudo tuned-adm profile full-security
# Check which profile is currently active
sudo tuned-adm active
When you switch profiles, tuned automatically handles reverting the settings of the old profile before applying the new one, ensuring a clean transition.
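tuned-adm active tells you which profile tuned believes is in force; it does not tell you whether the kernel file actually holds the value the profile declares. The following is an added example (not code from the original post or from tuned) that closes that gap for sysfs-style profiles: it parses the [sysfs] section of a profile's tuned.conf, reads each listed file and reports any mismatch. It assumes the profile layout used in this guide (/etc/tuned/NAME/tuned.conf), that the mitigations file reads back the string last written to it, and the "Current active profile: NAME" line printed by tuned-adm active; the function names and the optional ROOT argument (a prefix for every sysfs path, so the check can be run against a scratch tree) are this example's own.

```shell
#!/bin/sh
# Verify that live sysfs state matches a tuned profile's [sysfs] section
# (added example, not part of the original post).

TAB=$(printf '\t')

# parse_active_profile "Current active profile: full-security" -> full-security
parse_active_profile() {
    printf '%s\n' "$1" | sed -n 's/^Current active profile:[[:space:]]*//p'
}

# expected_sysfs_values PROFILE_DIR
# Prints one "path<TAB>value" line per key in the [sysfs] section of
# PROFILE_DIR/tuned.conf, with surrounding whitespace and quotes stripped.
expected_sysfs_values() {
    awk '
        /^\[/ { in_sysfs = ($0 == "[sysfs]"); next }
        in_sysfs && /^[^#;[:space:]]/ && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            gsub(/^"|"$/, "", val)
            print key "\t" val
        }' "$1/tuned.conf"
}

# verify_profile PROFILE_DIR [ROOT]
# ROOT is prepended to every sysfs path (empty on a real host, a scratch
# directory when testing). Returns 0 only when every declared value is in place.
verify_profile() {
    profile_dir=$1
    root=${2:-}
    status=0
    tmp=$(mktemp)
    expected_sysfs_values "$profile_dir" > "$tmp"
    while IFS="$TAB" read -r path want; do
        have=$(cat "$root$path" 2>/dev/null) || have="<unreadable>"
        if [ "$have" = "$want" ]; then
            echo "ok       $path = $want"
        else
            echo "MISMATCH $path: want '$want', have '$have'"
            status=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return $status
}

# Stand-alone use on a real host: check whatever profile tuned-adm reports as active.
if [ "${1:-}" = "--live" ]; then
    name=$(parse_active_profile "$(tuned-adm active 2>/dev/null)")
    [ -n "$name" ] || { echo "no active tuned profile"; exit 2; }
    verify_profile "/etc/tuned/$name"
fi
```

Run it with --live after tuned-adm profile full-security; a non-zero exit means the kernel file does not hold what the profile promised, which is the condition you want an alert on rather than a log line.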
By using custom tuned profiles, you can create a library of well-defined, auditable, and easily switchable security postures for your Linux systems, allowing you to balance performance and security with a single command.