Put a safety on that toggle! Automating SAFE Dynamic Mitigation

-

How to Build tuned Profiles for Dynamic Linux Kernel Mitigations

dynamic mitigation functionality was created by AMD engineer David Kaplan, linked here is an article discussing it

The recent introduction of "Dynamic Mitigations" for the Linux kernel provides a powerful new capability: the ability to enable or disable CPU security mitigations at runtime without a reboot. This is managed by writing to a special file at /sys/devices/system/cpu/mitigations.

While you can do this manually with a simple echo command, a more robust and manageable approach is to use the tuned daemon. tuned is a system service designed to switch between performance profiles, making it the perfect tool for this job.

This guide will show you how to create custom tuned profiles to easily manage your system's security and performance posture.

Start Somewhere : Create a Custom tuned Profile

Creating a custom profile is straightforward. First, you need to create a new directory for your profile inside /etc/tuned/. User-created profiles in this directory take precedence over the system-default profiles located in /usr/lib/tuned/.


DISCLAIMER : USE AT YOUR OWN RISK, WHAT WORKS ON MINE DOESNT NECESSARILY WORK ON YOURS! TREAT ANY AND ALL CODE AS A TEMPLATE TO BUILD UPON FOR YOUR OWN PURPOSES. TEST IT, TEST IT, TEST IT, BREAK IT ON PURPOSE & UNDERSTAND IT BEFORE YOU EVER CONSIDER USE ON A PRODUCTION ENVIRONMENT!


you've agreed to the disclaimer...

Inside your new directory, you'll create a configuration file named tuned.conf. This file uses a simple INI-style format and is where you define your tuning settings.

# Create a directory for our new profile
sudo mkdir /etc/tuned/full-security 
​Create the configuration file
​sudo nano /etc/tuned/full-security/tuned.conf

A basic tuned.conf file starts with a [main] section where you can provide a summary and, most importantly, inherit settings from an existing profile using the include= directive. This saves you from having to redefine common settings.

Willing? Here's A way : The sysfs Plugin 

+-+Simple & Declarative+-+

The easiest way to set the mitigation level is with the sysfs plugin. This plugin allows you to directly write a specific value to any file in the sysfs filesystem. It's declarative, simple, and perfect for static configurations.

Let's create a full-security profile that inherits from the latency-performance profile but ensures all mitigations are enabled and Simultaneous Multi-Threading (SMT) is disabled.

full-security/tuned.conf

# /etc/tuned/full-security/tuned.conf 
​[main]
summary=Full mitigations for speculative execution vulnerabilities
include=latency-performance
​[sysfs]
/sys/devices/system/cpu/mitigations="auto,nosmt"

In this example, the [sysfs] section contains a single line. The key is the full path to the file, and the value is the exact string that tuned will write to it when the profile is activated.

Built it? : Here's one more

The script Plugin 

+-+Flexible & Powerful+-+

For more complex scenarios where you might need conditional logic, custom logging, or to run other commands, the script plugin is the ideal choice. This plugin executes an external shell script when the profile is activated or deactivated.

Let's create a profile for a high-performance computing (HPC) workload that disables all optional mitigations to maximize performance and logs the change for auditing purposes.

hpc-performance/tuned.conf

First, create the profile directory and the tuned.conf file:

# /etc/tuned/hpc-performance/tuned.conf 
​[main]
summary=Disable all optional CPU mitigations for maximum performance
include=throughput-performance
​[script]
script=/etc/tuned/hpc-performance/mitigation-script.sh

Next, create the corresponding script specified in the config file. The script will be called with either a "start" or "stop" argument.

hpc-performance/mitigation-script.sh

#!/bin/bash
​/etc/tuned/hpc-performance/mitigation-script.sh
​LOG_FILE="/var/log/tuned/mitigations.log"
MITIGATIONS_FILE="/sys/devices/system/cpu/mitigations"
​The script is called with 'start' when the profile is activated,
​and 'stop' when it is deactivated.
​if [ "1" == "start" ]; then
echo "(date): Activating hpc-performance profile. Setting mitigations to OFF." >> ${LOG_FILE}
echo "mitigations=off" > ${MITIGATIONS_FILE}
elif [ "$1" == "stop" ]; then
​When a profile is stopped, tuned automatically reverts settings.
​This block is for logging or any other cleanup needed.
​echo "$(date): Deactivating hpc-performance profile. Mitigations will be reverted." >> ${LOG_FILE}
fi
​exit 0

Finally, make the script executable:

sudo chmod +x /etc/tuned/hpc-performance/mitigation-script.sh

Make it so...

+-+Activate and Verify+-+

Once you've created your profile, you can activate it using the tuned-adm command.

# Activate the full-security profile
sudo tuned-adm profile full-security 
​Check which profile is currently active
​sudo tuned-adm active

When you switch profiles, tuned automatically handles reverting the settings of the old profile before applying the new one, ensuring a clean transition.

By using custom tuned profiles, you can create a library of well-defined, auditable, and easily switchable security postures for your Linux systems, allowing you to balance performance and security with a single command.


Generated report, which adds full explanations of theory, step-by-step breakdown of dynamic mitigations, the threats that must be dealt with, and solutions.

Comments

Post a Comment

Popular posts from this blog

Where Sanctions Cannot Tread -- The Lancet Drone & The Western Components Inside

-
Image
🅆🄷🄴🅁🄴           🅂🄰🄽🄲🅃🄸🄾🄽🅂                 🄲🄰🄽🄽🄾🅃                          🅃🅁🄴🄰🄳 An American-made HIMARS artillery system races down a Ukrainian road as a kamikaze drone hunts it down. The drone flies into the vehicle, followed by an explosion. The scene was caught on video by a Russian reconnaissance drone in mid-November. The drone that hit the HIMARS was a Lancet — one of Russia’s most used unmanned aerial vehicles (UAV). Russia has used thousands of them against Ukraine. The weapons are produced by Zala Aero Group, a privately-owned group of Russian companies, with the state holding a minority stake in one of its entities. It is one of the largest manufacturers of Russian combat drones attacking Ukraine. Like other Russian defense producers, the group has been targeted by Western sanctions and export re...
Read more

ESP8266 WEMOS D1 || PACKET MONITOR

-
Image
#include <ESP8266WiFi.h> #include <Wire.h> #include <EEPROM.h>   #include "SSD1306.h"   extern "C" { #include "user_interface.h" }   SSD1306 display ( 0x3c , 5 , 4 ) ;    // GPIO 5 = D1, GPIO 4 = D2 پین های مربوط   #define btn D3         // Nodemcu   #define maxCh 13       //   US = 11, EU = 13, Japan = 14  #define ledPin 2       // LED #define packetRate 5   //   #define flipDisplay true   #define minRow       0           #define maxRow     127               #define minLine      0               #define maxLine ...
Read more