1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
documentation_complete: true
title: 'Enable randomization of the page allocator'
description: |-
To enable randomization of the page allocator in the kernel, add the
<tt>page_alloc.shuffle=1</tt> argument to the default GRUB 2 command line.
{{{ describe_grub2_argument("page_alloc.shuffle=1") | indent(4) }}}
rationale: |-
The <tt>CONFIG_SHUFFLE_PAGE_ALLOCATOR</tt> config option is primarily
focused on improving the average utilization of a direct-mapped
memory-side-cache. Aside of this performance effect, it also reduces
predictability of page allocations in situations when the bad actor can
crash the system and somehow leverage knowledge of (page) allocation order
right after a fresh reboot, or can control the timing between a
hot-pluggable memory node (as in NUMA node) and applications allocating
memory ouf of that node. The <tt>page_alloc.shuffle=1</tt> kernel command
line parameter then forces this functionality irrespectively of memory cache
architecture.
severity: medium
identifiers:
cce@rhel9: CCE-85879-5
cce@rhel10: CCE-90506-7
ocil_clause: 'randomization of the page allocator is not enabled in the kernel'
ocil: |-
{{{ ocil_grub2_argument("page_alloc.shuffle=1") | indent(4) }}}
references:
ospp: AVA_VAN.1
template:
name: grub2_bootloader_argument
vars:
arg_name: page_alloc.shuffle
arg_value: '1'
|
