1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
|
documentation_complete: true
title: 'Avoid speculative indirect branches in kernel'
description: |-
Compile kernel with the retpoline compiler options to guard against kernel-to-user data leaks
by avoiding speculative indirect branches.
Requires a compiler with -mindirect-branch=thunk-extern support for full protection.
The kernel may run slower.
{{{ describe_kernel_build_config("CONFIG_RETPOLINE", "y") | indent(4) }}}
rationale: |-
This is required to enable protection against Spectre v2.
warnings:
{{{ warning_kernel_build_config() | indent(4) }}}
severity: medium
identifiers:
cce@rhel8: CCE-87494-1
cce@rhel9: CCE-87495-8
cce@rhel10: CCE-89562-3
ocil_clause: 'the kernel was not built with the required value'
ocil: |-
{{{ ocil_kernel_build_config("CONFIG_RETPOLINE", "y") | indent(4) }}}
template:
name: kernel_build_config
vars:
config: CONFIG_RETPOLINE
value: 'y'
|
