{"description": "Speculation attacks against some high-performance processors can be used to bypass MMU\npermission checks and leak kernel data to userspace. This can be defended against by unmapping\nthe kernel when running in userspace, mapping it back in on exception entry via a trampoline\npage in the vector table.\nThis configuration is available from kernel 4.16, but may be available if backported\nby distros.\nThe configuration that was used to build kernel is available at <tt>/boot/config-*</tt>.\n    To check the configuration value for <tt>CONFIG_UNMAP_KERNEL_AT_EL0</tt>, run the following command:\n    <tt>grep CONFIG_UNMAP_KERNEL_AT_EL0 /boot/config-*</tt>\n    \n    For each kernel installed, a line with value \"y\" should be returned.\n    ", "rationale": "This is a countermeasure to the Meltdown attack.", "severity": "medium", "references": {"anssi": ["R27"]}, "control_references": {"anssi": ["R27"]}, "components": [], "identifiers": {}, "ocil_clause": "the kernel was not built with the required value", "ocil": "To determine the config value the kernel was built with, run the following command:\n    <pre>$ grep CONFIG_UNMAP_KERNEL_AT_EL0 /boot/config.*</pre>\n    \n    For each kernel installed, a line with value \"y\" should be returned.\n    ", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "aarch64_arch", "platforms": ["aarch64_arch"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["aarch64_arch"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Unmap kernel when running in userspace (aka KAISER)", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/kernel_build_config/kernel_config_unmap_kernel_at_el0/rule.yml", "template": {"name": "kernel_build_config", "vars": {"config": "CONFIG_UNMAP_KERNEL_AT_EL0", "value": "y"}, "backends": {}}}