Customize kernel parameters during install

This guide covers advanced configuration options for customizing Xen and Linux kernel parameters during Edera installation.

Warning

These options are intended for advanced users. Misconfiguring hypervisor or kernel flags can reduce security or lead to system instability. Only use these options if you fully understand their impact on the kernel and the Edera hypervisor.

For background information, see Speculative execution mitigations.

Before you begin

Make sure you meet the following requirements:

  • You’re using the protect-installer container to install Edera.
  • You have Docker or another compatible container runtime installed.
  • You understand the impact of disabling speculative execution mitigations. These flags are intended for testing or for use in trusted, single-tenant environments.

Recommended settings

There are two main ways to mitigate speculative side-channel attacks in Edera:

  • XPTI/KPTI: Page-table isolation at the hypervisor and zone kernel levels.
  • SMT control: Disabling simultaneous multithreading (SMT), also known as Hyper-Threading.

For optimal performance, we recommend disabling SMT and turning off XPTI/KPTI.

  • On AMD platforms, XPTI and KPTI are not enabled by default, and SMT is generally safe to leave enabled.

How it works

The installer supports two environment variables:

  • EDERA_PROTECT_INSTALLER_XEN_CMDLINE_APPEND: Appends flags to the Xen hypervisor boot parameters.
  • EDERA_PROTECT_INSTALLER_LINUX_CMDLINE_APPEND: Appends flags to the Linux kernel command line for the host.

These values are applied when the system reboots after installation.

Example: Disable speculative execution mitigations

To disable speculative execution mitigations at both the Xen and Linux levels, run the installer with the following options:

$CLIENT run \
  --privileged \
  --env 'TARGET_DIR=/host' \
  --env 'EDERA_PROTECT_INSTALLER_SKIP_REBOOT=true' \
  --env "EDERA_PROTECT_INSTALLER_XEN_CMDLINE_APPEND=\"spec-ctrl=no xpti=dom0=on,domU=off\"" \
  --env "EDERA_PROTECT_INSTALLER_LINUX_CMDLINE_APPEND=\"mitigations=off nopti\"" \
  --volume '/:/host' \
  --volume '/root/override.install.sh:/root/install.sh' \
  --volume "$HOME/.docker/config.json:/root/.docker/config.json" \
  --pid host \
  --net host \
  ${EDERA_REGISTRY}/edera-protect/staging/protect-installer:${TAG}

Flag descriptions

Flag                    Description
spec-ctrl=no            Disables Spectre/Meltdown mitigations in Xen
xpti=dom0=on,domU=off   Enables XPTI for dom0 only, reducing overhead for zones
mitigations=off         Disables most kernel-level mitigations
nopti                   Disables Kernel Page Table Isolation (KPTI) in the zone kernel

Verify kernel parameters

To confirm which flags were applied to the host kernel, run the following command on the host after the post-install reboot:

cat /proc/cmdline
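The manual check above can be scripted. The following is an added example (not part of the Edera installer or its documentation): it parses a kernel command line, confirms that every flag passed through EDERA_PROTECT_INSTALLER_LINUX_CMDLINE_APPEND is actually present, and reports the mitigation-disabling parameters from the table above so a host running with weakened mitigations can be flagged in an audit. The sample command line is constructed; the root device and console values are hypothetical.

```shell
#!/bin/sh
# Added example: audit a Linux kernel command line for Edera-appended flags.
# On a real host, pass "$(cat /proc/cmdline)" instead of the constructed sample.

# Constructed sample of /proc/cmdline after the install shown on this page
# (hypothetical BOOT_IMAGE, root and console values).
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro console=ttyS0 mitigations=off nopti'

# cmdline_has CMDLINE TOKEN: succeeds if TOKEN appears as a whole parameter
# (substring matches such as "pti" inside "nopti" are deliberately not counted).
cmdline_has() {
    for word in $1; do
        [ "$word" = "$2" ] && return 0
    done
    return 1
}

# verify_appended CMDLINE "flag1 flag2 ...": succeeds only when every expected
# flag is present; prints the missing ones otherwise.
verify_appended() {
    _missing=""
    for flag in $2; do
        cmdline_has "$1" "$flag" || _missing="$_missing $flag"
    done
    if [ -n "$_missing" ]; then
        echo "missing:$_missing"
        return 1
    fi
    return 0
}

# weakened_mitigations CMDLINE: prints each parameter from the flag table that
# turns off a kernel mitigation; succeeds when at least one is found, so an
# audit job can alert on hosts booted in this state.
weakened_mitigations() {
    _found=0
    for word in $1; do
        case "$word" in
            mitigations=off|nopti)
                echo "mitigation disabled: $word"
                _found=1 ;;
        esac
    done
    [ "$_found" -eq 1 ]
}

# Demonstration on the constructed sample.
verify_appended "$SAMPLE_CMDLINE" "mitigations=off nopti" && echo "all appended flags present"
weakened_mitigations "$SAMPLE_CMDLINE" || echo "no mitigation-disabling flags found"
```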
