lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180125133433.3a750f25@alans-desktop>
Date:   Thu, 25 Jan 2018 13:34:33 +0000
From:   Alan Cox <gnomes@...rguk.ukuu.org.uk>
To:     "Jason A. Donenfeld" <Jason@...c4.com>
Cc:     gregkh@...uxfoundation.org, linux-kernel@...r.kernel.org,
        kernel-hardening@...ts.openwall.com
Subject: Re: [PATCH] cpu: do not leak vulnerabilities to unprivileged users

On Thu, 25 Jan 2018 13:04:01 +0100
"Jason A. Donenfeld" <Jason@...c4.com> wrote:

> While it's public information if the CPU in general has spectre/meltdown
> bugs, it probably shouldn't be as globally obvious to all unprivileged
> users whether or not the kernel is doing something to mitigate

There are plenty of cases where it is useful for an application such as a
JIT to know what level of protection it needs to be providing. For
example if you look across the ecosystem (notably ARM) a lot of common
slower processors are not vulnerable. For those a JIT would want to
generate code without the overhead of any protections.

As you observe any attacker can already trivially ascertain whether
protection is on, so there is no point pretending file permissions
magically stop that. In fact the information is already in cpuinfo.

IMHO given it's trivially available info and useful for JITs it make
sense for the data to be exposed.

Alan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ