| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 3 Jan 2019 10:38:58 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Jeremy Linton <jeremy.linton@....com>
Cc: linux-arm-kernel@...ts.infradead.org, catalin.marinas@....com,
will.deacon@....com, marc.zyngier@....com, suzuki.poulose@....com,
dave.martin@....com, shankerd@...eaurora.org, mark.rutland@....com,
linux-kernel@...r.kernel.org, ykaukab@...e.de,
julien.thierry@....com, mlangsdo@...hat.com, steven.price@....com,
Thomas Gleixner <tglx@...utronix.de>,
"Rafael J . Wysocki" <rafael.j.wysocki@...el.com>,
Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>,
Peter Zijlstra <peterz@...radead.org>,
Dave Hansen <dave.hansen@...el.com>,
Borislav Petkov <bp@...en8.de>,
David Woodhouse <dwmw@...zon.co.uk>
Subject: Re: [PATCH v2 1/7] sysfs/cpu: Add "Unknown" vulnerability state
On Wed, Jan 02, 2019 at 06:49:15PM -0600, Jeremy Linton wrote:
> There is a lot of variation in the Arm ecosystem. Because of this,
> there exist possible cases where the kernel cannot authoritatively
> determine if a machine is vulnerable.
Really? Why not? What keeps you from "knowing" this? Can't the
developer of the chip tell you?
> Rather than guess the vulnerability status in cases where
> the mitigation is disabled or the firmware isn't responding
> correctly, we need to display an "Unknown" state.
Shouldn't "Unknown" really be the same thing as "Vulnerable"? A user
should treat it the same way, "Unknown" makes it feel like "maybe I can
just ignore this and hope I really am safe", which is not a good idea at
all.
thanks,
greg k-h
Powered by blists - more mailing lists