| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 3 Jan 2019 10:46:53 -0600
From: Jeremy Linton <jeremy.linton@....com>
To: Dave Martin <Dave.Martin@....com>
Cc: linux-arm-kernel@...ts.infradead.org, mark.rutland@....com,
mlangsdo@...hat.com,
"Rafael J . Wysocki" <rafael.j.wysocki@...el.com>,
Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>,
suzuki.poulose@....com, marc.zyngier@....com,
catalin.marinas@....com, Dave Hansen <dave.hansen@...el.com>,
julien.thierry@....com, will.deacon@....com,
linux-kernel@...r.kernel.org, steven.price@....com,
Peter Zijlstra <peterz@...radead.org>,
Borislav Petkov <bp@...en8.de>,
David Woodhouse <dwmw@...zon.co.uk>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
ykaukab@...e.de, Thomas Gleixner <tglx@...utronix.de>,
shankerd@...eaurora.org
Subject: Re: [PATCH v2 1/7] sysfs/cpu: Add "Unknown" vulnerability state
Hi,
On 01/03/2019 10:37 AM, Dave Martin wrote:
> On Wed, Jan 02, 2019 at 06:49:15PM -0600, Jeremy Linton wrote:
>> There is a lot of variation in the Arm ecosystem. Because of this,
>> there exist possible cases where the kernel cannot authoritatively
>> determine if a machine is vulnerable.
>>
>> Rather than guess the vulnerability status in cases where
>> the mitigation is disabled or the firmware isn't responding
>> correctly, we need to display an "Unknown" state.
>>
>> Signed-off-by: Jeremy Linton <jeremy.linton@....com>
>> Cc: Thomas Gleixner <tglx@...utronix.de>
>> Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
>> Cc: Rafael J. Wysocki <rafael.j.wysocki@...el.com>
>> Cc: Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>
>> Cc: Peter Zijlstra <peterz@...radead.org>
>> Cc: Dave Hansen <dave.hansen@...el.com>
>> Cc: Borislav Petkov <bp@...en8.de>
>> Cc: David Woodhouse <dwmw@...zon.co.uk>
>> ---
>> Documentation/ABI/testing/sysfs-devices-system-cpu | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
>> index 9605dbd4b5b5..876103fddfa4 100644
>> --- a/Documentation/ABI/testing/sysfs-devices-system-cpu
>> +++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
>> @@ -495,6 +495,7 @@ Description: Information about CPU vulnerabilities
>> "Not affected" CPU is not affected by the vulnerability
>> "Vulnerable" CPU is affected and no mitigation in effect
>> "Mitigation: $M" CPU is affected and mitigation $M is in effect
>> + "Unknown" The kernel is unable to make a determination
>
> Do some of the "Unknown" cases arise from the vulnerability detection
> code being compiled out of the kernel?
>
Yes,
> I wonder whether at least the detection support should be mandatory.
> sysfs is not very useful as a standard vulnerability reporting interface
> unless we make best efforts to always populate it with real information. >
>
> Also, does "Unknown" convey anything beyond what is indicated by the
> sysfs entry being omitted altogether?
I'm not sure about this one. I tend to think the "unknown" case
encourages users that really want an answer to dig deeper and call their
hardware/os/whoever to get an answer. I would tend to think that if the
entry is missing it would tend to encourage the behavior that Greg KH
mentions where the user assumes "hey the system doesn't have a sysfs
entry for $VUNLERABILITY, that probably means that its not possible on
the architecture".
Powered by blists - more mailing lists