| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 11 Sep 2021 14:13:36 -0700
From: Kees Cook <keescook@...omium.org>
To: Andrea Arcangeli <aarcange@...hat.com>
Cc: Thomas Gleixner <tglx@...utronix.de>,
YiFei Zhu <zhuyifei1999@...il.com>,
Linux Containers <containers@...ts.linux-foundation.org>,
YiFei Zhu <yifeifz2@...inois.edu>, bpf <bpf@...r.kernel.org>,
kernel list <linux-kernel@...r.kernel.org>,
Aleksa Sarai <cyphar@...har.com>,
Andy Lutomirski <luto@...capital.net>,
David Laight <David.Laight@...lab.com>,
Dimitrios Skarlatos <dskarlat@...cmu.edu>,
Giuseppe Scrivano <gscrivan@...hat.com>,
Hubertus Franke <frankeh@...ibm.com>,
Jack Chen <jianyan2@...inois.edu>,
Jann Horn <jannh@...gle.com>,
Josep Torrellas <torrella@...inois.edu>,
Tianyin Xu <tyxu@...inois.edu>,
Tobin Feldman-Fitzthum <tobin@....com>,
Tycho Andersen <tycho@...ho.pizza>,
Valentin Rothberg <vrothber@...hat.com>,
Will Drewry <wad@...omium.org>, Jiri Kosina <jikos@...nel.org>,
Waiman Long <longman@...hat.com>,
Josh Poimboeuf <jpoimboe@...hat.com>,
Andi Kleen <ak@...ux.intel.com>
Subject: Re: [PATCH 1/1] x86: deduplicate the spectre_v2_user documentation
On Wed, Nov 04, 2020 at 07:14:06PM -0500, Andrea Arcangeli wrote:
> This would need updating to make prctl be the new default, but it's
> simpler to delete it and refer to the dup.
>
> Signed-off-by: Andrea Arcangeli <aarcange@...hat.com>
I'll take this too.
-Kees
> ---
> Documentation/admin-guide/hw-vuln/spectre.rst | 51 +------------------
> 1 file changed, 2 insertions(+), 49 deletions(-)
>
> diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst
> index 19b897cb1d45..ab7d402c1677 100644
> --- a/Documentation/admin-guide/hw-vuln/spectre.rst
> +++ b/Documentation/admin-guide/hw-vuln/spectre.rst
> @@ -593,61 +593,14 @@ kernel command line.
> Not specifying this option is equivalent to
> spectre_v2=auto.
>
> -For user space mitigation:
> -
> - spectre_v2_user=
> -
> - [X86] Control mitigation of Spectre variant 2
> - (indirect branch speculation) vulnerability between
> - user space tasks
> -
> - on
> - Unconditionally enable mitigations. Is
> - enforced by spectre_v2=on
> -
> - off
> - Unconditionally disable mitigations. Is
> - enforced by spectre_v2=off
> -
> - prctl
> - Indirect branch speculation is enabled,
> - but mitigation can be enabled via prctl
> - per thread. The mitigation control state
> - is inherited on fork.
> -
> - prctl,ibpb
> - Like "prctl" above, but only STIBP is
> - controlled per thread. IBPB is issued
> - always when switching between different user
> - space processes.
> -
> - seccomp
> - Same as "prctl" above, but all seccomp
> - threads will enable the mitigation unless
> - they explicitly opt out.
> -
> - seccomp,ibpb
> - Like "seccomp" above, but only STIBP is
> - controlled per thread. IBPB is issued
> - always when switching between different
> - user space processes.
> -
> - auto
> - Kernel selects the mitigation depending on
> - the available CPU features and vulnerability.
> -
> - Default mitigation:
> - If CONFIG_SECCOMP=y then "seccomp", otherwise "prctl"
> -
> - Not specifying this option is equivalent to
> - spectre_v2_user=auto.
> -
> In general the kernel by default selects
> reasonable mitigations for the current CPU. To
> disable Spectre variant 2 mitigations, boot with
> spectre_v2=off. Spectre variant 1 mitigations
> cannot be disabled.
>
> +For spectre_v2_user see :doc:`/admin-guide/kernel-parameters`.
> +
> Mitigation selection guide
> --------------------------
>
>
--
Kees Cook
Powered by blists - more mailing lists