| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20231011164955.mm5ipmuyf4rje5u3@treble>
Date: Wed, 11 Oct 2023 09:49:55 -0700
From: Josh Poimboeuf <jpoimboe@...nel.org>
To: Breno Leitao <leitao@...ian.org>
Cc: tglx@...utronix.de, bp@...en8.de, Ingo Molnar <mingo@...hat.com>,
Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org,
"H. Peter Anvin" <hpa@...or.com>,
Peter Zijlstra <peterz@...radead.org>,
Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>, leit@...a.com,
"open list:X86 ARCHITECTURE (32-BIT AND 64-BIT)"
<linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v4] x86/bugs: Add a separate config for each mitigation
On Wed, Oct 11, 2023 at 05:20:59AM -0700, Breno Leitao wrote:
> On Tue, Oct 10, 2023 at 09:42:52PM -0700, Josh Poimboeuf wrote:
> > On Tue, Oct 10, 2023 at 03:30:27AM -0700, Breno Leitao wrote:
> > > +config MITIGATE_MDS
> > > + bool "Mitigate Microarchitectural Data Sampling (MDS) hardware bug"
> > > + depends on CPU_SUP_INTEL
> > > + default y
> > > + help
> > > + Enable mitigation for Microarchitectural Data Sampling (MDS). MDS is
> > > + a hardware vulnerability which allows unprivileged speculative access
> > > + to data which is available in various CPU internal buffer. Deeper
> > > + technical information is available in the MDS specific x86 architecture
> > > + section: Documentation/arch/x86/mds.rst.
> >
> > MITIGATE_GDS seems to be missing?
>
> GDS is named `GDS_FORCE_MITIGATION` instead of MITIGATE_GDS. See
> 11cf22869ea ("x86/speculation: Add Kconfig option for GDS")
Enabling/disabling GDS_FORCE_MITIGATION doesn't enable/disable the
mitigation, it just changes the default.
For consistency that option should probably be renamed to
MITIGATION_GDS_FORCE. It should depend on MITIGATION_GDS. If
MITIGATION_GDS is disabled, gds_mitigation should default to
GDS_MITIGATION_OFF.
e.g., something like
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 66bfabae8814..c8c879302b37 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2549,9 +2549,16 @@ config SLS
against straight line speculation. The kernel image might be slightly
larger.
-config GDS_FORCE_MITIGATION
- bool "Force GDS Mitigation"
+config MITIGATION_GDS
+ bool" Mitigate Gather Data Sampling"
depends on CPU_SUP_INTEL
+ default y
+ help
+ (Insert actual description here)
+
+config MITIGATION_GDS_FORCE
+ bool "Force GDS Mitigation"
+ depends on MITIGATION_GDS
default n
help
Gather Data Sampling (GDS) is a hardware vulnerability which allows
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index f081d26616ac..43ad3eee3d4c 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -671,11 +671,15 @@ enum gds_mitigations {
GDS_MITIGATION_HYPERVISOR,
};
-#if IS_ENABLED(CONFIG_GDS_FORCE_MITIGATION)
+#if IS_ENABLED(CONFIG_MITIGATION_GDS)
+#if IS_ENABLED(CONFIG_MITIGATION_GDS_FORCE)
static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FORCE;
#else
static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FULL;
#endif
+#else
+static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_OFF;
+#endif
static const char * const gds_strings[] = {
[GDS_MITIGATION_OFF] = "Vulnerable",
Powered by blists - more mailing lists