lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ZS6jX9v+QBsKyavE@gmail.com>
Date:   Tue, 17 Oct 2023 08:08:15 -0700
From:   Breno Leitao <leitao@...ian.org>
To:     Borislav Petkov <bp@...en8.de>, mingo@...nel.org,
        jpoimboe@...nel.org
Cc:     Ingo Molnar <mingo@...nel.org>,
        Josh Poimboeuf <jpoimboe@...nel.org>, tglx@...utronix.de,
        Ingo Molnar <mingo@...hat.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org,
        "H. Peter Anvin" <hpa@...or.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>, leit@...a.com,
        "open list:X86 ARCHITECTURE (32-BIT AND 64-BIT)" 
        <linux-kernel@...r.kernel.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        gustavold@...a.com
Subject: Re: [PATCH v4] x86/bugs: Add a separate config for each mitigation

On Mon, Oct 16, 2023 at 02:46:54PM +0200, Borislav Petkov wrote:
> IOW, I don't see the particular reason for having those namespaced. But
> since you and Josh care so much and I don't - not that much :-) - and
> I definitely won't be doing the work, feel free.

Thanks for all the discussion so far.

I am summarizing what I got from this discussion so far, and
starting to get the direction on where we want to be:

0) Each mitigation should have their own Kconfig entry under
SPECULATION_MITIGATIONS.

1) Have "Mitigation" namespace for each mitigation. These are the new
name for the mitigations:
 * MITIGATION_PAGE_TABLE_ISOLATION
 * MITIGATION_RETPOLINE
 * MITIGATION_UNRET_ENTRY
 * MITIGATION_CALL_DEPTH_TRACKING
 * MITIGATION_IBPB_ENTRY
 * MITIGATION_IBRS_ENTRY
 * MITIGATION_SRSO
 * MITIGATION_SLS

2) Split the GDS mitigation in two:
 * MITIGATION_GDS
 * MITIGATION_GDS_FORCE

3) Create new Kconfigs for the following missing mitigations:
 * MITIGATION_MDS
 * MITIGATION_TAA
 * MITIGATION_MMIO_STALE_DATA
 * MITIGATION_L1TF
 * MITIGATION_RETBLEED
 * MITIGATION_SPECTRE_V1
 * MITIGATION_SPECTRE_V2
 * MITIGATION_SRBDS
 * MITIGATION_SSB

4) Do no touch the enum order, instead use the something as the code
below to avoid the #ifdefs in the code:

  static enum retbleed_mitigation_cmd retbleed_cmd __ro_after_init =
        IS_ENABLED(CONFIG_MITIGATION_RETBLEED) ? RETBLEED_CMD_AUTO : RETBLEED_CMD_OFF;

5) Make sure that there is clear messages when the mitigations are
disabled.  i.e, make sure that the current pr_info() we have today are
called in case the mitigation is disabled.

Am I missing something?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ