[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID:
<LV3PR12MB92651C6977B4F6F701416ED294772@LV3PR12MB9265.namprd12.prod.outlook.com>
Date: Tue, 1 Oct 2024 01:53:01 +0000
From: "Kaplan, David" <David.Kaplan@....com>
To: "Manwaring, Derek" <derekmn@...zon.com>
CC: "bp@...en8.de" <bp@...en8.de>, "dave.hansen@...ux.intel.com"
<dave.hansen@...ux.intel.com>, "hpa@...or.com" <hpa@...or.com>,
"jpoimboe@...nel.org" <jpoimboe@...nel.org>, "linux-kernel@...r.kernel.org"
<linux-kernel@...r.kernel.org>, "mingo@...hat.com" <mingo@...hat.com>,
"pawan.kumar.gupta@...ux.intel.com" <pawan.kumar.gupta@...ux.intel.com>,
"peterz@...radead.org" <peterz@...radead.org>, "tglx@...utronix.de"
<tglx@...utronix.de>, "x86@...nel.org" <x86@...nel.org>
Subject: RE: [RFC PATCH 18/34] Documentation/x86: Document the new attack
vector controls
[AMD Official Use Only - AMD Internal Distribution Only]
> -----Original Message-----
> From: Manwaring, Derek <derekmn@...zon.com>
> Sent: Monday, September 30, 2024 7:44 PM
> To: Kaplan, David <David.Kaplan@....com>
> Cc: bp@...en8.de; dave.hansen@...ux.intel.com; hpa@...or.com;
> jpoimboe@...nel.org; linux-kernel@...r.kernel.org; mingo@...hat.com;
> pawan.kumar.gupta@...ux.intel.com; peterz@...radead.org;
> tglx@...utronix.de; x86@...nel.org
> Subject: Re: [RFC PATCH 18/34] Documentation/x86: Document the new
> attack vector controls
>
> Caution: This message originated from an External Source. Use proper
> caution when opening attachments, clicking links, or responding.
>
>
> On 2024-09-12 14:08-0500 David Kaplan wrote:
> > +
> > +Summary of attack-vector mitigations
> > +------------------------------------
> > +
> > +When a vulnerability is mitigated due to an attack-vector control,
> > +the default mitigation option for that particular vulnerability is
> > +used. To use a different mitigation, please use the vulnerability-specific
> command line option.
> > +
> > +The table below summarizes which vulnerabilities are mitigated when
> > +different attack vectors are enabled and assuming the CPU is vulnerable.
>
> Really excited to see this breakdown of which attacks matter when. I think
> this will help demystify the space generally. I am tempted to add even more
> issues to the table, but I suppose the idea is to limit only to issues for which
> there is a kernel parameter, is that right?
Right.
>
> I think it'd be useful to get to a point that if someone comes across one of the
> many papers & issue names, they could find it here and have an idea of how
> it impacts their workload. Maybe this isn't the place for that kind of a
> glossary, but interested in hearing where you see something like that fitting
> in. If we could at least add a column or footnote for each to capture
> something like "SRSO is also known as Inception and CVE-2023-20569," I
> think that would go a long way to reduce confusion.
>
That's a good idea. One thought could be a new documentation file which could map CVE numbers to vendor/researcher names, kernel options, and related documentation. Some of the issues already have their own documentation files with more details, but not all do. I tend to agree it would be nice to have something easily searchable to help navigate all the names/acronyms.
Open to other ideas on how to present the info, but this seems like a good thing to add somewhere.
--David Kaplan
Powered by blists - more mailing lists