Message-ID: <88baaae8-d9fe-4c8a-a5e2-383d6b641e2c@linux.intel.com>
Date: Mon, 14 Oct 2024 08:42:26 -0700
From: Daniel Sneddon <daniel.sneddon@...ux.intel.com>
To: Borislav Petkov <bp@...en8.de>, Josh Poimboeuf <jpoimboe@...nel.org>
Cc: "Kaplan, David" <David.Kaplan@....com>, Jonathan Corbet <corbet@....net>,
 Thomas Gleixner <tglx@...utronix.de>, Peter Zijlstra <peterz@...radead.org>,
 Ingo Molnar <mingo@...hat.com>, Dave Hansen <dave.hansen@...ux.intel.com>,
 "x86@...nel.org" <x86@...nel.org>, "hpa@...or.com" <hpa@...or.com>,
 "linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
 "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
 "pawan.kumar.gupta@...ux.intel.com" <pawan.kumar.gupta@...ux.intel.com>
Subject: Re: [PATCH 1/6] x86/bugs: Create single parameter for VERW based
 mitigations

On 10/10/24 07:57, Borislav Petkov wrote:
> On Wed, Oct 09, 2024 at 09:52:19PM -0700, Josh Poimboeuf wrote:
>> Is this a realistic use case?  Are people really going to want to
>> enable/disable VERW mitigations as a group?

They have to. The way you do it today is by setting four different options. If
you miss one and your system has the bug you missed, too bad, you're getting the
mitigation enabled. Since we have four bugs but only one mitigation, I thought
it made more sense to just have 1 knob to control it rather than 4. However,
since we'd need to keep those old knobs around anyway it turns out we'd just
have 5. :( <insert XKCD comic here>

> 
> +1.
> 
> David's per-attack-vector stuff will simplify the user side of this
> considerably so I'm trying real-hard to find the point for a new option.
> 
> IOW, the reason I requested this cleanup is to have proper sync between the
> different mitigations all using VERW behind the scenes. But there's no need to
> change the user interface, is it?
> 

The reason I did the patches this way wasn't so much "need" as it just seemed a
simpler way to do it. Why have 4 knobs when there is really only 1 mitigation
under the hood? My question for you then is what you mean by "proper sync"? I'm
guessing you mean that if any one of those 4 mitigations is set to off then
assume all are off? No one should want to set, say, MMIO to =off but RFDS to =on,
so the only real issue is if I set some to =off, but leave others unset, the
unspecified options will default to on, which means all are on. If the desire is
to reverse that so any one of the 4 being disabled is enough to disable all VERW
mitigations, I can make that change. I just want to make sure I know what the
desired path is.

Thanks,
Dan

> Thx.
> 
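
The failure mode discussed in this message (some VERW knobs set to =off, one left unset, so the shared mitigation stays on) can be checked with a short script. This is an added example, not part of the thread or the kernel patches; it models only the four per-bug options, and the function names, the last-occurrence-wins rule and the sample command line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: which per-bug options still leave the shared VERW mitigation on?
# Option names are the existing per-bug kernel parameters / sysfs file names.
VERW_KNOBS="mds tsx_async_abort mmio_stale_data reg_file_data_sampling"

# knob_state CMDLINE KNOB: print the knob's value, or "unset" if absent.
# Assumption: when a knob is repeated, the last occurrence wins.
knob_state() (
    set -f                      # do not glob-expand command-line tokens
    state=unset
    for tok in $1; do
        case "$tok" in "$2"=*) state=${tok#*=} ;; esac
    done
    printf '%s\n' "$state"
)

# affected_from_sysfs [DIR]: print the knobs whose bug this CPU reports.
affected_from_sysfs() (
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    out=""
    for knob in $VERW_KNOBS; do
        [ -r "$dir/$knob" ] || continue
        grep -q '^Not affected' "$dir/$knob" || out="$out $knob"
    done
    printf '%s\n' "${out# }"
)

# verw_left_on CMDLINE AFFECTED: print affected knobs not set to "off".
# Any output means VERW stays enabled, per the behaviour described above.
verw_left_on() (
    left=""
    for knob in $VERW_KNOBS; do
        case " $2 " in *" $knob "*) ;; *) continue ;; esac
        [ "$(knob_state "$1" "$knob")" = off ] || left="$left $knob"
    done
    printf '%s\n' "${left# }"
)

# Constructed sample: three of the four knobs disabled, RFDS forgotten.
SAMPLE="root=/dev/sda1 ro mds=off tsx_async_abort=off mmio_stale_data=off"
echo "still enabling VERW: $(verw_left_on "$SAMPLE" "$VERW_KNOBS")"
```

On a live system, `verw_left_on "$(cat /proc/cmdline)" "$(affected_from_sysfs)"` runs the same check against the booted command line and the CPU's reported bugs.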
