lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f82878e8-fdf7-4a73-93a1-2edf52fc0145@linux.intel.com>
Date: Tue, 29 Oct 2024 08:33:51 -0700
From: Daniel Sneddon <daniel.sneddon@...ux.intel.com>
To: Borislav Petkov <bp@...en8.de>, David Kaplan <David.Kaplan@....com>
Cc: Jonathan Corbet <corbet@....net>, Thomas Gleixner <tglx@...utronix.de>,
 Peter Zijlstra <peterz@...radead.org>, Josh Poimboeuf <jpoimboe@...nel.org>,
 Ingo Molnar <mingo@...hat.com>, Dave Hansen <dave.hansen@...ux.intel.com>,
 x86@...nel.org, hpa@...or.com, linux-doc@...r.kernel.org,
 linux-kernel@...r.kernel.org, pawan.kumar.gupta@...ux.intel.com
Subject: Re: [PATCH 2/2] x86/bugs: Clean-up verw mitigations

On 10/29/24 08:00, Borislav Petkov wrote:
> On Tue, Oct 29, 2024 at 07:40:28AM -0700, Daniel Sneddon wrote:
>> Sure, I'll split this up as much as possible.
> 
> Actually, thinking about this more and looking at David's rework:
> 
> https://lore.kernel.org/r/20240912190857.235849-1-david.kaplan@amd.com
> 
> his basically is achieving what you're doing - a post-everything routine which
> selects the final mitigation strategy once all the mitigation options have
> been parsed and evaluated.
> 
> So I'm wondering if we should simply take his directly...
> 
> He removes that md_clear* function:
> 
> https://lore.kernel.org/r/20240912190857.235849-8-david.kaplan@amd.com
> 
> in favor of doing the final selection in the ->apply* functions and keeping
> each mitigation functions simple.
> 
> Yours does this in a single function.
> 
> Practically speaking, the end result is the same.
> 
> Hmm...
> 
I really like the attack vector idea David is using. I suspect people really
care about "protect my kernel from bad users" or "protect my host vm from
guests" more than "protect me from mds and rfds." I was trying to get rid of the
need to do a call to any kind of update function where he took the existing
function and split it into one for each mitigation that needs it. Like you said,
different approach same end result really.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ