| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250227012329.vbwdmihjlqu6h5da@jpoimboe> Date: Wed, 26 Feb 2025 17:23:29 -0800 From: Josh Poimboeuf <jpoimboe@...nel.org> To: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com> Cc: "Kaplan, David" <David.Kaplan@....com>, Borislav Petkov <bp@...en8.de>, Thomas Gleixner <tglx@...utronix.de>, Peter Zijlstra <peterz@...radead.org>, Ingo Molnar <mingo@...hat.com>, Dave Hansen <dave.hansen@...ux.intel.com>, "x86@...nel.org" <x86@...nel.org>, "H . Peter Anvin" <hpa@...or.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org> Subject: Re: [PATCH v3 20/35] x86/bugs: Define attack vectors On Wed, Feb 26, 2025 at 04:35:28PM -0800, Pawan Gupta wrote: > On Wed, Feb 26, 2025 at 03:44:40PM -0800, Josh Poimboeuf wrote: > > On Wed, Feb 26, 2025 at 02:13:24PM -0800, Pawan Gupta wrote: > > > On Wed, Feb 26, 2025 at 09:03:58PM +0000, Kaplan, David wrote: > > > > > Extending =auto to take attack vectors is going to be tricky, because it already > > > > > takes ",nosmt" which would conflict with ",no_cross_thread". > > > > > > > > > > How about we keep =off, and =auto as is, and add: > > > > > > > > > > mitigations=selective,no_user_kernel,no_cross_thread,... > > > > > > > > > > Requiring the user to explicitly select attack vectors to disable (rather than to > > > > > enable). This would be more verbose, but it would be clear that the user is explicitly > > > > > selecting attack vectors to disable. Also, if a new attack vector gets added in future, > > > > > it would be mitigated by default, without requiring the world to change their cmdline. > > > > > > > > I kind of like that. > > > > While it might be true that we don't necessarily need both opt-in and > > opt-out options... > > > > I'm missing the point of the "selective" thing vs just > > "auto,no_whatever"? > > That was my first thought, but then I realized that in "auto,nosmt" nosmt > is the opposite of disabling the mitigation. It would be cleaner to have > "=selective,no_whatever" which is self-explanatory. The "auto,nosmt,no_whatever" is indeed a bit confusing because of the opposite meanings of the word "no", but least it sort of makes some kind of sense if you consider the existing "auto,nosmt" option to be the starting point. And we could document it from that perspective: start with "auto" or "auto,smt" and then optionally append the ",no_*" options for the vectors you want to disable. IMO "selective" doesn't seem very self-explanatory, it says nothing to indicate "opting out of defaults", in fact it sounds to me more like opting in. At least with "auto,no_whatever" it's more clear that it starts with the defaults and subtracts from there. -- Josh
Powered by blists - more mailing lists