| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <uhfexplln3n736m4yxdrfqg666x4hs5pokxqw6ycnaktastvko@zi2saqxeoidj>
Date: Thu, 10 Apr 2025 11:12:09 -0700
From: Josh Poimboeuf <jpoimboe@...nel.org>
To: David Kaplan <david.kaplan@....com>
Cc: Thomas Gleixner <tglx@...utronix.de>, Borislav Petkov <bp@...en8.de>,
Peter Zijlstra <peterz@...radead.org>, Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>,
Ingo Molnar <mingo@...hat.com>, Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org,
"H . Peter Anvin" <hpa@...or.com>, linux-kernel@...r.kernel.org,
Brendan Jackman <jackmanb@...gle.com>, Derek Manwaring <derekmn@...zon.com>
Subject: Re: [PATCH v4 18/36] cpu: Define attack vectors
On Mon, Mar 10, 2025 at 11:40:05AM -0500, David Kaplan wrote:
> @@ -3178,8 +3179,38 @@ void __init boot_cpu_hotplug_init(void)
>
> #ifdef CONFIG_CPU_MITIGATIONS
> /*
> - * These are used for a global "mitigations=" cmdline option for toggling
> - * optional CPU mitigations.
> + * All except the cross-thread attack vector are mitigated by default.
> + * Cross-thread mitigation often requires disabling SMT which is too expensive
> + * to be enabled by default.
Cross-thread is *partially* mitigated by default (everything except
disabling SMT).
> +bool cpu_mitigate_attack_vector(enum cpu_attack_vectors v)
> +{
> + if (v < NR_CPU_ATTACK_VECTORS)
> + return attack_vectors[v];
> +
> + WARN_ON_ONCE(v >= NR_CPU_ATTACK_VECTORS);
This can be a WARN_ONCE(), v is already known to be invalid here.
> static int __init mitigations_parse_cmdline(char *arg)
> {
> - if (!strcmp(arg, "off"))
> - cpu_mitigations = CPU_MITIGATIONS_OFF;
> - else if (!strcmp(arg, "auto"))
> - cpu_mitigations = CPU_MITIGATIONS_AUTO;
> - else if (!strcmp(arg, "auto,nosmt"))
> - cpu_mitigations = CPU_MITIGATIONS_AUTO_NOSMT;
> - else
> - pr_crit("Unsupported mitigations=%s, system may still be vulnerable\n",
> - arg);
> + char *s, *p;
> + int len;
> +
> + len = mitigations_parse_global_opt(arg);
> +
> + if (cpu_mitigations_off()) {
> + memset(attack_vectors, 0, sizeof(attack_vectors));
> + smt_mitigations = SMT_MITIGATIONS_OFF;
> + } else if (cpu_mitigations_auto_nosmt())
> + smt_mitigations = SMT_MITIGATIONS_ON;
Kernel coding style wants consistent braces for if-then-else:
if (cpu_mitigations_off()) {
memset(attack_vectors, 0, sizeof(attack_vectors));
smt_mitigations = SMT_MITIGATIONS_OFF;
} else if (cpu_mitigations_auto_nosmt()) {
smt_mitigations = SMT_MITIGATIONS_ON;
}
--
Josh
Powered by blists - more mailing lists