lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID:
 <LV3PR12MB9265BA06BBDBFCEB868CFF0694B22@LV3PR12MB9265.namprd12.prod.outlook.com>
Date: Tue, 15 Apr 2025 16:10:49 +0000
From: "Kaplan, David" <David.Kaplan@....com>
To: Josh Poimboeuf <jpoimboe@...nel.org>
CC: Thomas Gleixner <tglx@...utronix.de>, Borislav Petkov <bp@...en8.de>,
	Peter Zijlstra <peterz@...radead.org>, Pawan Gupta
	<pawan.kumar.gupta@...ux.intel.com>, Ingo Molnar <mingo@...hat.com>, Dave
 Hansen <dave.hansen@...ux.intel.com>, "x86@...nel.org" <x86@...nel.org>, "H .
 Peter Anvin" <hpa@...or.com>, "linux-kernel@...r.kernel.org"
	<linux-kernel@...r.kernel.org>, Brendan Jackman <jackmanb@...gle.com>, Derek
 Manwaring <derekmn@...zon.com>
Subject: RE: [PATCH v4 17/36] Documentation/x86: Document the new attack
 vector controls

[AMD Official Use Only - AMD Internal Distribution Only]

> -----Original Message-----
> From: Josh Poimboeuf <jpoimboe@...nel.org>
> Sent: Tuesday, April 15, 2025 10:32 AM
> To: Kaplan, David <David.Kaplan@....com>
> Cc: Thomas Gleixner <tglx@...utronix.de>; Borislav Petkov <bp@...en8.de>;
> Peter Zijlstra <peterz@...radead.org>; Pawan Gupta
> <pawan.kumar.gupta@...ux.intel.com>; Ingo Molnar <mingo@...hat.com>; Dave
> Hansen <dave.hansen@...ux.intel.com>; x86@...nel.org; H . Peter Anvin
> <hpa@...or.com>; linux-kernel@...r.kernel.org; Brendan Jackman
> <jackmanb@...gle.com>; Derek Manwaring <derekmn@...zon.com>
> Subject: Re: [PATCH v4 17/36] Documentation/x86: Document the new attack
> vector controls
>
> Caution: This message originated from an External Source. Use proper caution
> when opening attachments, clicking links, or responding.
>
>
> On Tue, Apr 15, 2025 at 02:59:32PM +0000, Kaplan, David wrote:
> > > > > > +BHI                   X                           X
> > > > > > +GDS                   X              X            X              X        (Note 1)
> > > > > > +L1TF                  X                           X                       (Note 2)
> > > > > > +MDS                   X              X            X              X        (Note 2)
> > > > > > +MMIO                  X              X            X              X        (Note 2)
> > > > > > +Meltdown              X
> > > > > > +Retbleed              X                           X                       (Note 3)
> > > > > > +RFDS                  X              X            X              X
> > > > > > +Spectre_v1            X
> > > > > > +Spectre_v2            X                           X
> > > > > > +Spectre_v2_user                      X                           X        (Note 1)
> > > > > > +SRBDS                 X              X            X              X
> > > > > > +SRSO                  X                           X
> > > > > > +SSB (Note 4)
> > > > >
> > > > > Any reason not to put the "Note 4" in the same column as the others?
> > > > >
> > > >
> > > > The other notes are about cross-thread mitigation specifically and
> > > > those notes
> > > refer to the SMT aspects of those issues.
> > > >
> > > > Note 4 in this case is about the SSB vulnerability itself,
> > > > explaining that by default there is no mitigation for any case.  I
> > > > was concerned that including SSB but without any X's in any of the
> > > > columns would be confusing, so the note attempted to explain that
> > > > there were no default mitigations for SSB under any attack vector.
> > >
> > > Putting the note there makes it a lot harder to see it.  And I think
> > > the lack of X's is accurate, no?
> > >
> >
> > It is, it's just rather unique compared to the other bugs.  I could
> > remove the note entirely, but I was concerned that might look odd
> > because it'd be the only bug that isn't mitigated under any of the
> > attack vectors.  And that's really just because the current default is
> > not to mitigate that one.
>
> I think the note is helpful, it attempts to explain why there are no X's.  I was just
> thinking that it seems more logical to put it in the same column as the others.  And
> that would also help make it more clear that yes, the X's are missing.  Which is
> indeed odd, but it's also the reality.
>

Right, except that the last column is about the cross-thread vector, which is irrelevant for SSB.  All the other notes specifically pertain to SMT leakage.

I could put the '(Note 4)' text in every column, but that might be even weirder.  I could also remove SSB entirely from the table since it isn't technically relevant for any of the attack vector controls?

--David Kaplan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ