Open Source and information security mailing list archives
 
Message-ID: <20250509162839.3057217-1-david.kaplan@amd.com>
Date: Fri, 9 May 2025 11:28:19 -0500
From: David Kaplan <david.kaplan@....com>
To: Thomas Gleixner <tglx@...utronix.de>, Borislav Petkov <bp@...en8.de>,
	Peter Zijlstra <peterz@...radead.org>, Josh Poimboeuf <jpoimboe@...nel.org>,
	Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>, Ingo Molnar
	<mingo@...hat.com>, Dave Hansen <dave.hansen@...ux.intel.com>,
	<x86@...nel.org>, "H . Peter Anvin" <hpa@...or.com>
CC: <linux-kernel@...r.kernel.org>
Subject: [PATCH v5 00/20] Attack vector controls (part 2)

This is an updated version of the second half of the attack vector
series which adds new attack vector command line options designed to make
it easier to control which CPU mitigations are enabled.

The first half of this series focused on bugs.c restructuring and was
merged on May 2.  Link:
https://lore.kernel.org/all/20250418161721.1855190-1-david.kaplan@amd.com/

Attack vector options are designed to make it easier to select appropriate
mitigations based on the usage of the system.  While many users may not be
intimately familiar with the details of these CPU vulnerabilities, they are
likely better able to understand the intended usage of their system.  As a
result, unneeded mitigations may be disabled, allowing users to recoup more
performance.  New documentation is included with recommendations on what to
consider when choosing which attack vectors to enable/disable.

In this series, attack vector options are chosen using the mitigations=
command line.  Attack vectors may be individually disabled such as
'mitigations=auto;no_user_kernel,no_user_user'.  The 'mitigations=off'
option is equivalent to disabling all attack vectors.  'mitigations=off'
therefore disables all mitigations, unless bug-specific command line
options are used to re-enable some.

Note that this patch series does not change any of the existing
mitigation defaults.

Changes in v5:
   - Updated table layout in documentation file
   - Minor clean up

David Kaplan (20):
  Documentation/x86: Document new attack vector controls
  cpu: Define attack vectors
  x86/Kconfig: Add arch attack vector support
  x86/bugs: Define attack vectors relevant for each bug
  x86/bugs: Add attack vector controls for MDS
  x86/bugs: Add attack vector controls for TAA
  x86/bugs: Add attack vector controls for MMIO
  x86/bugs: Add attack vector controls for RFDS
  x86/bugs: Add attack vector controls for SRBDS
  x86/bugs: Add attack vector controls for GDS
  x86/bugs: Add attack vector controls for spectre_v1
  x86/bugs: Add attack vector controls for retbleed
  x86/bugs: Add attack vector controls for spectre_v2_user
  x86/bugs: Add attack vector controls for BHI
  x86/bugs: Add attack vector controls for spectre_v2
  x86/bugs: Add attack vector controls for L1TF
  x86/bugs: Add attack vector controls for SRSO
  x86/pti: Add attack vector controls for PTI
  x86/bugs: Print enabled attack vectors
  cpu: Show attack vectors in sysfs

 .../hw-vuln/attack_vector_controls.rst        | 236 +++++++++++++++
 Documentation/admin-guide/hw-vuln/index.rst   |   1 +
 .../admin-guide/kernel-parameters.txt         |   4 +
 arch/Kconfig                                  |   3 +
 arch/x86/Kconfig                              |   1 +
 arch/x86/kernel/cpu/bugs.c                    | 278 ++++++++++++++----
 arch/x86/mm/pti.c                             |   4 +-
 drivers/base/cpu.c                            |  67 +++++
 include/linux/cpu.h                           |  21 ++
 kernel/cpu.c                                  | 130 +++++++-
 10 files changed, 672 insertions(+), 73 deletions(-)
 create mode 100644 Documentation/admin-guide/hw-vuln/attack_vector_controls.rst


base-commit: fd569ffb9ea03da78b1719ccee5bce34fa130fa7
-- 
2.34.1
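The mitigations= syntax the cover letter describes ('auto' or 'off', optionally followed by ';' and a comma-separated list of 'no_<vector>' tokens), modelled in user space as an added example. This is not code from the series or from kernel/cpu.c; it only uses the two vector names visible above (user_kernel, user_user), and the function names, the rule that a bug's mitigation stays on while any attack vector relevant to it is still enabled, and the treatment of unknown tokens as errors are assumptions for illustration.

```c
/*
 * Added example (not kernel code): a user-space model of parsing a
 * mitigations= value such as "auto;no_user_kernel,no_user_user" into a
 * per-attack-vector enable mask. Vector names are the two shown in the
 * cover letter; the parse rules and helper names are assumptions.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum attack_vector {
	AV_USER_KERNEL = 0,   /* user -> kernel attacks */
	AV_USER_USER,         /* user -> user attacks */
	AV_COUNT
};

static const char *const av_names[AV_COUNT] = {
	[AV_USER_KERNEL] = "user_kernel",
	[AV_USER_USER]   = "user_user",
};

struct mitigations_cfg {
	unsigned int disabled_mask;   /* bit n set => attack vector n disabled */
};

/* Parse one "no_<vector>" token into the mask; -1 for an unknown token. */
static int parse_vector_token(const char *tok, unsigned int *mask)
{
	if (strncmp(tok, "no_", 3) != 0)
		return -1;
	for (int i = 0; i < AV_COUNT; i++) {
		if (strcmp(tok + 3, av_names[i]) == 0) {
			*mask |= 1u << i;
			return 0;
		}
	}
	return -1;
}

/*
 * Parse the value of mitigations=. Returns 0 on success, -1 on a malformed
 * string; cfg is left untouched on failure so previous defaults survive.
 * "off" is modelled as every attack vector disabled, per the cover letter.
 */
int parse_mitigations(const char *arg, struct mitigations_cfg *cfg)
{
	char buf[128];
	struct mitigations_cfg tmp = { .disabled_mask = 0 };

	if (!arg || strlen(arg) >= sizeof(buf))
		return -1;
	strcpy(buf, arg);

	char *vectors = strchr(buf, ';');
	if (vectors)
		*vectors++ = '\0';

	if (strcmp(buf, "off") == 0)
		tmp.disabled_mask = (1u << AV_COUNT) - 1;
	else if (strcmp(buf, "auto") != 0)
		return -1;   /* only the auto/off prefixes are modelled here */

	for (char *tok = vectors ? strtok(vectors, ",") : NULL; tok; tok = strtok(NULL, ","))
		if (parse_vector_token(tok, &tmp.disabled_mask) < 0)
			return -1;

	*cfg = tmp;
	return 0;
}

bool vector_enabled(const struct mitigations_cfg *cfg, enum attack_vector av)
{
	return !(cfg->disabled_mask & (1u << av));
}

/* Assumed rule: a bug keeps its mitigation while any relevant vector is enabled. */
bool bug_mitigation_needed(const struct mitigations_cfg *cfg, unsigned int relevant_mask)
{
	return (relevant_mask & ~cfg->disabled_mask) != 0;
}

/* Convenience wrappers: -1 malformed string, 0 false, 1 true. */
int vector_enabled_for(const char *arg, enum attack_vector av)
{
	struct mitigations_cfg cfg;
	if (parse_mitigations(arg, &cfg) < 0)
		return -1;
	return vector_enabled(&cfg, av) ? 1 : 0;
}

int mitigation_needed_for(const char *arg, unsigned int relevant_mask)
{
	struct mitigations_cfg cfg;
	if (parse_mitigations(arg, &cfg) < 0)
		return -1;
	return bug_mitigation_needed(&cfg, relevant_mask) ? 1 : 0;
}

int main(void)
{
	const char *args[] = { "auto", "auto;no_user_kernel",
			       "auto;no_user_kernel,no_user_user", "off", "auto;no_bogus" };
	for (size_t i = 0; i < sizeof(args) / sizeof(args[0]); i++) {
		struct mitigations_cfg cfg;
		if (parse_mitigations(args[i], &cfg) < 0) {
			printf("%-36s malformed\n", args[i]);
			continue;
		}
		printf("%-36s user_kernel=%d user_user=%d\n", args[i],
		       vector_enabled(&cfg, AV_USER_KERNEL), vector_enabled(&cfg, AV_USER_USER));
	}
	return 0;
}
```

The parser builds the new configuration in a temporary and only commits it on success, so a typo in one token does not silently leave the system with a half-applied, weaker set of mitigations; the real series may well handle this differently, which is one thing to check when reading kernel/cpu.c in the patch.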

