Message-ID: <20250509162839.3057217-1-david.kaplan@amd.com>
Date: Fri, 9 May 2025 11:28:19 -0500
From: David Kaplan <david.kaplan@....com>
To: Thomas Gleixner <tglx@...utronix.de>, Borislav Petkov <bp@...en8.de>,
Peter Zijlstra <peterz@...radead.org>, Josh Poimboeuf <jpoimboe@...nel.org>,
Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>, Ingo Molnar
<mingo@...hat.com>, Dave Hansen <dave.hansen@...ux.intel.com>,
<x86@...nel.org>, "H . Peter Anvin" <hpa@...or.com>
CC: <linux-kernel@...r.kernel.org>
Subject: [PATCH v5 00/20] Attack vector controls (part 2)
This is an updated version of the second half of the attack vector
series which adds new attack vector command line options designed to make
it easier to control which CPU mitigations are enabled.
The first half of this series focused on bugs.c restructuring and was
merged on May 2. Link:
https://lore.kernel.org/all/20250418161721.1855190-1-david.kaplan@amd.com/
Attack vector options are designed to make it easier to select appropriate
mitigations based on the usage of the system. While many users may not be
intimately familiar with the details of these CPU vulnerabilities, they are
likely better able to understand the intended usage of their system. As a
result, unneeded mitigations may be disabled, allowing users to recoup more
performance. New documentation is included with recommendations on what to
consider when choosing which attack vectors to enable/disable.
In this series, attack vector options are chosen using the mitigations=
command line. Attack vectors may be individually disabled such as
'mitigations=auto;no_user_kernel,no_user_user'. The 'mitigations=off'
option is equivalent to disabling all attack vectors. 'mitigations=off'
therefore disables all mitigations, unless bug-specific command line
options are used to re-enable some.
Note that this patch series does not change any of the existing
mitigation defaults.
Changes in v5:
- Updated table layout in documentation file
- Minor clean up
David Kaplan (20):
Documentation/x86: Document new attack vector controls
cpu: Define attack vectors
x86/Kconfig: Add arch attack vector support
x86/bugs: Define attack vectors relevant for each bug
x86/bugs: Add attack vector controls for MDS
x86/bugs: Add attack vector controls for TAA
x86/bugs: Add attack vector controls for MMIO
x86/bugs: Add attack vector controls for RFDS
x86/bugs: Add attack vector controls for SRBDS
x86/bugs: Add attack vector controls for GDS
x86/bugs: Add attack vector controls for spectre_v1
x86/bugs: Add attack vector controls for retbleed
x86/bugs: Add attack vector controls for spectre_v2_user
x86/bugs: Add attack vector controls for BHI
x86/bugs: Add attack vector controls for spectre_v2
x86/bugs: Add attack vector controls for L1TF
x86/bugs: Add attack vector controls for SRSO
x86/pti: Add attack vector controls for PTI
x86/bugs: Print enabled attack vectors
cpu: Show attack vectors in sysfs
.../hw-vuln/attack_vector_controls.rst | 236 +++++++++++++++
Documentation/admin-guide/hw-vuln/index.rst | 1 +
.../admin-guide/kernel-parameters.txt | 4 +
arch/Kconfig | 3 +
arch/x86/Kconfig | 1 +
arch/x86/kernel/cpu/bugs.c | 278 ++++++++++++++----
arch/x86/mm/pti.c | 4 +-
drivers/base/cpu.c | 67 +++++
include/linux/cpu.h | 21 ++
kernel/cpu.c | 130 +++++++-
10 files changed, 672 insertions(+), 73 deletions(-)
create mode 100644 Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
base-commit: fd569ffb9ea03da78b1719ccee5bce34fa130fa7
--
2.34.1
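The cover letter describes the command line forms the series accepts: 'mitigations=off' disables every attack vector, and 'mitigations=auto;no_<vector>,...' keeps the defaults but disables the listed vectors. As an added illustration of that syntax (this is not code from the series; the kernel's own vector list, defaults and parser live in kernel/cpu.c and arch/x86/kernel/cpu/bugs.c of the patches), the following small parser takes the value after "mitigations=" and resolves it to a per-vector enabled/disabled table. It only knows the two vector names the cover letter mentions, user_kernel and user_user, and treats any other token as an error; other existing mitigations= forms are deliberately not handled.

```c
/*
 * Added example, not part of the patch series: resolve the mitigations=
 * value described in the cover letter into per-attack-vector flags.
 *
 *   "off"                                  -> every vector disabled
 *   "auto"                                 -> every vector enabled
 *   "auto;no_user_kernel,no_user_user"     -> listed vectors disabled
 *
 * Only the two vector names named in the cover letter are known here
 * (assumption: the real series defines more). Unknown tokens mark the
 * result invalid instead of being silently ignored, since silently
 * dropping a misspelled "no_..." would leave a mitigation on (or off)
 * that the administrator did not intend.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum attack_vector {
	AV_USER_KERNEL,
	AV_USER_USER,
	AV_COUNT
};

static const char *const av_names[AV_COUNT] = {
	[AV_USER_KERNEL] = "user_kernel",
	[AV_USER_USER]   = "user_user",
};

struct av_config {
	bool enabled[AV_COUNT];
	bool valid;	/* false if any token was not understood */
};

/* Apply one "no_<vector>" token of length len; return false if unknown. */
static bool apply_token(struct av_config *cfg, const char *tok, size_t len)
{
	if (len < 3 || strncmp(tok, "no_", 3) != 0)
		return false;
	tok += 3;
	len -= 3;
	for (int i = 0; i < AV_COUNT; i++) {
		if (strlen(av_names[i]) == len &&
		    strncmp(tok, av_names[i], len) == 0) {
			cfg->enabled[i] = false;
			return true;
		}
	}
	return false;
}

/* Parse the text after "mitigations=" and return the resulting table. */
struct av_config parse_mitigations(const char *value)
{
	struct av_config cfg;

	for (int i = 0; i < AV_COUNT; i++)
		cfg.enabled[i] = true;
	cfg.valid = true;

	/* No option at all: the series leaves existing defaults untouched. */
	if (!value || !*value)
		return cfg;

	if (strcmp(value, "off") == 0) {
		for (int i = 0; i < AV_COUNT; i++)
			cfg.enabled[i] = false;
		return cfg;
	}

	/* "auto" optionally followed by ";no_<vector>[,no_<vector>...]" */
	if (strncmp(value, "auto", 4) != 0) {
		cfg.valid = false;
		return cfg;
	}
	const char *p = value + 4;
	if (*p == '\0')
		return cfg;
	if (*p != ';') {
		cfg.valid = false;
		return cfg;
	}
	p++;

	while (*p) {
		const char *end = strchr(p, ',');
		size_t len = end ? (size_t)(end - p) : strlen(p);

		if (!apply_token(&cfg, p, len))
			cfg.valid = false;
		p = end ? end + 1 : p + len;
	}
	return cfg;
}

/* Convenience helper: is the named vector still enabled under value? */
bool av_enabled(const char *value, const char *name)
{
	struct av_config cfg = parse_mitigations(value);

	for (int i = 0; i < AV_COUNT; i++)
		if (strcmp(av_names[i], name) == 0)
			return cfg.enabled[i];
	return false;
}

int main(void)
{
	/* Constructed sample values, taken from the forms in the cover letter. */
	const char *samples[] = {
		"auto", "off", "auto;no_user_kernel,no_user_user", "auto;no_bogus",
	};

	for (size_t s = 0; s < sizeof(samples) / sizeof(samples[0]); s++) {
		struct av_config cfg = parse_mitigations(samples[s]);

		printf("mitigations=%s (%s):", samples[s],
		       cfg.valid ? "ok" : "INVALID");
		for (int i = 0; i < AV_COUNT; i++)
			printf(" %s=%s", av_names[i], cfg.enabled[i] ? "on" : "off");
		printf("\n");
	}
	return 0;
}
```

The helper mirrors the semantics stated in the cover letter only; bug-specific options that re-enable an individual mitigation after 'mitigations=off' are a separate layer and are not modelled here.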