| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250509162839.3057217-1-david.kaplan@amd.com> Date: Fri, 9 May 2025 11:28:19 -0500 From: David Kaplan <david.kaplan@....com> To: Thomas Gleixner <tglx@...utronix.de>, Borislav Petkov <bp@...en8.de>, Peter Zijlstra <peterz@...radead.org>, Josh Poimboeuf <jpoimboe@...nel.org>, Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>, Ingo Molnar <mingo@...hat.com>, Dave Hansen <dave.hansen@...ux.intel.com>, <x86@...nel.org>, "H . Peter Anvin" <hpa@...or.com> CC: <linux-kernel@...r.kernel.org> Subject: [PATCH v5 00/20] Attack vector controls (part 2) This is an updated version of the second half of the attack vector series which adds new attack vector command line options designed to make it easier to control which CPU mitigations are enabled. The first half of this series focused on bugs.c restructuring and was merged on May 2. Link: https://lore.kernel.org/all/20250418161721.1855190-1-david.kaplan@amd.com/ Attack vector options are designed to make it easier to select appropriate mitigations based on the usage of the system. While many users may not be intimately familiar with the details of these CPU vulnerabilities, they are likely better able to understand the intended usage of their system. As a result, unneeded mitigations may be disabled, allowing users to recoup more performance. New documentation is included with recommendations on what to consider when choosing which attack vectors to enable/disable. In this series, attack vector options are chosen using the mitigations= command line. Attack vectors may be individually disabled such as 'mitigations=auto;no_user_kernel,no_user_user'. The 'mitigations=off' option is equivalent to disabling all attack vectors. 'mitigations=off' therefore disables all mitigations, unless bug-specific command line options are used to re-enable some. Note that this patch series does not change any of the existing mitigation defaults. Changes in v5: - Updated table layout in documentation file - Minor clean up David Kaplan (20): Documentation/x86: Document new attack vector controls cpu: Define attack vectors x86/Kconfig: Add arch attack vector support x86/bugs: Define attack vectors relevant for each bug x86/bugs: Add attack vector controls for MDS x86/bugs: Add attack vector controls for TAA x86/bugs: Add attack vector controls for MMIO x86/bugs: Add attack vector controls for RFDS x86/bugs: Add attack vector controls for SRBDS x86/bugs: Add attack vector controls for GDS x86/bugs: Add attack vector controls for spectre_v1 x86/bugs: Add attack vector controls for retbleed x86/bugs: Add attack vector controls for spectre_v2_user x86/bugs: Add attack vector controls for BHI x86/bugs: Add attack vector controls for spectre_v2 x86/bugs: Add attack vector controls for L1TF x86/bugs: Add attack vector controls for SRSO x86/pti: Add attack vector controls for PTI x86/bugs: Print enabled attack vectors cpu: Show attack vectors in sysfs .../hw-vuln/attack_vector_controls.rst | 236 +++++++++++++++ Documentation/admin-guide/hw-vuln/index.rst | 1 + .../admin-guide/kernel-parameters.txt | 4 + arch/Kconfig | 3 + arch/x86/Kconfig | 1 + arch/x86/kernel/cpu/bugs.c | 278 ++++++++++++++---- arch/x86/mm/pti.c | 4 +- drivers/base/cpu.c | 67 +++++ include/linux/cpu.h | 21 ++ kernel/cpu.c | 130 +++++++- 10 files changed, 672 insertions(+), 73 deletions(-) create mode 100644 Documentation/admin-guide/hw-vuln/attack_vector_controls.rst base-commit: fd569ffb9ea03da78b1719ccee5bce34fa130fa7 -- 2.34.1
Powered by blists - more mailing lists