lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250517132512.GBaCiOOF_JuL0V_j38@fat_crate.local>
Date: Sat, 17 May 2025 15:25:12 +0200
From: Borislav Petkov <bp@...en8.de>
To: Dave Hansen <dave.hansen@...el.com>
Cc: David Kaplan <david.kaplan@....com>,
	Thomas Gleixner <tglx@...utronix.de>,
	Peter Zijlstra <peterz@...radead.org>,
	Josh Poimboeuf <jpoimboe@...nel.org>,
	Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>,
	Ingo Molnar <mingo@...hat.com>,
	Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org,
	"H. Peter Anvin" <hpa@...or.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] x86/bugs: Restructure ITS mitigation

On Fri, May 16, 2025 at 03:47:26PM -0700, Dave Hansen wrote:
> This seems to be explaining what is going on, but there isn't a clear
> problem that this is fixing.
> 
> Why does this need restructuring?

Yeah, we're splitting how the whole mitigations gunk gets determined and we're
adding the capability to mitigate whole attack vectors instead of controlling
single mitigations:

/*
 * Speculation Vulnerability Handling
 *
 * Each vulnerability is handled with the following functions:
 *   <vuln>_select_mitigation() -- Selects a mitigation to use.  This should
 *                                 take into account all relevant command line
 *                                 options.
 *   <vuln>_update_mitigation() -- This is called after all vulnerabilities have
 *                                 selected a mitigation, in case the selection
 *                                 may want to change based on other choices
 *                                 made.  This function is optional.
 *   <vuln>_apply_mitigation() -- Enable the selected mitigation.
 *
 * The compile-time mitigation in all cases should be AUTO.  An explicit
 * command-line option can override AUTO.  If no such option is
 * provided, <vuln>_select_mitigation() will override AUTO to the best
 * mitigation option.
 */

Full details here:

https://lore.kernel.org/r/20250509162839.3057217-2-david.kaplan@amd.com

> There seems to be a mix of command-line parsing functions that have a
> separate 'foo_cmd' from 'foo_mitigation'. What's the reasoning behind
> converting this one?

We've been doing them with cmds first and then based on the cmd, we select the
mitigation. But we don't really need the cmds - we can simply mitigation
variable.

I'm thinking as a future cleanup we'll get rid of all cmds.

Thx.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ