lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250710151702.GCaG_Zbjo1sqZ6NB2g@fat_crate.local>
Date: Thu, 10 Jul 2025 17:17:02 +0200
From: Borislav Petkov <bp@...en8.de>
To: "Kaplan, David" <David.Kaplan@....com>
Cc: Thomas Gleixner <tglx@...utronix.de>,
	Peter Zijlstra <peterz@...radead.org>,
	Josh Poimboeuf <jpoimboe@...nel.org>,
	Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>,
	Ingo Molnar <mingo@...hat.com>,
	Dave Hansen <dave.hansen@...ux.intel.com>,
	"x86@...nel.org" <x86@...nel.org>,
	"H . Peter Anvin" <hpa@...or.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v6 02/21] cpu: Define attack vectors

On Thu, Jul 10, 2025 at 02:02:56PM +0000, Kaplan, David wrote:
> Interesting.  I would suggest a comma instead, so you have things like
> "mitigations=auto,no_user_kernel".  That's somewhat consistent with the
> existing 'auto,nosmt' option as well.

Ack, see below.

> Still you would have global options come first, and then the attack vector
> options.  But since commas are already used to separate tokens, that seems
> cleaner to me.
> 
> If you're going to edit the patch directly, just please remember to update
> the documentation file accordingly too.

Yeah, and the commit messages. 

This is just the patche(es), I'll go over the commit messages too.

---

diff --git a/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst b/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
index ee56e849616f..b4de16f5ec44 100644
--- a/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
+++ b/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst
@@ -137,7 +137,7 @@ or more options to disable various attack vectors.
 
 Format:
 	| ``mitigations=[global]``
-	| ``mitigations=[global];[attack vectors]``
+	| ``mitigations=[global],[attack vectors]``
 
 Global options:
 
@@ -166,17 +166,17 @@ the global option is not specified, it defaults to 'auto'.  The global option
 'off' is equivalent to disabling all attack vectors.
 
 Examples:
-	| ``mitigations=auto;no_user_kernel``
+	| ``mitigations=auto,no_user_kernel``
 
 	Enable all attack vectors except user-to-kernel.  Partial cross-thread
 	mitigations.
 
-	| ``mitigations=auto,nosmt;no_guest_host,no_guest_guest``
+	| ``mitigations=auto,nosmt,no_guest_host,no_guest_guest``
 
 	Enable all attack vectors and cross-thread mitigations except for
 	guest-to-host and guest-to-guest mitigations.
 
-	| ``mitigations=;no_cross_thread``
+	| ``mitigations=,no_cross_thread``
 
 	Enable all attack vectors but not cross-thread mitigations.
 
diff --git a/kernel/cpu.c b/kernel/cpu.c
index be25543567c0..c976a6686d8b 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -3276,8 +3276,8 @@ static int __init mitigations_parse_cmdline(char *arg)
 	if (!*p)
 		return 0;
 
-	/* Attack vector controls may come after a ';' */
-	if (*p++ != ';' || !IS_ENABLED(CONFIG_ARCH_HAS_CPU_ATTACK_VECTORS)) {
+	/* Attack vector controls may come after the ',' */
+	if (*p++ != ',' || !IS_ENABLED(CONFIG_ARCH_HAS_CPU_ATTACK_VECTORS)) {
 		pr_crit("Unsupported mitigations=%s, system may still be vulnerable\n",	arg);
 		return 0;
 	}

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ