| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250818183120.gxeptjocg6ur6jvo@desk>
Date: Mon, 18 Aug 2025 11:31:20 -0700
From: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
To: "Kaplan, David" <David.Kaplan@....com>
Cc: Thomas Gleixner <tglx@...utronix.de>, Borislav Petkov <bp@...en8.de>,
Peter Zijlstra <peterz@...radead.org>,
Josh Poimboeuf <jpoimboe@...nel.org>,
Ingo Molnar <mingo@...hat.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
"x86@...nel.org" <x86@...nel.org>,
"H . Peter Anvin" <hpa@...or.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 3/3] x86/bugs: Simplify SSB cmdline parsing
On Mon, Aug 18, 2025 at 05:55:35PM +0000, Kaplan, David wrote:
> [AMD Official Use Only - AMD Internal Distribution Only]
>
> > -----Original Message-----
> > From: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
> > Sent: Monday, August 18, 2025 12:42 PM
> > To: Kaplan, David <David.Kaplan@....com>
> > Cc: Thomas Gleixner <tglx@...utronix.de>; Borislav Petkov <bp@...en8.de>; Peter
> > Zijlstra <peterz@...radead.org>; Josh Poimboeuf <jpoimboe@...nel.org>; Ingo
> > Molnar <mingo@...hat.com>; Dave Hansen <dave.hansen@...ux.intel.com>;
> > x86@...nel.org; H . Peter Anvin <hpa@...or.com>; linux-kernel@...r.kernel.org
> > Subject: Re: [PATCH 3/3] x86/bugs: Simplify SSB cmdline parsing
> >
> > Caution: This message originated from an External Source. Use proper caution
> > when opening attachments, clicking links, or responding.
> >
> >
> > On Mon, Aug 11, 2025 at 09:26:59AM -0500, David Kaplan wrote:
> > > Simplify the SSB command line parsing by selecting a mitigation directly,
> > > as is done in most of the simpler vulnerabilities. Use early_param instead
> > > of cmdline_find_option for consistency with the other mitigation
> > > selections.
> > >
> > > Signed-off-by: David Kaplan <david.kaplan@....com>
> > > ---
> > > arch/x86/kernel/cpu/bugs.c | 118 ++++++++++++-------------------------
> > > 1 file changed, 39 insertions(+), 79 deletions(-)
> > >
> > > diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> > > index 19a3891953c3..3766dff9a699 100644
> > > --- a/arch/x86/kernel/cpu/bugs.c
> > > +++ b/arch/x86/kernel/cpu/bugs.c
> > > @@ -2625,16 +2625,8 @@ void cpu_bugs_smt_update(void)
> > > #undef pr_fmt
> > > #define pr_fmt(fmt) "Speculative Store Bypass: " fmt
> > >
> > > -static enum ssb_mitigation ssb_mode __ro_after_init =
> > SPEC_STORE_BYPASS_NONE;
> > > -
> > > -/* The kernel command line selection */
> > > -enum ssb_mitigation_cmd {
> > > - SPEC_STORE_BYPASS_CMD_NONE,
> > > - SPEC_STORE_BYPASS_CMD_AUTO,
> > > - SPEC_STORE_BYPASS_CMD_ON,
> > > - SPEC_STORE_BYPASS_CMD_PRCTL,
> > > - SPEC_STORE_BYPASS_CMD_SECCOMP,
> > > -};
> > > +static enum ssb_mitigation ssb_mode __ro_after_init =
> > > + IS_ENABLED(CONFIG_MITIGATION_SSB) ?
> > SPEC_STORE_BYPASS_PRCTL : SPEC_STORE_BYPASS_NONE;
> >
> > Other mitigations default to "AUTO", but not this one. Isn't that something
> > that attack-vector controls rely on?
>
> I hadn't modified SSB in the initial attack vector series because SSB
> mitigation was never actually turned on (set to
> SPEC_STORE_BYPASS_DISABLE) by default. The default option requires
> applications to opt-in to mitigation.
I think of it as mitigation being conditionally enabled (for applications
opting in).
> However this probably could be done better by saying that ssb defaults to
> SPEC_STORE_BYPASS_PRCTL if the user->user vector is enabled...and
> otherwise it is SPEC_STORE_BYPASS_NONE, since the default ssb mitigation
> is only for applications that want to protect themselves.
>
> I can do that in a separate patch in this series after this clean-up
> patch if that sounds reasonable.
Sounds good to me. Thanks.
Powered by blists - more mailing lists