lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20251013143444.3999-3-david.kaplan@amd.com>
Date: Mon, 13 Oct 2025 09:33:50 -0500
From: David Kaplan <david.kaplan@....com>
To: Thomas Gleixner <tglx@...utronix.de>, Borislav Petkov <bp@...en8.de>,
	Peter Zijlstra <peterz@...radead.org>, Josh Poimboeuf <jpoimboe@...nel.org>,
	Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>, Ingo Molnar
	<mingo@...hat.com>, Dave Hansen <dave.hansen@...ux.intel.com>,
	<x86@...nel.org>, "H . Peter Anvin" <hpa@...or.com>
CC: Alexander Graf <graf@...zon.com>, Boris Ostrovsky
	<boris.ostrovsky@...cle.com>, <linux-kernel@...r.kernel.org>
Subject: [RFC PATCH 02/56] x86/Kconfig: Add CONFIG_DYNAMIC_MITIGATIONS

CONFIG_DYNAMIC_MITIGATIONS enables support for runtime re-patching of the
kernel when mitigation selections are changed.  It depends on
CONFIG_LIVEPATCH because it needs modules to preserve all their ELF
information for later re-patching.  It also depends on CONFIG_FREEZER
because re-patching must be done while all tasks are in the freezer to
avoid race conditions.

CONFIG_DEBUG_ENTRY must be false because dynamic mitigations relies on a
non-reentrant NMI handler which does not unmask NMIs early.

CONFIG_DYNAMIC_MITIGATIONS is optional because support for dynamic
mitigations does increase runtime kernel memory usage.

Signed-off-by: David Kaplan <david.kaplan@....com>
---
 arch/x86/Kconfig | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index fa3b616af03a..0c8c1e508223 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2711,6 +2711,18 @@ config MITIGATION_VMSCAPE
 	  Enable mitigation for VMSCAPE attacks. VMSCAPE is a hardware security
 	  vulnerability on Intel and AMD CPUs that may allow a guest to do
 	  Spectre v2 style attacks on userspace hypervisor.
+
+config DYNAMIC_MITIGATIONS
+	bool "Support dynamic reconfiguration of CPU mitigations at runtime"
+	depends on LIVEPATCH && FREEZER && !DEBUG_ENTRY
+	default y
+	help
+	  Allow CPU mitigations to be reconfigured at runtime via
+	  sysfs.  Dynamic mitigation support requires extra kernel memory
+	  to keep around alternative information after kernel boot but
+	  allows CPU mitigation settings to be modified without a
+	  kexec/reboot.
+
 endif
 
 config ARCH_HAS_ADD_PAGES
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ