| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID:
<DS0PR12MB92732E540B0951324A01B51D94E9A@DS0PR12MB9273.namprd12.prod.outlook.com>
Date: Thu, 16 Oct 2025 13:56:03 +0000
From: "Kaplan, David" <David.Kaplan@....com>
To: Nicolas Bouchinet <nicolas.bouchinet@....cyber.gouv.fr>
CC: Josh Poimboeuf <jpoimboe@...nel.org>, Aaron Rainbolt
<arraybolt3@...il.com>, Thomas Gleixner <tglx@...utronix.de>, Borislav Petkov
<bp@...en8.de>, Peter Zijlstra <peterz@...radead.org>, Pawan Gupta
<pawan.kumar.gupta@...ux.intel.com>, Ingo Molnar <mingo@...hat.com>, Dave
Hansen <dave.hansen@...ux.intel.com>, "x86@...nel.org" <x86@...nel.org>, "H .
Peter Anvin" <hpa@...or.com>, Alexander Graf <graf@...zon.com>, Boris
Ostrovsky <boris.ostrovsky@...cle.com>, "linux-kernel@...r.kernel.org"
<linux-kernel@...r.kernel.org>, Xiujianfeng <xiujianfeng@...wei.com>,
"xiujianfeng@...weicloud.com" <xiujianfeng@...weicloud.com>
Subject: RE: [RFC PATCH 00/56] Dynamic mitigations
[AMD Official Use Only - AMD Internal Distribution Only]
> -----Original Message-----
> From: Nicolas Bouchinet <nicolas.bouchinet@....cyber.gouv.fr>
> Sent: Thursday, October 16, 2025 8:55 AM
> To: Kaplan, David <David.Kaplan@....com>
> Cc: Josh Poimboeuf <jpoimboe@...nel.org>; Aaron Rainbolt
> <arraybolt3@...il.com>; Thomas Gleixner <tglx@...utronix.de>; Borislav Petkov
> <bp@...en8.de>; Peter Zijlstra <peterz@...radead.org>; Pawan Gupta
> <pawan.kumar.gupta@...ux.intel.com>; Ingo Molnar <mingo@...hat.com>; Dave
> Hansen <dave.hansen@...ux.intel.com>; x86@...nel.org; H . Peter Anvin
> <hpa@...or.com>; Alexander Graf <graf@...zon.com>; Boris Ostrovsky
> <boris.ostrovsky@...cle.com>; linux-kernel@...r.kernel.org; Xiujianfeng
> <xiujianfeng@...wei.com>; xiujianfeng@...weicloud.com
> Subject: Re: [RFC PATCH 00/56] Dynamic mitigations
>
> Caution: This message originated from an External Source. Use proper caution
> when opening attachments, clicking links, or responding.
>
>
> [snip]
> > > LOCKDOWN_DEV_MEM is an integrity reason and should not be used for this
> > > scenario.
> > > I'd rather like to add a new Lockdown reason in the confidentiality set,
> > > maybe LOCKDOWN_CPU_MITIGATION ?
> > >
> >
> > Ok, that makes sense. Just to clarify, would that mean something like the below:
> >
> > diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c
> > index 3f9410dee67c..9b4864f84146 100644
> > --- a/drivers/base/cpu.c
> > +++ b/drivers/base/cpu.c
> > @@ -691,6 +691,9 @@ ssize_t cpu_write_mitigation_options(struct device *dev,
> > struct device_attribute *attr,
> > const char *buf, size_t count)
> > {
> > + if (security_locked_down(LOCKDOWN_CPU_MITIGATIONS))
> > + return -EPERM;
> > +
> > /* Save and filter the provided options. */
> > cpu_filter_mitigation_opts(buf);
> >
> > diff --git a/include/linux/security.h b/include/linux/security.h
> > index 92ac3f27b973..81cb52cf2111 100644
> > --- a/include/linux/security.h
> > +++ b/include/linux/security.h
> > @@ -153,6 +153,7 @@ enum lockdown_reason {
> > LOCKDOWN_TRACEFS,
> > LOCKDOWN_XMON_RW,
> > LOCKDOWN_XFRM_SECRET,
> > + LOCKDOWN_CPU_MITIGATIONS,
> > LOCKDOWN_CONFIDENTIALITY_MAX,
> > };
>
> You should also add an entry to the lockdown_reasons array in
> `security/security.c` with a description of the reason.
>
Ah right. Thanks!
--David Kaplan
Powered by blists - more mailing lists