
Linux 6.12 Adds Build Options For Greater Control Over CPU Security Mitigations

([Linux Security] 4 Hours Ago Linux 6.12 Kconfig Options)


Not to be confused with the proposal a few days ago by an AMD engineer for [1]Attack Vector Controls for broader control over CPU security mitigation handling, the in-development Linux 6.12 kernel is adding new Kconfig options that allow more build-time control over which CPU security mitigation code is compiled into the kernel.

The "x86/bugs" pull request was sent out for the Linux 6.12 merge window, and its primary addition is a separate Kconfig option for every possible hardware CPU mitigation. While you can already run your kernel with "mitigations=off" or specify other parameters to disable various CPU security mitigations at run-time, this change is about giving greater control over disabling individual CPU security mitigations at kernel build time.

New Kconfig options are added for the CPU security vulnerabilities of MDS, TAA, MMIO Stale Data, L1TF, Retbleed, Spectre V1, SRBDS, Spectre V2, SSB, and GDS.


These Kconfig build options were added by Debian developer Breno Leitao. His intention with the more fine-grained CPU security mitigation controls is to let users pick and compile only the mitigations that are important to their workloads, to make it easier to disable mitigations that might mangle the assembly code generation and in turn make it harder to read and debug, and lastly:

"3) Separate Kconfigs for just source code readability, so that we see *which* butt-ugly piece of crap code is for what reason..."

These new options come with the [3]x86/bugs pull request for Linux 6.12.
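
To check which of the mitigations listed above a given kernel build was compiled with, a config audit along these lines can be used. This is an added example, not code from the article or the kernel project; the CONFIG_MITIGATION_* symbol names are assumed to match arch/x86/Kconfig in Linux 6.12, the function names are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: report the build-time state of the per-vulnerability
# mitigation options in a kernel .config (x86, Linux 6.12 or later).

# Suffixes of the CONFIG_MITIGATION_* symbols, one per vulnerability the
# article lists (symbol names are an assumption; the article gives none).
MITIGATION_OPTS="MDS TAA MMIO_STALE_DATA L1TF RETBLEED SPECTRE_V1 SRBDS SPECTRE_V2 SSB GDS"

# Read a kernel config on stdin and print "<symbol> <state>" per option.
#   enabled  - "CONFIG_X=y" present
#   disabled - "# CONFIG_X is not set" present (deselected at build time)
#   absent   - symbol not in this config (older kernel or unmet dependency)
audit_mitigations() {
    cfg=$(cat)
    for opt in $MITIGATION_OPTS; do
        sym="CONFIG_MITIGATION_$opt"
        # -x -F: whole-line literal match, so partial or edited lines do not count
        if printf '%s\n' "$cfg" | grep -qxF "$sym=y"; then
            state=enabled
        elif printf '%s\n' "$cfg" | grep -qxF "# $sym is not set"; then
            state=disabled
        else
            state=absent
        fi
        printf '%s %s\n' "$sym" "$state"
    done
}

# Print only the symbols whose mitigation code is not confirmed compiled in.
missing_mitigations() {
    audit_mitigations | awk '$2 != "enabled" { print $1 }'
}

# Constructed sample config (not taken from a real build): Retbleed is
# explicitly deselected and the GDS symbol does not appear at all.
sample_config() {
    cat <<'EOF'
CONFIG_X86_64=y
CONFIG_MITIGATION_MDS=y
CONFIG_MITIGATION_TAA=y
CONFIG_MITIGATION_MMIO_STALE_DATA=y
CONFIG_MITIGATION_L1TF=y
# CONFIG_MITIGATION_RETBLEED is not set
CONFIG_MITIGATION_SPECTRE_V1=y
CONFIG_MITIGATION_SRBDS=y
CONFIG_MITIGATION_SPECTRE_V2=y
CONFIG_MITIGATION_SSB=y
EOF
}

sample_config | audit_mitigations
```

On a real system the same functions can read /boot/config-$(uname -r), or the output of zcat /proc/config.gz where the kernel exposes it.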



[1] https://www.phoronix.com/news/Attack-Vector-Controls-RFC


[3] https://lore.kernel.org/lkml/20240909151344.GAZt8QqEDhZCMVYQbY@fat_crate.local/


