Continued Work On Attack Vector Controls Ahead Of Linux 6.16
- Reference: 0001544184
- News link: https://www.phoronix.com/news/Linux-616-Likely-Attack-Control
- Source link:
Linux 6.15 brought [3]some prep work for attack vector controls, and this week numerous attack vector control patches were queued into [4]tip/tip.git's x86/bugs branch. With the patches now in a TIP branch ahead of the upcoming Linux 6.16 merge window, they look on track to be submitted for that merge window.
These patches are [5]"part 1" of attack vector controls. AMD engineer David Kaplan explains:
"These patches restructure the existing mitigation selection logic to use a uniform set of functions. First, the "select" function is called for each mitigation to select an appropriate mitigation. Unless a mitigation is explicitly selected or disabled with a command line option, the default mitigation is AUTO and the "select" function will then choose the best mitigation. After the "select" function is called for each mitigation, some mitigations define an "update" function which can be used to update the selection, based on the choices made by other mitigations. Finally, the "apply" function is called which enables the chosen mitigation.
This structure simplifies the mitigation control logic, especially when there are dependencies between multiple vulnerabilities."
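The three-phase structure Kaplan describes, as an added toy model in C. This is not kernel code and not from the patch series: the two vulnerabilities (vuln_x, vuln_y), the CPU capability bits, the command line options and the dependency between the two mitigations are all constructed here for illustration. What it shows is why "update" only runs once every "select" has finished: a mitigation can then adjust to what the others chose, independent of the order in which the selects ran.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of the select/update/apply structure, written for this article.
 * Not kernel code: "vuln_x", "vuln_y", the capability bits and the dependency
 * between the two mitigations are constructed for illustration. */

enum mit_cmd { MIT_AUTO, MIT_OFF, MIT_ON };                          /* command line request */
enum mit_sel { SEL_NONE, SEL_SOFTWARE, SEL_HARDWARE, SEL_COVERED };  /* chosen mitigation */

struct cpu_caps { int affected_x, affected_y, has_hw_control; };     /* constructed CPU state */

struct mitigation { const char *name; enum mit_cmd cmd; enum mit_sel sel; int applied; };

struct mit_state { struct cpu_caps caps; struct mitigation x, y; };

/* Parse "vuln_x=off vuln_y=on" style options; anything else leaves AUTO. */
static void parse_cmdline(struct mit_state *s, const char *cmdline)
{
    char buf[256];
    strncpy(buf, cmdline, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        char *eq = strchr(tok, '=');
        if (!eq) continue;
        *eq++ = '\0';
        struct mitigation *m = NULL;
        if (!strcmp(tok, s->x.name)) m = &s->x;
        else if (!strcmp(tok, s->y.name)) m = &s->y;
        if (!m) continue;                      /* unknown option: ignored */
        if (!strcmp(eq, "off")) m->cmd = MIT_OFF;
        else if (!strcmp(eq, "on")) m->cmd = MIT_ON;
        else m->cmd = MIT_AUTO;
    }
}

/* Phase 1: "select". Each mitigation decides on its own, without looking at the others. */
static void select_x(struct mit_state *s)
{
    if (!s->caps.affected_x || s->x.cmd == MIT_OFF) { s->x.sel = SEL_NONE; return; }
    /* AUTO (and ON) take the best option the hardware offers */
    s->x.sel = s->caps.has_hw_control ? SEL_HARDWARE : SEL_SOFTWARE;
}

static void select_y(struct mit_state *s)
{
    if (!s->caps.affected_y || s->y.cmd == MIT_OFF) { s->y.sel = SEL_NONE; return; }
    s->y.sel = SEL_SOFTWARE;                   /* vuln_y only has a software mitigation */
}

/* Phase 2: "update". Runs after every select, so it can see the other choice.
 * Constructed dependency: the hardware control chosen for vuln_x also closes
 * vuln_y, so an AUTO selection for vuln_y drops its own software mitigation.
 * An explicit vuln_y=on keeps it. */
static void update_y(struct mit_state *s)
{
    if (s->y.cmd == MIT_AUTO && s->y.sel == SEL_SOFTWARE && s->x.sel == SEL_HARDWARE)
        s->y.sel = SEL_COVERED;
}

/* Phase 3: "apply". Only the final choice is enabled. */
static void apply(struct mitigation *m)
{
    m->applied = (m->sel == SEL_SOFTWARE || m->sel == SEL_HARDWARE);
}

static const char *sel_name(enum mit_sel sel)
{
    static const char *names[] = { "none", "software", "hardware", "covered by vuln_x" };
    return names[sel];
}

/* Runs the three phases in order on a fresh state; the result is left in *s. */
void run_mitigations(struct mit_state *s, struct cpu_caps caps, const char *cmdline)
{
    struct mitigation x = { "vuln_x", MIT_AUTO, SEL_NONE, 0 };
    struct mitigation y = { "vuln_y", MIT_AUTO, SEL_NONE, 0 };
    s->caps = caps; s->x = x; s->y = y;
    parse_cmdline(s, cmdline);
    select_x(s); select_y(s);          /* all selects first ... */
    update_y(s);                       /* ... then updates that depend on them ... */
    apply(&s->x); apply(&s->y);        /* ... then enable what was chosen */
    printf("cmdline=\"%s\": %s=%s, %s=%s\n", cmdline,
           s->x.name, sel_name(s->x.sel), s->y.name, sel_name(s->y.sel));
}

int main(void)
{
    struct mit_state s;
    struct cpu_caps hw = { 1, 1, 1 }, sw = { 1, 1, 0 };
    run_mitigations(&s, hw, "");              /* x=hardware, y=covered by vuln_x */
    run_mitigations(&s, hw, "vuln_y=on");     /* x=hardware, y=software */
    run_mitigations(&s, hw, "vuln_x=off");    /* x=none, y=software */
    run_mitigations(&s, sw, "");              /* x=software, y=software */
    return 0;
}
```

The split into phases is what keeps the dependency logic simple: update_y never has to know whether select_x ran before or after select_y, and turning vuln_x off on the command line automatically restores vuln_y's own mitigation without any special case.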
Now to get the rest of the Attack Vector Controls support across the finish line...
[1] https://www.phoronix.com/news/Attack-Vector-Controls-RFC
[2] https://www.phoronix.com/news/Linux-CPU-Attack-Vector-Control
[3] https://www.phoronix.com/news/Linux-6.15-x86-bugs
[4] https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/log/?h=x86/bugs
[5] https://lore.kernel.org/all/20250418161721.1855190-1-david.kaplan@amd.com/