Attack Vector Controls Could Be Ready For Linux 6.17 Introduction
([Linux Security] 5 Hours Ago
Attack Vector Controls)
- Reference: 0001560453
- News link: https://www.phoronix.com/news/Attack-Vector-Controls-Coming
- Source link:
The AMD engineering led work on [1]Attack Vector Controls for the Linux kernel could be mainlined with the upcoming Linux 6.17 kernel with the remaining patches now being queued within a TIP branch.
Sent out last year were the original patches for Attack Vector Controls as [2]a way to re-think CPU security mitigation handling . With Attack Vector Controls it becomes easier for Linux system/server administrators to control which CPU mitigations are applied based upon the intended role of the system, rather than worrying about enabling/disabling individual security mitigations.
Attack Vector Controls [3]allow much easier mitigation management by classifying CPU securirty mitigations in areas of user-to-kernel, user-to-user, guest-to-host, guest-to-guest, and cross-thread mitigations. Depending upon whether the server(s) are running any virtual machines, whether the server is running all trusted VMs or a mix of VMs from different untrusted users, and similar scenarios allow for more effective control of these security mitigations across different AMD and Intel processors.
Back in Linux 6.15 [4]some of the preparation patches were merged while it looks like for Linux 6.17 the actual enablement could be upstreamed.
Merged today via the [5]tip/tip.git's x86/bugs branch are the Attack Vector Controls patches. Now that the patches are in a TIP branch, they will presumably be submitted for the next kernel cycle: the upcoming Linux 6.17 merge window opening around the end of July / early August.
See [6]the current Attack Vector Controls documentation for more information around these upcoming controls for managing CPU security mitigations on Linux systems.
[1] https://www.phoronix.com/search/Attack+Vector+Controls
[2] https://www.phoronix.com/news/Attack-Vector-Controls-RFC
[3] https://www.phoronix.com/news/Linux-CPU-Attack-Vector-Control
[4] https://www.phoronix.com/news/Linux-6.15-x86-bugs
[5] https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/log/?h=x86/bugs
[6] https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?h=x86/bugs&id=1caa1b0509eaec2ea111b875da4eddb44edc9ea5
Sent out last year were the original patches for Attack Vector Controls as [2]a way to re-think CPU security mitigation handling . With Attack Vector Controls it becomes easier for Linux system/server administrators to control which CPU mitigations are applied based upon the intended role of the system, rather than worrying about enabling/disabling individual security mitigations.
Attack Vector Controls [3]allow much easier mitigation management by classifying CPU securirty mitigations in areas of user-to-kernel, user-to-user, guest-to-host, guest-to-guest, and cross-thread mitigations. Depending upon whether the server(s) are running any virtual machines, whether the server is running all trusted VMs or a mix of VMs from different untrusted users, and similar scenarios allow for more effective control of these security mitigations across different AMD and Intel processors.
Back in Linux 6.15 [4]some of the preparation patches were merged while it looks like for Linux 6.17 the actual enablement could be upstreamed.
Merged today via the [5]tip/tip.git's x86/bugs branch are the Attack Vector Controls patches. Now that the patches are in a TIP branch, they will presumably be submitted for the next kernel cycle: the upcoming Linux 6.17 merge window opening around the end of July / early August.
See [6]the current Attack Vector Controls documentation for more information around these upcoming controls for managing CPU security mitigations on Linux systems.
[1] https://www.phoronix.com/search/Attack+Vector+Controls
[2] https://www.phoronix.com/news/Attack-Vector-Controls-RFC
[3] https://www.phoronix.com/news/Linux-CPU-Attack-Vector-Control
[4] https://www.phoronix.com/news/Linux-6.15-x86-bugs
[5] https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/log/?h=x86/bugs
[6] https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?h=x86/bugs&id=1caa1b0509eaec2ea111b875da4eddb44edc9ea5
Developer12