
Linux 6.12 To Add New Build Options For More Fine-Grained Control Over CPU Mitigations

([Linux Security] 5 Hours Ago CPU Speculative Security Mitigations)


The Linux 6.12 kernel cycle later this year is expected to see a number of new Kconfig options introduced for greater build-time control over what CPU speculative execution security mitigations are included as part of the kernel build.

Queued into the tip/tip.git "x86/bugs" branch last week is a patch series adding a number of new Kconfig options for controlling individual CPU security mitigations at build time.

Debian developer Breno Leitao explained the effort in the [1]patch series:

"The current CONFIG_SPECULATION_MITIGATIONS namespace is only halfway populated, where some mitigations have entries in Kconfig, and they could be modified, while other mitigations do not have Kconfig entries, and cannot be controlled at build time.

New mitigations, such as BHI, were properly added, i.e., having an independent Kconfig, which depends on CONFIG_SPECULATION_MITIGATIONS, so, you can enable/disable at compilation time.

This patch set aims to have the old mitigations in the same format, bringing some uniformity to the mitigations.

These are the advantages of having fine-grained control for the mitigations:

1) Users can choose and pick only mitigations that are important for their workloads.

2) Users and developers can choose to disable mitigations that mangle the assembly code generation, making it hard to read.

3) Separate Kconfigs for just source code readability, so that we see *which* butt-ugly piece of crap code is for what reason...

In most cases, if a mitigation is disabled at compilation time, it can still be enabled at runtime using kernel command line arguments."

The CPU security mitigations gaining dedicated Kconfig tunables for build-time control include MDS, TAA, MMIO Stale Data, L1TF, Retbleed, Spectre V1, Spectre V2, SRBDS, SSB (Speculative Store Bypass), and GDS.
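To make the build-time versus runtime distinction concrete, here is an added example (not code from the article, the patch series or the kernel tree) that cross-checks a kernel's CONFIG_MITIGATION_* settings against what the running kernel reports under /sys/devices/system/cpu/vulnerabilities. It assumes the CONFIG_MITIGATION_<NAME> symbol names used by the series and spells out its own symbol-to-sysfs-file mapping; the .config fragment and sysfs contents it runs on are constructed sample data, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not code from the article or from the kernel tree.
# Cross-checks build-time CONFIG_MITIGATION_* settings against the runtime
# state the kernel reports under /sys/devices/system/cpu/vulnerabilities.
# Assumption: CONFIG_MITIGATION_<NAME> symbol names as used in the tip
# x86/bugs series; the symbol -> sysfs file mapping is written out below.

# The sysfs file that reports each mitigation's runtime state.
sysfs_name() {
    case "$1" in
        CONFIG_MITIGATION_MDS) echo mds ;;
        CONFIG_MITIGATION_TAA) echo tsx_async_abort ;;
        CONFIG_MITIGATION_MMIO_STALE_DATA) echo mmio_stale_data ;;
        CONFIG_MITIGATION_L1TF) echo l1tf ;;
        CONFIG_MITIGATION_RETBLEED) echo retbleed ;;
        CONFIG_MITIGATION_SPECTRE_V1) echo spectre_v1 ;;
        CONFIG_MITIGATION_SPECTRE_V2) echo spectre_v2 ;;
        CONFIG_MITIGATION_SRBDS) echo srbds ;;
        CONFIG_MITIGATION_SSB) echo spec_store_bypass ;;
        CONFIG_MITIGATION_GDS) echo gather_data_sampling ;;
        *) return 1 ;;
    esac
}

# Prints "y", "n" or "unset" for one symbol ($1) in a .config-style file ($2).
config_state() {
    if grep -q "^$1=y" "$2"; then echo y
    elif grep -q "^# $1 is not set" "$2"; then echo n
    else echo unset
    fi
}

# Prints "mitigated", "not-affected", "vulnerable" or "unknown" for one
# sysfs vulnerabilities file ($1); a missing file means the kernel does not
# report that issue at all.
runtime_state() {
    [ -r "$1" ] || { echo unknown; return; }
    case "$(cat "$1")" in
        Mitigation:*) echo mitigated ;;
        "Not affected"*) echo not-affected ;;
        Vulnerable*) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# One line per symbol: "<symbol> build=<y|n|unset> runtime=<state>".
# Flags the case a practitioner cares about: compiled out AND still
# vulnerable at runtime, i.e. nothing on the command line re-enabled it.
report() {
    cfg=$1; vulndir=$2
    for sym in CONFIG_MITIGATION_MDS CONFIG_MITIGATION_TAA \
               CONFIG_MITIGATION_MMIO_STALE_DATA CONFIG_MITIGATION_L1TF \
               CONFIG_MITIGATION_RETBLEED CONFIG_MITIGATION_SPECTRE_V1 \
               CONFIG_MITIGATION_SPECTRE_V2 CONFIG_MITIGATION_SRBDS \
               CONFIG_MITIGATION_SSB CONFIG_MITIGATION_GDS; do
        b=$(config_state "$sym" "$cfg")
        r=$(runtime_state "$vulndir/$(sysfs_name "$sym")")
        flag=""
        if [ "$b" = n ] && [ "$r" = vulnerable ]; then
            flag=" <-- compiled out, exposed"
        fi
        echo "$sym build=$b runtime=$r$flag"
    done
}

# Constructed sample input standing in for a real .config and sysfs tree.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/config" <<'EOF'
CONFIG_MITIGATION_MDS=y
# CONFIG_MITIGATION_RETBLEED is not set
CONFIG_MITIGATION_SPECTRE_V2=y
# CONFIG_MITIGATION_SSB is not set
EOF
mkdir "$SAMPLE/vuln"
echo "Mitigation: Clear CPU buffers; SMT vulnerable" > "$SAMPLE/vuln/mds"
echo "Vulnerable" > "$SAMPLE/vuln/retbleed"
echo "Mitigation: Enhanced / Automatic IBRS" > "$SAMPLE/vuln/spectre_v2"
echo "Mitigation: Speculative Store Bypass disabled via prctl" > "$SAMPLE/vuln/spec_store_bypass"
echo "Not affected" > "$SAMPLE/vuln/l1tf"

# On a real system: report /boot/config-$(uname -r) /sys/devices/system/cpu/vulnerabilities
report "$SAMPLE/config" "$SAMPLE/vuln"
```

In the sample, SSB is compiled out yet reported as mitigated, which is the "still enabled at runtime" case the patch description mentions (a matching command-line option or, here, a prctl request), while Retbleed is compiled out and reported Vulnerable, which is the line to act on. The build-time symbols only describe what was linked into the image; the sysfs files describe what the kernel actually chose on this CPU with this command line, so both need to be checked after any mitigation-trimming rebuild.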

With these patches now in a TIP branch ([2]x86/bugs), the new options are expected to be submitted for the Linux 6.12 merge window, which opens in September following the v6.11 release, with the 6.12 stable release then expected near year's end.



[1] https://lore.kernel.org/all/20240729164105.554296-1-leitao@debian.org/

[2] https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/log/?h=x86/bugs
