Linux 6.12 Adds Build Options For Greater Control Over CPU Security Mitigations
- News link: https://www.phoronix.com/news/Linux-6.12-Kconfig-Mitigations
Not to be confused with the proposal a few days ago by an AMD engineer for [1]Attack Vector Controls for broader control over CPU security mitigation handling, the in-development Linux 6.12 kernel is adding new Kconfig options to allow more build-time control over which CPU security mitigation code is compiled into the kernel.
The "x86/bugs" pull request was sent out for the Linux 6.12 merge window and its primary addition is the introduction of separate Kconfig options for every hardware CPU mitigation. While you can already run your kernel with "mitigations=off" or other parameters to disable various CPU security mitigations at run-time, this change allows greater control over disabling individual CPU security mitigations at kernel build time.
New Kconfig options are added for the CPU security vulnerabilities of MDS, TAA, MMIO Stale Data, L1TF, Retbleed, Spectre V1, SRBDS, Spectre V2, SSB, and GDS.
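To see what these per-vulnerability switches look like from a build-review standpoint, here is a small added audit script (not from the article or the kernel tree) that reads a kernel .config and reports which of the ten mitigations named above are compiled in, compiled out, or not offered by the tree at all. The CONFIG_MITIGATION_* symbol names are an assumption about the 6.12 naming and should be checked against your own tree; the .config fragment is constructed for the example.

```shell
#!/bin/sh
# Added example: audit a kernel .config for the per-vulnerability
# CONFIG_MITIGATION_* options. Symbol names are assumed to follow the
# Linux 6.12 Kconfig naming for the ten vulnerabilities in the article.
MITIGATION_OPTS="MDS TAA MMIO_STALE_DATA L1TF RETBLEED SPECTRE_V1 SPECTRE_V2 SRBDS SSB GDS"

# Print one line per option, "<symbol> <y|n|unset>", for the given .config.
mitigation_status() {
    config="$1"
    for opt in $MITIGATION_OPTS; do
        sym="CONFIG_MITIGATION_$opt"
        if grep -q "^$sym=y" "$config"; then
            state=y
        elif grep -q "^# $sym is not set" "$config" || grep -q "^$sym=n" "$config"; then
            state=n
        else
            state=unset
        fi
        printf '%s %s\n' "$sym" "$state"
    done
}

# Count mitigations that will not be compiled in (n or unset). "unset" means
# the tree predates these options or the symbol is spelled differently.
count_compiled_out() {
    mitigation_status "$1" | awk '$2 != "y" { n++ } END { print n+0 }'
}

# Constructed sample .config fragment: a build that drops MDS and Retbleed.
sample_config=$(mktemp)
cat > "$sample_config" <<'EOF'
CONFIG_MITIGATION_SPECTRE_V1=y
CONFIG_MITIGATION_SPECTRE_V2=y
# CONFIG_MITIGATION_MDS is not set
CONFIG_MITIGATION_TAA=y
CONFIG_MITIGATION_MMIO_STALE_DATA=y
CONFIG_MITIGATION_L1TF=y
# CONFIG_MITIGATION_RETBLEED is not set
CONFIG_MITIGATION_SRBDS=y
CONFIG_MITIGATION_SSB=y
CONFIG_MITIGATION_GDS=y
EOF

mitigation_status "$sample_config"
echo "compiled out: $(count_compiled_out "$sample_config")"
```

On a running system, /sys/devices/system/cpu/vulnerabilities/ reports the effective state, which reflects both these build options and any mitigations= boot parameter.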
These Kconfig build options were added by Debian developer Breno Leitao. His intention with the more fine-grained CPU security mitigation controls is to let users pick and compile only the mitigations that matter to their workloads, to make it easier to disable mitigations that might mangle the generated Assembly code and in turn make it harder to read/debug, and lastly:
"3) Separate Kconfigs for just source code readability, so that we see *which* butt-ugly piece of crap code is for what reason..."
These new options come with the [3]x86/bugs pull request for Linux 6.12.
[1] https://www.phoronix.com/news/Attack-Vector-Controls-RFC
[3] https://lore.kernel.org/lkml/20240909151344.GAZt8QqEDhZCMVYQbY@fat_crate.local/