Re: [PATCH v4] x86/bugs: Add a separate config for each mitigation

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Ingo Molnar <mingo@kernel.org>
To: Josh Poimboeuf <jpoimboe@kernel.org>
Cc: Breno Leitao <leitao@debian.org>,
	tglx@linutronix.de, bp@alien8.de, Ingo Molnar <mingo@redhat.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Pawan Gupta <pawan.kumar.gupta@linux.intel.com>,
	leit@meta.com,
	"open list:X86 ARCHITECTURE (32-BIT AND 64-BIT)" 
	<linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v4] x86/bugs: Add a separate config for each mitigation
Date: Thu, 12 Oct 2023 20:51:24 +0200	[thread overview]
Message-ID: <ZShALJDaxJ9VJvek@gmail.com> (raw)
In-Reply-To: <20231012170548.o5vi4kgpvpjyld7s@treble>


* Josh Poimboeuf <jpoimboe@kernel.org> wrote:

> On Thu, Oct 12, 2023 at 06:02:41AM -0700, Breno Leitao wrote:
> > > Yeah, so this #ifdeffery is unnecessarily ugly - we can actually assign 
> > > integer values in the Kconfig language and use that for initialization.
> > > 
> > > Is there a reason why we wouldn't want to do something like:
> > > 
> > > 	static enum retbleed_mitigation_cmd retbleed_cmd __ro_after_init = CONFIG_BOOT_DEFAULT_X86_MITIGATE_RETBLEED;
> > > 
> > > ... or so?
> > 
> > Yes. There are two reasons rigth now:
> > 
> > 1) How to avoid the "undefined" behaviour when
> > CONFIG_BOOT_DEFAULT_X86_MITIGATE_RETBLEED is not defined ? Something as:
> > 
> >  error: ‘CONFIG_BOOT_DEFAULT_X86_MITIGATE_RETBLEED’ undeclared (first use in this function)
> > 
> > 2) Right now, these _cmd values are all different by default. Here are a few
> > examples when the kernel is compiled with the mitigations:
> > 
> >  retbleed_cmd = RETBLEED_CMD_AUTO (1)
> >  spectre_v2_mitigation_cmd = SPECTRE_V2_CMD_AUTO (1)
> >  ssb_mitigation_cmd = SPEC_STORE_BYPASS_CMD_AUTO (1)
> >  l1tf_mitigation = L1TF_MITIGATION_FLUSH(2)
> >  mds_mitigation =  MDS_MITIGATION_FULL(1)
> >  taa_mitigation = TAA_MITIGATION_VERW (2)
> >  mmio_mitigation = MMIO_MITIGATION_VERW (2)
> >  gds_mitigation =  GDS_MITIGATION_FULL (3)
> > 
> > If there is a solution for 1, then I _think_ we can probably reorder the
> > enums, so, the "AUTO" value is always 1?!
> 
> I'd rather avoid hard-coding enums as that adds fragility into the mix.
> 
> Another way to avoid ifdeffery:
> 
> static enum retbleed_mitigation_cmd retbleed_cmd __ro_after_init =
> 	IS_ENABLED(CONFIG_MITIGATION_RETBLEED) ? RETBLEED_CMD_AUTO : RETBLEED_CMD_OFF;

I think we could make it a simple:

	static enum retbleed_mitigation_cmd retbleed_cmd __ro_after_init = IS_ENABLED(CONFIG_MITIGATION_RETBLEED);

Because RETBLEED_CMD_AUTO && RETBLEED_CMD_OFF maps naturally to 1 and 0. 
Maybe add a comment to the enum to maintain this property in the future 
too.

> > > 3)
> > > 
> > > And yes, now that the rush of CPU vulnerabilities seems to be ebbing, we 
> > > should probably consider unifying the existing hodgepodge of mitigation 
> > > Kconfig options as well, to not build up even more technical debt.
> > 
> > What do you mean by unifying the existing hodgepodge of mitigation
> > Kconfigs? If you are implying to just have fewer config options, I think
> > that is the opposite of what Linus has suggested previously:
> > 
> > https://lore.kernel.org/all/CAHk-=wjTHeQjsqtHcBGvy9TaJQ5uAm5HrCDuOD9v7qA9U1Xr4w@mail.gmail.com/
> 
> I read that as Ingo agreeing with me that we should rename all the
> existing options for consistency.

Yeah, and this is doubly important for security features: inconsistency 
invites misunderstandings & bugs ...

> > > Sometimes it can be a simple configuration mistake, or a user might have 
> > > different opinion about the importance of a particular mitigation. Nothing 
> > > heavy-handed, just a simple pr_info() table of changes?
> > 
> > That could be done, but, right now messages are printed in regard to the
> > mitigations. Aren't these enough?
> > 
> > Here are some examples:
> > 
> >   pr_info("MDS: %s\n", mds_strings[mds_mitigation]);
> >   pr_info("TAA: %s\n", taa_strings[taa_mitigation]);
> >   pr_info("MMIO Stale Data: %s\n", mmio_strings[mmio_mitigation]);
> >   pr_info("MMIO Stale Data: Unknown: No mitigations\n");
> >   pr_info("%s\n", srbds_strings[srbds_mitigation]);
> >   pr_info("%s\n", gds_strings[gds_mitigation]);
> >   pr_info("%s\n", spectre_v1_strings[spectre_v1_mitigation]);
> >   pr_info("%s\n", spectre_v2_user_strings[mode]);
> >   pr_info("%s\n", retbleed_strings[retbleed_mitigation]);
> >   pr_info("%s\n", ssb_strings[ssb_mode]);
> 
> But notice many/most of those functions exit early if the mitigation is
> turned off, thereby skipping the pr_info().  It might be a matter of
> just tweaking the print behavior and making it consistent across all the
> mitigations.

Yeah. A single consistent table would be the most user-friendly outcome, 
with no silence. 'No output' is what kernels without the fixes do too, so 
we should always output the chosen bootup status of relevant mitigations.

This would make it a bit easier for users to report bugs too: for example 
if some uncommon CPU model number is not enumerated by the mitigations code 
and the kernel mistakenly believes that the CPU is safe. While much of this 
information can be recovered from the sysfs files too, they are subject to 
runtime changes and the values are also not reliably logged at bootup.

Thanks,

	Ingo

next prev parent reply	other threads:[~2023-10-12 18:51 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-10-10 10:30 [PATCH v4] x86/bugs: Add a separate config for each mitigation Breno Leitao
2023-10-11  4:42 ` Josh Poimboeuf
2023-10-11 12:20   ` Breno Leitao
2023-10-11 16:49     ` Josh Poimboeuf
2023-10-11 19:03   ` Borislav Petkov
2023-10-11 22:03     ` Josh Poimboeuf
2023-10-12  7:29       ` Borislav Petkov
2023-10-12 16:48         ` Josh Poimboeuf
2023-10-15 15:06           ` Borislav Petkov
2023-10-16 10:07         ` Ingo Molnar
2023-10-16 12:46           ` Borislav Petkov
2023-10-17 15:08             ` Breno Leitao
2023-10-11 21:59 ` Ingo Molnar
2023-10-12 13:02   ` Breno Leitao
2023-10-12 17:05     ` Josh Poimboeuf
2023-10-12 18:51       ` Ingo Molnar [this message]
2023-10-12 20:43         ` Josh Poimboeuf
2023-10-13 10:50           ` Ingo Molnar
2023-10-15 14:11             ` Josh Poimboeuf
2023-10-16  9:45               ` Ingo Molnar
2023-10-17 17:15                 ` Josh Poimboeuf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZShALJDaxJ9VJvek@gmail.com \
    --to=mingo@kernel.org \
    --cc=bp@alien8.de \
    --cc=dave.hansen@linux.intel.com \
    --cc=hpa@zytor.com \
    --cc=jpoimboe@kernel.org \
    --cc=leit@meta.com \
    --cc=leitao@debian.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@redhat.com \
    --cc=pawan.kumar.gupta@linux.intel.com \
    --cc=peterz@infradead.org \
    --cc=tglx@linutronix.de \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox