Linux Attack Vector Controls Updated To More Easily Controlling CPU Security Mitigations

  • phoronix
    Administrator
    • Jan 2007
    • 67385

    Phoronix: Linux Attack Vector Controls Updated To More Easily Controlling CPU Security Mitigations

    Last year an AMD engineer proposed the notion of "Attack Vector Controls" for the Linux kernel to re-think how CPU security mitigation handling is done and to make it easier for system administrators/users to toggle the mitigations they are concerned about (or not)...

  • JEBjames
    Senior Member
    • Jan 2018
    • 376

    #2
    Michael

    Typo

    "makes it easier managing the CPU" should be "to manage"


    • hf_139
      Senior Member
      • May 2023
      • 339

      #3
      mitigations=off i915.mitigations=off


      • Kjell
        Senior Member
        • Apr 2019
        • 691

        #4
        Originally posted by hf_139:
        mitigations=off i915.mitigations=off
        Are there any other modules with a .mitigation option? E.g. amdgpu?

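Posts #3 and #4 above raise the two questions an administrator actually has to answer on a given box: which mitigations are in effect right now, and which loaded modules expose a .mitigations knob at all (the amdgpu question). The script below is an added example, not part of the thread and not kernel or Phoronix code. It reads the kernel's standard interfaces for this: /sys/devices/system/cpu/vulnerabilities/*, /proc/cmdline and /sys/module/<name>/parameters/mitigations (the i915 parameter being discussed). The sample vulnerability lines and command line embedded in it are constructed so it also runs where sysfs is absent.

```python
"""Audit which CPU mitigations are active and which modules expose a 'mitigations' knob.

Added example for this thread, not code from Phoronix or the kernel. It reads three
standard Linux interfaces: /sys/devices/system/cpu/vulnerabilities/*, /proc/cmdline
and /sys/module/<name>/parameters/mitigations.
"""
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
MODULE_DIR = Path("/sys/module")


def classify_status(line: str) -> str:
    """Map one sysfs vulnerability line to a coarse state.

    The kernel uses a fixed vocabulary here: 'Not affected', 'Mitigation: ...',
    'Vulnerable' (optionally followed by details) and, on unlisted hardware for
    some bugs, 'Unknown: ...'.
    """
    text = line.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def audit_vulnerabilities(entries: dict) -> dict:
    """entries: {bug_name: sysfs_line}; returns {bug_name: state} for every entry."""
    return {name: classify_status(line) for name, line in entries.items()}


def cmdline_mitigation_params(cmdline: str) -> dict:
    """Pull every 'mitigations=' or '<module>.mitigations=' token out of a kernel command line."""
    params = {}
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        if sep and (key == "mitigations" or key.endswith(".mitigations")):
            params[key] = value
    return params


def module_mitigation_params(root="/sys/module") -> dict:
    """Return {module: current_value} for each loaded or built-in module with a 'mitigations' parameter."""
    root = Path(root)
    found = {}
    if not root.is_dir():
        return found
    for param in root.glob("*/parameters/mitigations"):
        module = param.parent.parent.name
        try:
            found[module] = param.read_text().strip()
        except OSError:
            found[module] = "<unreadable>"
    return found


def read_live_vulnerabilities() -> dict:
    """Read the real sysfs directory; empty dict on non-Linux hosts or very old kernels."""
    if not VULN_DIR.is_dir():
        return {}
    return {p.name: p.read_text() for p in sorted(VULN_DIR.iterdir()) if p.is_file()}


if __name__ == "__main__":
    # Constructed sample input, so the script demonstrates itself even without sysfs.
    sample = {
        "meltdown": "Mitigation: PTI",
        "spectre_v2": "Vulnerable",
        "l1tf": "Not affected",
    }
    sample_cmdline = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 mitigations=off i915.mitigations=off quiet"
    print("sample audit:", audit_vulnerabilities(sample))
    print("sample cmdline params:", cmdline_mitigation_params(sample_cmdline))

    live = read_live_vulnerabilities()
    if live:
        for bug, state in audit_vulnerabilities(live).items():
            print(f"{bug:28s} {state:13s} {live[bug].strip()}")
        print("cmdline:", cmdline_mitigation_params(Path("/proc/cmdline").read_text()))
        print("modules with a 'mitigations' parameter:", module_mitigation_params())
```

All three interfaces are world-readable, so no root is needed. The module scan answers #4 empirically for whatever is loaded on the machine it runs on: only a module that registers a parameter literally named "mitigations" will show up, which is the same name the i915.mitigations=off boot option sets.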

        • the-burrito-triangle
          Phoronix Member
          • Jul 2024
          • 80

          #5
          Does i915.mitigations=off have any meaningful effect on newer Intel GPUs, say Xe and newer?

          I believe this mitigation option was first introduced for Haswell:



          • the-burrito-triangle
            Phoronix Member
            • Jul 2024
            • 80

            #6
            It would be nice if mitigations, in general, could be controlled per process. That way games could have them disabled and, say, browsers could have them enabled. This way one doesn't have to take as big a hit globally, just where it actually makes sense.

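The per-process control #6 wishes for exists today in a narrow form: Linux's prctl(2) PR_GET_SPECULATION_CTRL / PR_SET_SPECULATION_CTRL interface lets a task query, and tighten, its own Speculative Store Bypass and indirect-branch speculation state, inherited by its children (documented in Documentation/userspace-api/spec_ctrl.rst). The following is an added example, not from the thread or the kernel tree; the constants are those of include/uapi/linux/prctl.h, and the only thing the script changes is its own process, in the direction of more mitigation, which is what a browser or other untrusted-content process would want.

```python
"""Per-task speculation control via prctl(2). Added example, not code from the thread.

PR_GET_SPECULATION_CTRL reports, for one misfeature, whether the calling thread is
affected, whether per-task control is available, and whether speculation is currently
enabled or disabled for it. PR_SET_SPECULATION_CTRL lets the thread disable
speculation for itself. Constants from include/uapi/linux/prctl.h.
"""
import ctypes
import ctypes.util
import os

PR_GET_SPECULATION_CTRL = 52
PR_SET_SPECULATION_CTRL = 53

# Misfeature selector (arg2).
PR_SPEC_STORE_BYPASS = 0     # Spectre v4 / SSB
PR_SPEC_INDIRECT_BRANCH = 1  # Spectre v2, STIBP for this task
PR_SPEC_L1D_FLUSH = 2        # L1D flush when the task is switched out

# Bits of the PR_GET return value; also the modes for PR_SET (arg3).
PR_SPEC_NOT_AFFECTED = 0
PR_SPEC_PRCTL = 1 << 0           # per-task control available
PR_SPEC_ENABLE = 1 << 1          # speculation enabled (mitigation off)
PR_SPEC_DISABLE = 1 << 2         # speculation disabled (mitigation on)
PR_SPEC_FORCE_DISABLE = 1 << 3   # disabled and cannot be re-enabled
PR_SPEC_DISABLE_NOEXEC = 1 << 4  # disabled until the next execve()

MISFEATURE_NAMES = {
    PR_SPEC_STORE_BYPASS: "spec_store_bypass",
    PR_SPEC_INDIRECT_BRANCH: "indirect_branch",
    PR_SPEC_L1D_FLUSH: "l1d_flush",
}


def decode_spec_status(status: int) -> dict:
    """Translate a PR_GET_SPECULATION_CTRL result into readable fields (pure, no syscall)."""
    if status == PR_SPEC_NOT_AFFECTED:
        return {"affected": False, "per_task_control": False, "speculation": "n/a", "forced": False}
    if status & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE | PR_SPEC_DISABLE_NOEXEC):
        speculation = "disabled"  # mitigation active for this task
    elif status & PR_SPEC_ENABLE:
        speculation = "enabled"   # no mitigation for this task
    else:
        speculation = "unknown"
    return {
        "affected": True,
        "per_task_control": bool(status & PR_SPEC_PRCTL),
        "speculation": speculation,
        "forced": bool(status & PR_SPEC_FORCE_DISABLE),
    }


def _libc():
    # Loaded lazily so the pure decoder above works on hosts without prctl(2).
    lib = ctypes.CDLL(ctypes.util.find_library("c") or "libc.so.6", use_errno=True)
    lib.prctl.restype = ctypes.c_int
    lib.prctl.argtypes = [ctypes.c_int] + [ctypes.c_ulong] * 4
    return lib


def _check(rc: int) -> int:
    if rc < 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    return rc


def get_spec_status(misfeature: int) -> int:
    """Raw PR_GET_SPECULATION_CTRL value for the calling thread (ENODEV if the kernel lacks it)."""
    return _check(_libc().prctl(PR_GET_SPECULATION_CTRL, misfeature, 0, 0, 0))


def disable_speculation(misfeature: int, force: bool = False) -> None:
    """Tighten this thread's own mitigation; inherited by children. force=True is irreversible.

    Typical errors: ENXIO (no per-task control for this misfeature here),
    EPERM (re-enabling after a force-disable).
    """
    mode = PR_SPEC_FORCE_DISABLE if force else PR_SPEC_DISABLE
    _check(_libc().prctl(PR_SET_SPECULATION_CTRL, misfeature, mode, 0, 0))


if __name__ == "__main__":
    for misfeature, name in MISFEATURE_NAMES.items():
        try:
            before = decode_spec_status(get_spec_status(misfeature))
        except OSError as exc:
            print(f"{name}: prctl failed: {exc}")
            continue
        print(f"{name}: {before}")
        # Opt this process into SSBD where the kernel offers per-task control.
        if misfeature == PR_SPEC_STORE_BYPASS and before["per_task_control"]:
            disable_speculation(misfeature)
            print(f"{name}: after opt-in {decode_spec_status(get_spec_status(misfeature))}")
```

Whether per_task_control is reported depends on the boot-time mode: with spec_store_bypass_disable=prctl or seccomp (the default on most distributions) the SSB case works as shown, while spectre_v2_user=prctl is needed for the indirect-branch case. The interface is intentionally one-way for a process that does not own the machine: a task can make itself safer, and the boot parameters (the ones post #3 lists) still set the ceiling.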

            • fafreeman
              Phoronix Member
              • Feb 2021
              • 113

              #7
              Originally posted by the-burrito-triangle:
              Does i915.mitigations=off have any meaningful effect on newer Intel GPUs, say Xe and newer?

              I believe this mitigation option was first introduced for Haswell:

              https://www.phoronix.com/news/Intel-...ations-off-Opt
              If it doesn't, it probably will when new exploits are found as time goes on. No idea if the UHD 770 has mitigations, but I run with them off like I do with the CPU ones, since my 14900K has an iGPU and I actually use it for a lot of things to take strain off my 7900 XTX, so it can just focus on the stuff I care more about, like games.


              • hf_139
                Senior Member
                • May 2023
                • 339

                #8
                Originally posted by the-burrito-triangle:
                Does i915.mitigations=off have any meaningful effect on newer Intel GPUs, say Xe and newer?

                I believe this mitigation option was first introduced for Haswell:

                https://www.phoronix.com/news/Intel-...ations-off-Opt
                It's up to and including 10th gen.
                11th gen was released in 2021 and, according to the Intel specification page, some of them aren't even discontinued yet.

                Typically, new "vulnerabilities" show up just in time when a CPU got discontinued and its warranties run out.
                That there will be new "mitigation" methods crippling your CPU, is guaranteed.


                • Developer12
                  Senior Member
                  • Dec 2019
                  • 1584

                  #9
                  This is just as bad an idea as trying to linearize x86 CPUID bits into "feature levels" was. Everyone called it the greatest thing on earth despite largely theoretical gains, and then Intel went and decided that all new CPUs wouldn't support a core feature of v4. Oh, and never mind that Intel still makes low-end chips TODAY that can't meet v2 or v3 or whatever.

                  Just give us the list of fucking toggles and leave it at that. This is only going to become outdated as mitigations evolve.


                  • Havin_it
                    Junior Member
                    • Mar 2015
                    • 34

                    #10
                    I noticed in my last or maybe 1-from-last kernel upgrade that few or none of the mitigation configs had any commentary in their helptexts regarding their effect on performance.

                    Am I just imagining this or was some of that information removed from the notes for the older mitigs? If so is there a deliberate policy behind it? Just curious.
