Linux 6.12 Adds Build Options For Greater Control Over CPU Security Mitigations

Written by Michael Larabel in Linux Security on 18 September 2024 at 08:00 AM EDT. 2 Comments
Not to be confused with the proposal a few days ago by an AMD engineer for Attack Vector Controls for broader control over CPU security mitigation handling, the in-development Linux 6.12 kernel is adding new Kconfig options to allow for more build-time control over what CPU security mitigation code is compiled for the kernel.

The "x86/bugs" pull request was sent out for the Linux 6.12 merge window, and its main addition is a separate Kconfig option for each hardware CPU mitigation. You can already boot a kernel with "mitigations=off" or other parameters to disable individual CPU security mitigations at run-time; these new options go further and allow the mitigation code itself to be left out at kernel build time.

New Kconfig options are added for the CPU security vulnerabilities of MDS, TAA, MMIO Stale Data, L1TF, Retbleed, Spectre V1, SRBDS, Spectre V2, SSB, and GDS.
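A practical follow-up check, once a kernel is built with some of these mitigations compiled out, is to confirm that the booted kernel actually matches the .config: a mitigation that was left out should be reported as "Vulnerable" under /sys/devices/system/cpu/vulnerabilities/, and one that was built in but disabled on the command line (for example via mitigations=off) shows up the same way. The script below is an added example, not code from the kernel or from the pull request; the CONFIG_MITIGATION_* symbol names are assumed to follow the pattern used by the 6.12 series and are not given on this page, the sysfs file names are the existing ones, and both the .config fragment and the sysfs status strings are constructed sample input rather than output from a real machine.

```shell
#!/bin/sh
# Cross-check a kernel .config against the running kernel's sysfs
# vulnerability reports for the per-mitigation Kconfig symbols.
# Added example, not the kernel's own code. The CONFIG_MITIGATION_*
# symbol names are an assumption; the sysfs file names are the
# long-standing ones under /sys/devices/system/cpu/vulnerabilities/.
set -u

# Kconfig symbol suffix : sysfs file name (one pair per entry)
MITIGATIONS="MDS:mds TAA:tsx_async_abort MMIO_STALE_DATA:mmio_stale_data
L1TF:l1tf RETBLEED:retbleed SPECTRE_V1:spectre_v1 SRBDS:srbds
SPECTRE_V2:spectre_v2 SSB:spec_store_bypass GDS:gather_data_sampling"

# config_enabled CONFIG_FILE SUFFIX: succeeds if CONFIG_MITIGATION_<SUFFIX>=y
config_enabled() {
    grep -q "^CONFIG_MITIGATION_$2=y\$" "$1"
}

# sysfs_status SYSFS_DIR FILE: prints the kernel's status string, or "unknown"
sysfs_status() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo "unknown"; fi
}

# compiled_out CONFIG_FILE: prints the symbols whose mitigation was built out
compiled_out() {
    out=""
    for pair in $MITIGATIONS; do
        sym=${pair%%:*}
        config_enabled "$1" "$sym" || out="$out${out:+ }$sym"
    done
    echo "$out"
}

# mismatches CONFIG_FILE SYSFS_DIR: prints symbols whose build-time choice
# disagrees with what the booted kernel reports: a compiled-out mitigation
# that sysfs says is active (wrong .config for this kernel?), or a built-in
# one that sysfs says is missing (disabled at boot, e.g. mitigations=off).
mismatches() {
    out=""
    for pair in $MITIGATIONS; do
        sym=${pair%%:*}; file=${pair#*:}
        status=$(sysfs_status "$2" "$file")
        if config_enabled "$1" "$sym"; then
            case $status in Vulnerable*) out="$out${out:+ }$sym" ;; esac
        else
            case $status in Mitigation:*) out="$out${out:+ }$sym" ;; esac
        fi
    done
    echo "$out"
}

# audit CONFIG_FILE SYSFS_DIR: human-readable table of build vs. runtime state
audit() {
    for pair in $MITIGATIONS; do
        sym=${pair%%:*}; file=${pair#*:}
        if config_enabled "$1" "$sym"; then state="built-in"; else state="compiled-out"; fi
        printf '%-16s %-13s %s\n' "$sym" "$state" "$(sysfs_status "$2" "$file")"
    done
}

# --- constructed sample input (not taken from a real machine) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/config"
SYSFS="$WORK/vulnerabilities"
mkdir -p "$SYSFS"
cat > "$CFG" <<'EOF'
# CONFIG_MITIGATION_MDS is not set
# CONFIG_MITIGATION_TAA is not set
CONFIG_MITIGATION_MMIO_STALE_DATA=y
CONFIG_MITIGATION_L1TF=y
CONFIG_MITIGATION_RETBLEED=y
CONFIG_MITIGATION_SPECTRE_V1=y
# CONFIG_MITIGATION_SRBDS is not set
CONFIG_MITIGATION_SPECTRE_V2=y
CONFIG_MITIGATION_SSB=y
CONFIG_MITIGATION_GDS=y
EOF
echo "Vulnerable" > "$SYSFS/mds"
echo "Vulnerable" > "$SYSFS/tsx_async_abort"
echo "Not affected" > "$SYSFS/mmio_stale_data"
echo "Vulnerable" > "$SYSFS/l1tf"          # built in, but switched off at boot
echo "Not affected" > "$SYSFS/retbleed"
echo "Mitigation: usercopy/swapgs barriers and __user pointer sanitization" > "$SYSFS/spectre_v1"
echo "Mitigation: Microcode" > "$SYSFS/srbds"   # compiled out, yet reported active
echo "Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling" > "$SYSFS/spectre_v2"
echo "Mitigation: Speculative Store Bypass disabled via prctl" > "$SYSFS/spec_store_bypass"
echo "Not affected" > "$SYSFS/gather_data_sampling"

audit "$CFG" "$SYSFS"
echo "compiled out: $(compiled_out "$CFG")"
echo "mismatches:   $(mismatches "$CFG" "$SYSFS")"
```

On a real system, point CFG at /boot/config-$(uname -r) (or /proc/config.gz, decompressed) and SYSFS at /sys/devices/system/cpu/vulnerabilities. A non-empty mismatch list is worth investigating either way: "compiled-out but reported active" usually means the .config you are reading is not the one the running kernel was built from, while "built-in but Vulnerable" points at a command-line override or a CPU the mitigation does not support.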

These Kconfig build options were added by Debian developer Breno Leitao. The intent behind the finer-grained CPU security mitigation controls is to let users pick and compile only the mitigations that matter to their workloads, to make it easier to disable mitigations that might mangle the generated Assembly code and in turn make it harder to read and debug, and lastly:
"3) Separate Kconfigs for just source code readability, so that we see *which* butt-ugly piece of crap code is for what reason..."


These new options come with the x86/bugs pull request for Linux 6.12.