Re: /sys/devices/system/cpu/vulnerabilities/ doesn't show all known CPU vulnerabilities
On Thu, 15 Aug 2019 11:03:35 +0200 (CEST) Thomas Gleixner wrote: > It's used to denote vulnerability classes and their mitigations: > > - Spectre v1 > - Spectre v2 > - Meltdown > - SSB > - L1TF > - MDS In the Wikipedia article there are: + Bounds Check Bypass (Spectre, Variant 1) + Branch Target Injection (Spectre, Variant 2) + Rogue Data Cache Load (Meltdown, Variant 3) - Rogue System Register Read (Spectre-NG, Variant 3a) + Speculative Store Bypass (Spectre-NG, Variant 4) - Lazy FP state restore (Spectre-NG) - Bounds Check Bypass Store (Spectre-NG) + Foreshadow - Spoiler + Microarchitectural Data Sampling I have marked with '+' those which I recognize in the list you provided and with '-' those which are not. > We are not tracking subclasses and their individual CVEs. Why do you say that? In your list only L1TF and MDS are not subclasses, i.e. subclasses are in the list. So why not have the others? Also Spoiler seems to be a separate class.
Re: /sys/devices/system/cpu/vulnerabilities/ doesn't show all known CPU vulnerabilities
Thomas Gleixner, Alright. Then I guess I am wasting everyone's time and everything is as it should be according to you. I will unsubscribe from this mailing list because it is flooding my mail box with so many messages and I don't know of any way to subscribe only to this particular thread. Please CC me if this discussion continues.
/sys/devices/system/cpu/vulnerabilities/ doesn't show all known CPU vulnerabilities
Hi, 'ls /sys/devices/system/cpu/vulnerabilities/' doesn't show all known CPU vulnerabilities and their variants. Only some of them: l1tf mds meltdown spec_store_bypass spectre_v1 spectre_v2 Wikipedia shows more variants: https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)#Speculative_execution_security_vulnerabilities It would be good to have a full list with statuses. Then one won't need to use external (potentially non-safe) tools like https://github.com/speed47/spectre-meltdown-checker to find out the vulnerabilities of a system. This started as a feature request on openSUSE's bugzilla where it was suggested to report it here: http://bugzilla.suse.com/show_bug.cgi?id=1145191
Re: /sys/devices/system/cpu/vulnerabilities/ doesn't show all known CPU vulnerabilities
On Tue, 13 Aug 2019 23:21:15 +0200 Borislav Petkov wrote: > You have to consider that some of those are addressed by a single mitigation like MDS That could be clarified like: vulnerability1 - mitigation MDS vulnerability2 - mitigation MDS vulnerability3 - mitigation 3 (another mitigation) ... > the mitigation for others like lazy FPU restore is not even present > in /sys/devices/system/cpu/vulnerabilities/. Then it could be a file with content saying "No mitigation". > Also, depending on the CPU, some are not even affected. That could say "Not affected" (which AFAIK is the case for some cases). > So maintaining this in the kernel is unnecessary to say the least. Knowing that there is no mitigation or that a CPU is not affected is quite different from not knowing anything. So I don't see why you conclude that knowledge is unnecessary.
Re: /sys/devices/system/cpu/vulnerabilities/ doesn't show all known CPU vulnerabilities
On Wed, 14 Aug 2019 09:04:57 +0200 Borislav Petkov wrote: > IMO, what you want does not belong in sysfs but in documentation. How would documentation (a fixed static text file) tell whether a particular system is vulnerable or not? > I partially see your point that a table of sorts mapping all those CPU > vulnerability names to (possible) mitigations is needed for users > which would like to know whether they're covered, without having to > run some scripts from github, Correct. > but sysfs just ain't the place. Then why is it currently used for some of the vulnerabilities? I am not an expert and I don't know if it is the place. My only concern is to have that information which we currently don't regardless of where it may be placed.
