mirror of
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-08-05 16:54:27 +00:00

Document the 5 new attack vector command line options, how they interact with existing vulnerability controls, and recommendations on when they can be disabled.

Note that while mitigating against untrusted userspace requires both user-to-kernel and user-to-user protection, these are kept separate. The kernel can control what code executes inside of it, and that may affect the risk associated with vulnerabilities, especially if new kernel mitigations are implemented. The same isn't typically true of userspace. In other words, the risk associated with user-to-user or guest-to-guest attacks is unlikely to change over time, while the risk associated with user-to-kernel or guest-to-host attacks may change. Therefore, these controls are separated.

Signed-off-by: David Kaplan <david.kaplan@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/20250709155731.3279419-1-david.kaplan@amd.com
28 lines
620 B
ReStructuredText
========================
Hardware vulnerabilities
========================

This section describes CPU vulnerabilities and provides an overview of the
possible mitigations along with guidance for selecting mitigations if they
are configurable at compile, boot or run time.

.. toctree::
   :maxdepth: 1

   attack_vector_controls
   spectre
   l1tf
   mds
   tsx_async_abort
   multihit
   special-register-buffer-data-sampling
   core-scheduling
   l1d_flush
   processor_mmio_stale_data
   cross-thread-rsb
   srso
   gather_data_sampling
   reg-file-data-sampling
   rsb
   old_microcode
   indirect-target-selection