|
| 1 | +.. SPDX-License-Identifier: GPL-2.0 |
| 2 | +
|
| 3 | +Attack Vector Controls |
| 4 | +====================== |
| 5 | + |
| 6 | +Attack vector controls provide a simple method to configure only the mitigations |
| 7 | +for CPU vulnerabilities which are relevant given the intended use of a system. |
| 8 | +Administrators are encouraged to consider which attack vectors are relevant and |
| 9 | +disable all others in order to recoup system performance. |
| 10 | + |
| 11 | +When new relevant CPU vulnerabilities are found, they will be added to these |
| 12 | +attack vector controls so administrators will likely not need to reconfigure |
| 13 | +their command line parameters as mitigations will continue to be correctly |
| 14 | +applied based on the chosen attack vector controls. |
| 15 | + |
| 16 | +Attack Vectors |
| 17 | +-------------- |
| 18 | + |
| 19 | +There are 5 sets of attack-vector mitigations currently supported by the kernel: |
| 20 | + |
| 21 | +#. :ref:`user_kernel` |
| 22 | +#. :ref:`user_user` |
| 23 | +#. :ref:`guest_host` |
| 24 | +#. :ref:`guest_guest` |
| 25 | +#. :ref:`smt` |
| 26 | + |
| 27 | +To control the enabled attack vectors, see :ref:`cmdline`. |
| 28 | + |
| 29 | +.. _user_kernel: |
| 30 | + |
| 31 | +User-to-Kernel |
| 32 | +^^^^^^^^^^^^^^ |
| 33 | + |
| 34 | +The user-to-kernel attack vector involves a malicious userspace program |
| 35 | +attempting to leak kernel data into userspace by exploiting a CPU vulnerability. |
| 36 | +The kernel data involved might be limited to certain kernel memory, or include |
| 37 | +all memory in the system, depending on the vulnerability exploited. |
| 38 | + |
| 39 | +If no untrusted userspace applications are being run, such as with single-user |
| 40 | +systems, consider disabling user-to-kernel mitigations. |
| 41 | + |
| 42 | +Note that the CPU vulnerabilities mitigated by Linux have generally not been |
| 43 | +shown to be exploitable from browser-based sandboxes. User-to-kernel |
| 44 | +mitigations are therefore mostly relevant if unknown userspace applications may |
| 45 | +be run by untrusted users. |
| 46 | + |
| 47 | +*user-to-kernel mitigations are enabled by default* |
| 48 | + |
| 49 | +.. _user_user: |
| 50 | + |
| 51 | +User-to-User |
| 52 | +^^^^^^^^^^^^ |
| 53 | + |
| 54 | +The user-to-user attack vector involves a malicious userspace program attempting |
| 55 | +to influence the behavior of another unsuspecting userspace program in order to |
| 56 | +exfiltrate data. The vulnerability of a userspace program is based on the |
| 57 | +program itself and the interfaces it provides. |
| 58 | + |
| 59 | +If no untrusted userspace applications are being run, consider disabling |
| 60 | +user-to-user mitigations. |
| 61 | + |
| 62 | +Note that because the Linux kernel contains a mapping of all physical memory, |
| 63 | +preventing a malicious userspace program from leaking data from another |
| 64 | +userspace program requires mitigating user-to-kernel attacks as well for |
| 65 | +complete protection. |
| 66 | + |
| 67 | +*user-to-user mitigations are enabled by default* |
| 68 | + |
| 69 | +.. _guest_host: |
| 70 | + |
| 71 | +Guest-to-Host |
| 72 | +^^^^^^^^^^^^^ |
| 73 | + |
| 74 | +The guest-to-host attack vector involves a malicious VM attempting to leak |
| 75 | +hypervisor data into the VM. The data involved may be limited, or may |
| 76 | +potentially include all memory in the system, depending on the vulnerability |
| 77 | +exploited. |
| 78 | + |
| 79 | +If no untrusted VMs are being run, consider disabling guest-to-host mitigations. |
| 80 | + |
| 81 | +*guest-to-host mitigations are enabled by default if KVM support is present* |
| 82 | + |
| 83 | +.. _guest_guest: |
| 84 | + |
| 85 | +Guest-to-Guest |
| 86 | +^^^^^^^^^^^^^^ |
| 87 | + |
| 88 | +The guest-to-guest attack vector involves a malicious VM attempting to influence |
| 89 | +the behavior of another unsuspecting VM in order to exfiltrate data. The |
| 90 | +vulnerability of a VM is based on the code inside the VM itself and the |
| 91 | +interfaces it provides. |
| 92 | + |
| 93 | +If no untrusted VMs, or only a single VM is being run, consider disabling |
| 94 | +guest-to-guest mitigations. |
| 95 | + |
| 96 | +Similar to the user-to-user attack vector, preventing a malicious VM from |
| 97 | +leaking data from another VM requires mitigating guest-to-host attacks as well |
| 98 | +due to the Linux kernel phys map. |
| 99 | + |
| 100 | +*guest-to-guest mitigations are enabled by default if KVM support is present* |
| 101 | + |
| 102 | +.. _smt: |
| 103 | + |
| 104 | +Cross-Thread |
| 105 | +^^^^^^^^^^^^ |
| 106 | + |
| 107 | +The cross-thread attack vector involves a malicious userspace program or |
| 108 | +malicious VM either observing or attempting to influence the behavior of code |
| 109 | +running on the SMT sibling thread in order to exfiltrate data. |
| 110 | + |
| 111 | +Many cross-thread attacks can only be mitigated if SMT is disabled, which will |
| 112 | +result in reduced CPU core count and reduced performance. |
| 113 | + |
| 114 | +If cross-thread mitigations are fully enabled ('auto,nosmt'), all mitigations |
| 115 | +for cross-thread attacks will be enabled. SMT may be disabled depending on |
| 116 | +which vulnerabilities are present in the CPU. |
| 117 | + |
| 118 | +If cross-thread mitigations are partially enabled ('auto'), mitigations for |
| 119 | +cross-thread attacks will be enabled but SMT will not be disabled. |
| 120 | + |
| 121 | +If cross-thread mitigations are disabled, no mitigations for cross-thread |
| 122 | +attacks will be enabled. |
| 123 | + |
| 124 | +Cross-thread mitigation may not be required if core-scheduling or similar |
| 125 | +techniques are used to prevent untrusted workloads from running on SMT siblings. |
| 126 | + |
| 127 | +*cross-thread mitigations default to partially enabled* |
| 128 | + |
| 129 | +.. _cmdline: |
| 130 | + |
| 131 | +Command Line Controls |
| 132 | +--------------------- |
| 133 | + |
| 134 | +Attack vectors are controlled through the mitigations= command line option. The |
| 135 | +value provided begins with a global option and then may optionally include one |
| 136 | +or more options to disable various attack vectors. |
| 137 | + |
| 138 | +Format: |
| 139 | + | ``mitigations=[global]`` |
| 140 | + | ``mitigations=[global],[attack vectors]`` |
| 141 | +
|
| 142 | +Global options: |
| 143 | + |
| 144 | +============ ============================================================= |
| 145 | +Option Description |
| 146 | +============ ============================================================= |
| 147 | +'off' All attack vectors disabled. |
| 148 | +'auto' All attack vectors enabled, partial cross-thread mitigations. |
| 149 | +'auto,nosmt' All attack vectors enabled, full cross-thread mitigations. |
| 150 | +============ ============================================================= |
| 151 | + |
| 152 | +Attack vector options: |
| 153 | + |
| 154 | +================= ======================================= |
| 155 | +Option Description |
| 156 | +================= ======================================= |
| 157 | +'no_user_kernel' Disables user-to-kernel mitigations. |
| 158 | +'no_user_user' Disables user-to-user mitigations. |
| 159 | +'no_guest_host' Disables guest-to-host mitigations. |
| 160 | +'no_guest_guest' Disables guest-to-guest mitigations |
| 161 | +'no_cross_thread' Disables all cross-thread mitigations. |
| 162 | +================= ======================================= |
| 163 | + |
| 164 | +Multiple attack vector options may be specified in a comma-separated list. If |
| 165 | +the global option is not specified, it defaults to 'auto'. The global option |
| 166 | +'off' is equivalent to disabling all attack vectors. |
| 167 | + |
| 168 | +Examples: |
| 169 | + | ``mitigations=auto,no_user_kernel`` |
| 170 | +
|
| 171 | + Enable all attack vectors except user-to-kernel. Partial cross-thread |
| 172 | + mitigations. |
| 173 | + |
| 174 | + | ``mitigations=auto,nosmt,no_guest_host,no_guest_guest`` |
| 175 | +
|
| 176 | + Enable all attack vectors and cross-thread mitigations except for |
| 177 | + guest-to-host and guest-to-guest mitigations. |
| 178 | + |
| 179 | + | ``mitigations=,no_cross_thread`` |
| 180 | +
|
| 181 | + Enable all attack vectors but not cross-thread mitigations. |
| 182 | + |
| 183 | +Interactions with command-line options |
| 184 | +-------------------------------------- |
| 185 | + |
| 186 | +Vulnerability-specific controls (e.g. "retbleed=off") take precedence over all |
| 187 | +attack vector controls. Mitigations for individual vulnerabilities may be |
| 188 | +turned on or off via their command-line options regardless of the attack vector |
| 189 | +controls. |
| 190 | + |
| 191 | +Summary of attack-vector mitigations |
| 192 | +------------------------------------ |
| 193 | + |
| 194 | +When a vulnerability is mitigated due to an attack-vector control, the default |
| 195 | +mitigation option for that particular vulnerability is used. To use a different |
| 196 | +mitigation, please use the vulnerability-specific command line option. |
| 197 | + |
| 198 | +The table below summarizes which vulnerabilities are mitigated when different |
| 199 | +attack vectors are enabled and assuming the CPU is vulnerable. |
| 200 | + |
| 201 | +=============== ============== ============ ============= ============== ============ ======== |
| 202 | +Vulnerability User-to-Kernel User-to-User Guest-to-Host Guest-to-Guest Cross-Thread Notes |
| 203 | +=============== ============== ============ ============= ============== ============ ======== |
| 204 | +BHI X X |
| 205 | +ITS X X |
| 206 | +GDS X X X X * (Note 1) |
| 207 | +L1TF X X * (Note 2) |
| 208 | +MDS X X X X * (Note 2) |
| 209 | +MMIO X X X X * (Note 2) |
| 210 | +Meltdown X |
| 211 | +Retbleed X X * (Note 3) |
| 212 | +RFDS X X X X |
| 213 | +Spectre_v1 X |
| 214 | +Spectre_v2 X X |
| 215 | +Spectre_v2_user X X * (Note 1) |
| 216 | +SRBDS X X X X |
| 217 | +SRSO X X |
| 218 | +SSB (Note 4) |
| 219 | +TAA X X X X * (Note 2) |
| 220 | +TSA X X X X |
| 221 | +=============== ============== ============ ============= ============== ============ ======== |
| 222 | + |
| 223 | +Notes: |
| 224 | + 1 -- Can be mitigated without disabling SMT. |
| 225 | + |
| 226 | + 2 -- Disables SMT if cross-thread mitigations are fully enabled and the CPU |
| 227 | + is vulnerable |
| 228 | + |
| 229 | + 3 -- Disables SMT if cross-thread mitigations are fully enabled, the CPU is |
| 230 | + vulnerable, and STIBP is not supported |
| 231 | + |
| 232 | + 4 -- Speculative store bypass is always enabled by default (no kernel |
| 233 | + mitigation applied) unless overridden with spec_store_bypass_disable option |
| 234 | + |
| 235 | +When an attack-vector is disabled, all mitigations for the vulnerabilities |
| 236 | +listed in the above table are disabled, unless mitigation is required for a |
| 237 | +different enabled attack-vector or a mitigation is explicitly selected via a |
| 238 | +vulnerability-specific command line option. |
0 commit comments