Re: /sys/devices/system/cpu/vulnerabilities/ doesn't show all known CPU vulnerabilities

From: Thomas Gleixner
Date: Thu Aug 15 2019 - 16:04:25 EST


On Thu, 15 Aug 2019, Kernel User wrote:
> On Thu, 15 Aug 2019 11:03:35 +0200 (CEST) Thomas Gleixner wrote:
>
> > It's used to denote vulnerability classes and their mitigations:
> >
> > - Spectre v1
> > - Spectre v2
> > - Meltdown
> > - SSB
> > - L1TF
> > - MDS
>
> In the Wikipedia article there are:
>
> + Bounds Check Bypass (Spectre, Variant 1)
> + Branch Target Injection (Spectre, Variant 2)
> + Rogue Data Cache Load (Meltdown, Variant 3)
> - Rogue System Register Read (Spectre-NG, Variant 3a)

Is a subclass of Meltdown, but cannot be mitigated in software and we don't
know whether the micro-code contains a fix or not unless the CPU/microcode
tells us that Meltdown is fixed, which includes 3a. We report that
correctly.

It's also not a really spectacular issue. The only valuable data you might
get out of it is info to break KASLR, but there are a gazillion other ways
to do so.

> + Speculative Store Bypass (Spectre-NG, Variant 4)
> - Lazy FP state restore (Spectre-NG)

The kernel is not using lazy restore. Dead kernels did, but they got
patched and no longer allow the lazy mode. So, nothing to see here.

> - Bounds Check Bypass Store (Spectre-NG)

Is a subclass of Spectre V1 similar to the recently published SWAPGS issue.

> + Foreshadow
> - Spoiler

Spoiler cannot be mitigated by any means. It's like Rowhammer. Nothing we
can do about it and nothing to show.

> + Microarchitectural Data Sampling
>
> I have marked with '+' those which I recognize in the list you provided
> and with '-' those which are not.
>
> > We are not tracking subclasses and their individual CVEs.
>
> Why do you say that? In your list only L1TF and MDS are not subclasses,
> i.e. subclasses are in the list. So why not have the others? Also
> Spoiler seems to be a separate class.

What? Spectre V1, V2 and Meltdown and SSB are different classes despite the
variant 1,2,3,4 enumeration. They are different classes because they
utilize different parts of the whole speculative execution machinery and
need very different mitigation mechanisms.

Just because Wikipedia has a list of some sort does not mean that we have
to blindly follow it.

Thanks,

tglx
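The thread turns on what the kernel does and does not report under /sys/devices/system/cpu/vulnerabilities/. The script below is an added example (not part of the message or of the kernel tree) for auditing those files from the defender's side: it reads every status file present, classifies each one by the prefix the kernel uses ("Not affected", "Mitigation: ...", "Vulnerable..."), and lists what is still unmitigated. The file names and status strings in SAMPLE are a constructed snapshot of what a 2019-era x86 host might show; the l1tf entry is included because its mitigation text contains the word "vulnerable", which trips a naive substring check. When the sysfs directory is absent (a non-Linux box, or a sandbox), the constructed sample is audited instead.

```python
"""Audit the per-vulnerability status files the kernel exposes in sysfs.
Added example; not code from the thread or from the kernel tree."""
from pathlib import Path

# Directory the thread discusses; only the classes the kernel tracks appear here.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample (not read from a real machine) in the kernel's own format.
# l1tf: "SMT vulnerable" inside a "Mitigation:" line must still count as mitigated.
SAMPLE = {
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, "
                  "STIBP: conditional, RSB filling",
    "meltdown": "Mitigation: PTI",
    "spec_store_bypass": "Vulnerable",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "mds": "Not affected",
}


def classify(status):
    """Map one status line to a coarse state, keyed on the kernel's prefix."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):      # "Vulnerable" or "Vulnerable: <detail>"
        return "vulnerable"
    return "unknown"                     # a format this script does not recognise


def read_sysfs(directory=SYSFS_DIR):
    """Return {name: status} for every file in the directory, {} if it is absent."""
    directory = Path(directory)
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text().strip()
            for p in sorted(directory.iterdir()) if p.is_file()}


def audit(statuses):
    """Classify every entry and return (report, names needing attention)."""
    report = {name: classify(text) for name, text in statuses.items()}
    needs_attention = sorted(n for n, c in report.items()
                             if c in ("vulnerable", "unknown"))
    return report, needs_attention


if __name__ == "__main__":
    live = read_sysfs()
    statuses = live or SAMPLE
    report, needs_attention = audit(statuses)
    print("source:", "live sysfs" if live else "constructed sample")
    for name in sorted(statuses):
        print(f"{name:20s} {report[name]:13s} {statuses[name]}")
    print("needs attention:", ", ".join(needs_attention) or "none")
```

Two things the output makes visible: entries the kernel reports as "Not affected" are stated by the CPU or microcode, not inferred by the script, and a name that is simply missing from the directory (Spoiler, variant 3a, lazy FP restore) is not an unmitigated finding, for exactly the reasons the reply gives; the script only judges what the kernel chose to publish.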