Re: [RFC PATCH 18/34] Documentation/x86: Document the new attack vector controls

[Manwaring, Derek]

On 2024-09-12 14:08-0500 David Kaplan wrote:
> +
> +Summary of attack-vector mitigations
> +------------------------------------
> +
> +When a vulnerability is mitigated due to an attack-vector control, the default
> +mitigation option for that particular vulnerability is used.  To use a different
> +mitigation, please use the vulnerability-specific command line option.
> +
> +The table below summarizes which vulnerabilities are mitigated when different
> +attack vectors are enabled and assuming the CPU is vulnerable.

Really excited to see this breakdown of which attacks matter when. I
think this will help demystify the space generally. I am tempted to add
even more issues to the table, but I suppose the idea is to limit only
to issues for which there is a kernel parameter, is that right?

I think it'd be useful to get to a point that if someone comes across
one of the many papers & issue names, they could find it here and have
an idea of how it impacts their workload. Maybe this isn't the place for
that kind of a glossary, but interested in hearing where you see
something like that fitting in. If we could at least add a column or
footnote for each to capture something like "SRSO is also known as
Inception and CVE-2023-20569," I think that would go a long way to
reduce confusion.

Derek