Re: [RFC PATCH 00/56] Dynamic mitigations

Next message: Markus Elfring: "Re: [PATCH v2 1/1] i3c: fix refcount inconsistency in i3c_master_register"
Previous message: Xin Li: "Re: [PATCH] x86/cpufeatures: Correct LKGS feature flag description"
In reply to: Kaplan, David: "RE: [RFC PATCH 00/56] Dynamic mitigations"
Next in thread: Kaplan, David: "RE: [RFC PATCH 00/56] Dynamic mitigations"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Josh Poimboeuf

Date: Wed Oct 15 2025 - 11:43:10 EST

On Wed, Oct 15, 2025 at 01:53:31PM +0000, Kaplan, David wrote:
> > If `root` is capable of setting `mitigations=off` via this interface,
> > doesn't that somewhat defeat the purpose of denying `/proc/kcore`
> > access in lockdown confidentiality mode? Assuming one is running on a
> > CPU with some form of side-channel memory read vulnerability (which they
> > very likely are), they can turn off all mitigations, then read kernel
> > memory via one of those exploits.
> >
> > There should be a one-way switch to allow denying all further writes to
> > this interface, so that once the system's mitigations are set properly,
> > any further attempts to change them until the next reboot can be
> > prevented.
> >
>
> That's a good idea, there could be a separate mitigation_lock file
> perhaps that once written to 1 denies any further changes.

Wouldn't the enablement of lockdown mode effectively function as that
one way switch?

--
Josh