x86: deduplicate the spectre_v2_user documentation
This would need updating to make prctl be the new default, but it's simpler to delete it and refer to the dup.

Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20201105001406.13005-2-aarcange@redhat.com
parent
2f46993d83
commit
d9bbdbf324
1 changed files with 2 additions and 49 deletions
|
@ -593,61 +593,14 @@ kernel command line.
|
||||||
Not specifying this option is equivalent to
|
Not specifying this option is equivalent to
|
||||||
spectre_v2=auto.
|
spectre_v2=auto.
|
||||||
|
|
||||||
For user space mitigation:
|
|
||||||
|
|
||||||
spectre_v2_user=
|
|
||||||
|
|
||||||
[X86] Control mitigation of Spectre variant 2
|
|
||||||
(indirect branch speculation) vulnerability between
|
|
||||||
user space tasks
|
|
||||||
|
|
||||||
on
|
|
||||||
Unconditionally enable mitigations. Is
|
|
||||||
enforced by spectre_v2=on
|
|
||||||
|
|
||||||
off
|
|
||||||
Unconditionally disable mitigations. Is
|
|
||||||
enforced by spectre_v2=off
|
|
||||||
|
|
||||||
prctl
|
|
||||||
Indirect branch speculation is enabled,
|
|
||||||
but mitigation can be enabled via prctl
|
|
||||||
per thread. The mitigation control state
|
|
||||||
is inherited on fork.
|
|
||||||
|
|
||||||
prctl,ibpb
|
|
||||||
Like "prctl" above, but only STIBP is
|
|
||||||
controlled per thread. IBPB is issued
|
|
||||||
always when switching between different user
|
|
||||||
space processes.
|
|
||||||
|
|
||||||
seccomp
|
|
||||||
Same as "prctl" above, but all seccomp
|
|
||||||
threads will enable the mitigation unless
|
|
||||||
they explicitly opt out.
|
|
||||||
|
|
||||||
seccomp,ibpb
|
|
||||||
Like "seccomp" above, but only STIBP is
|
|
||||||
controlled per thread. IBPB is issued
|
|
||||||
always when switching between different
|
|
||||||
user space processes.
|
|
||||||
|
|
||||||
auto
|
|
||||||
Kernel selects the mitigation depending on
|
|
||||||
the available CPU features and vulnerability.
|
|
||||||
|
|
||||||
Default mitigation:
|
|
||||||
If CONFIG_SECCOMP=y then "seccomp", otherwise "prctl"
|
|
||||||
|
|
||||||
Not specifying this option is equivalent to
|
|
||||||
spectre_v2_user=auto.
|
|
||||||
|
|
||||||
In general the kernel by default selects
|
In general the kernel by default selects
|
||||||
reasonable mitigations for the current CPU. To
|
reasonable mitigations for the current CPU. To
|
||||||
disable Spectre variant 2 mitigations, boot with
|
disable Spectre variant 2 mitigations, boot with
|
||||||
spectre_v2=off. Spectre variant 1 mitigations
|
spectre_v2=off. Spectre variant 1 mitigations
|
||||||
cannot be disabled.
|
cannot be disabled.
|
||||||
|
|
||||||
|
For spectre_v2_user see :doc:`/admin-guide/kernel-parameters`.
|
||||||
|
|
||||||
Mitigation selection guide
|
Mitigation selection guide
|
||||||
--------------------------
|
--------------------------
|
||||||
|
|
||||||
|
|
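Review bot: the replacement line "For spectre_v2_user see :doc:`/admin-guide/kernel-parameters`" drops the only statement of the default ("If CONFIG_SECCOMP=y then "seccomp", otherwise "prctl"") from this document, and the commit message says that default is about to change to prctl; please confirm the kernel-parameters copy is updated in the same series (the Link points at patch 2 of a series), otherwise the cross-reference hands readers the stale text this patch is trying to avoid maintaining. Also, a :doc: link lands at the top of the whole kernel-parameters document rather than at the spectre_v2_user entry, so keeping the option name in the sentence, as done here, is the right call; a one-line summary such as "which controls STIBP/IBPB between user space tasks (on, off, prctl, prctl,ibpb, seccomp, seccomp,ibpb, auto)" would let a reader of the hw-vuln guide know what to search for without reintroducing the duplicated table.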