Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

x86/bugs: Add a separate config for GDS

Currently, CONFIG_SPECULATION_MITIGATIONS is halfway populated, where some
mitigations have entries in Kconfig, and they could be modified, while other
mitigations do not have Kconfig entries, and could not be controlled at build
time.

Create a new kernel config that allows GDS to be completely disabled,
similarly to the "gather_data_sampling=off" or "mitigations=off" kernel
command-line.

Now, there are two options for GDS mitigation:

* CONFIG_MITIGATION_GDS=n -> Mitigation disabled (New)
* CONFIG_MITIGATION_GDS=y -> Mitigation enabled (GDS_MITIGATION_FULL)

Suggested-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
Link: https://lore.kernel.org/r/20240729164105.554296-12-leitao@debian.org

Authored by Breno Leitao, committed by Borislav Petkov (AMD)
225f2bd0 03267a53

Diffstat: +12 -1

arch/x86/Kconfig (+10)
··· 2610 2610 against straight line speculation. The kernel image might be slightly 2611 2611 larger. 2612 2612 2613 + config MITIGATION_GDS 2614 + bool "Mitigate Gather Data Sampling" 2615 + depends on CPU_SUP_INTEL 2616 + default y 2617 + help 2618 + Enable mitigation for Gather Data Sampling (GDS). GDS is a hardware 2619 + vulnerability which allows unprivileged speculative access to data 2620 + which was previously stored in vector registers. The attacker uses gather 2621 + instructions to infer the stale vector register data. 2622 + 2613 2623 config MITIGATION_RFDS 2614 2624 bool "RFDS Mitigation" 2615 2625 depends on CPU_SUP_INTEL
arch/x86/kernel/cpu/bugs.c (+2 -1)
··· 735 735 GDS_MITIGATION_HYPERVISOR, 736 736 }; 737 737 738 - static enum gds_mitigations gds_mitigation __ro_after_init = GDS_MITIGATION_FULL; 738 + static enum gds_mitigations gds_mitigation __ro_after_init = 739 + IS_ENABLED(CONFIG_MITIGATION_GDS) ? GDS_MITIGATION_FULL : GDS_MITIGATION_OFF; 739 740 740 741 static const char * const gds_strings[] = { 741 742 [GDS_MITIGATION_OFF] = "Vulnerable",
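Review bot: In the arch/x86/Kconfig hunk, the help text for MITIGATION_GDS describes the vulnerability but never says what the option actually controls: it only sets the build-time default (the bugs.c hunk shows it picking GDS_MITIGATION_FULL or GDS_MITIGATION_OFF as the initial value), and the "gather_data_sampling=" and "mitigations=" command-line parameters named in the commit message still override it at boot. Suggest adding a sentence such as "If unsure, say Y" plus "This only sets the default; it can still be overridden with gather_data_sampling= on the kernel command line", and, for consistency with the neighbouring "RFDS Mitigation" entry, naming the prompt "GDS Mitigation" rather than "Mitigate Gather Data Sampling".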
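Review bot: In the arch/x86/kernel/cpu/bugs.c hunk, the new initialiser makes GDS_MITIGATION_OFF the starting state when CONFIG_MITIGATION_GDS=n, and the surrounding gds_strings[] context shows that state is reported as "Vulnerable". Please confirm in the commit message or a comment that the rest of the GDS selection code treats this compiled-in OFF default exactly like the "gather_data_sampling=off" path (including when mitigations=off or gather_data_sampling=force is also passed), since the two paths now reach the same state by different routes; a boot of a CONFIG_MITIGATION_GDS=n kernel should show "Vulnerable" in the gather_data_sampling entry under /sys/devices/system/cpu/vulnerabilities/, and stating that expected result would make the change easier to verify.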