Noted. I’m posting here about more options for reference in case a challenger appears who could and cares to handle such a project.
IO_uring is a new IO subsystem and is a veritable vuln dumpster fire. The Goog has disabled it on its systems and OSs.
A new 6.6 sysctl is developed just to disable it on boot which we should take advantage of ASAP.
1 Like
Overall, a very interesting set of discussions and suggestions!
I am also trying to catch up on all the details to see whether I can offer any feedback.
2 Likes
This was merged.
How about Speculative Return Stack Overflow (SRSO) — The Linux Kernel documentation?
Quote https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt
    spec_rstack_overflow=
            [X86] Control RAS overflow mitigation on AMD Zen CPUs

            off             - Disable mitigation
            microcode       - Enable microcode mitigation only
            safe-ret        - Enable sw-only safe RET mitigation (default)
            ibpb            - Enable mitigation by issuing IBPB on
                              kernel entry
            ibpb-vmexit     - Issue IBPB only on VMEXIT
                              (cloud-specific mitigation)
See also:
cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow
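
An added example, not code from this thread or from the kernel project: a POSIX shell audit that reads the `spec_rstack_overflow=` boot parameter quoted above and the sysfs status file, and classifies both. The function names and verdict labels are assumptions of this example, and the status strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example: audit the SRSO boot parameter and the sysfs status line.

# Print the effective spec_rstack_overflow= value found in a kernel command
# line string, or "unset". Parameters are handled in order, so the last wins.
# The body runs in a subshell so that "set -f" (no globbing) stays local.
srso_cmdline_value() (
    set -f
    val=unset
    for tok in $1; do
        case $tok in
            spec_rstack_overflow=*) val=${tok#spec_rstack_overflow=} ;;
        esac
    done
    printf '%s\n' "$val"
)

# Classify a value against the options listed in kernel-parameters.txt.
srso_param_verdict() {
    case $1 in
        unset|safe-ret) echo default ;;
        microcode|ibpb|ibpb-vmexit) echo non-default ;;
        off) echo disabled ;;
        *) echo invalid ;;
    esac
}

# Classify a sysfs status line by prefix, e.g. the constructed samples
# "Mitigation: Safe RET" or "Vulnerable: No microcode".
srso_sysfs_verdict() {
    case $1 in
        "Not affected"|"Mitigation:"*) echo ok ;;
        "Vulnerable"*) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# Report on the running system; unreadable files are reported, not fatal.
srso_audit() {
    cmdline_file=${1:-/proc/cmdline}
    sysfs_file=${2:-/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow}
    if [ -r "$cmdline_file" ]; then
        v=$(srso_cmdline_value "$(cat "$cmdline_file")")
        echo "boot parameter: $v ($(srso_param_verdict "$v"))"
    fi
    if [ -r "$sysfs_file" ]; then
        s=$(cat "$sysfs_file")
        echo "sysfs status: $s ($(srso_sysfs_verdict "$s"))"
    else
        echo "sysfs status: file not present on this kernel"
    fi
}

srso_audit
```

A `disabled` or `invalid` boot-parameter verdict, or a `vulnerable` sysfs verdict, is the case to follow up on.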