A post was merged into an existing topic: IO_uring security / vulnerabilties?
Noted. I’m posting here about more options for reference in case a challenger appears who could and cares to handle such a project.
IO_uring is a new IO subsystem and is a veritable vuln dumpster fire. The Goog has disabled it on its systems and OSs.
A new 6.6 sysctl is developed just to disable it on boot which we should take advantage of ASAP.
Overall, a very interesting set of discussions and suggestions!
I am also trying to catch up on the all details to see whether I can offer any feedback.
This was merged.
spec_rstack_overflow= [X86] Control RAS overflow mitigation on AMD Zen CPUs off - Disable mitigation microcode - Enable microcode mitigation only safe-ret - Enable sw-only safe RET mitigation (default) ibpb - Enable mitigation by issuing IBPB on kernel entry ibpb-vmexit - Issue IBPB only on VMEXIT (cloud-specific mitigation)