On Tue, Aug 13, 2019 at 11:28:29PM +0300, Kernel User wrote:
> Hi,
>
> 'ls /sys/devices/system/cpu/vulnerabilities/' doesn't show all known
> CPU vulnerabilities and their variants. Only some of them:
>
> l1tf mds meltdown spec_store_bypass spectre_v1 spectre_v2
>
> Wikipedia shows more variants:
>
> https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)#Speculative_execution_security_vulnerabilities
>
> It would be good to have a full list with statuses. Then one won't need to
> use external (potentially non-safe) tools like
> https://github.com/speed47/spectre-meltdown-checker to find out the
> vulnerabilities of a system.
>
You have to consider that some of those are addressed by a single
mitigation like MDS; the mitigation for others like lazy FPU restore is
not even present in /sys/devices/system/cpu/vulnerabilities/. Also,
depending on the CPU, some are not even affected. So maintaining this in
the kernel is unnecessary to say the least.

We could use a writeup somewhere which maps each vulnerability name - and
they're a gazillion by now - to the respective mitigation and what is
required, but I'm not aware of such a writeup.

Documentation/admin-guide/hw-vuln/ could be a good start and
Documentation/admin-guide/hw-vuln/mds.rst could be a good example of how
one should document the vulnerabilities and their mitigation. But that
would need to be exhaustive.

IMHO of course.

--
Regards/Gruss,
    Boris.

Good mailing practices for 400: avoid top-posting and trim the reply.
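A small reader for the sysfs directory discussed in this thread, added here as an example and not part of either message. It classifies each reported entry by the kernel's status prefix ("Not affected", "Mitigation:", "Vulnerable") and can flag names the directory does not report; the sample directory it builds is constructed to mimic real sysfs output and is not taken from any actual system.

```shell
#!/bin/sh
# Defaults to the real sysfs path; pass a directory to the functions to override it.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS -> one of: not-affected, mitigated, vulnerable, unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# list_vulnerabilities [DIR] -> one line per entry: name<TAB>class<TAB>raw status
list_vulnerabilities() {
    dir="${1:-$VULN_DIR}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        printf '%s\t%s\t%s\n' "$name" "$(classify_status "$status")" "$status"
    done
}

# count_class DIR CLASS -> how many entries fall into CLASS
count_class() {
    list_vulnerabilities "$1" | awk -F'\t' -v c="$2" '$2 == c { n++ } END { print n + 0 }'
}

# missing_entries DIR NAME... -> names the kernel does not expose as a sysfs file
missing_entries() {
    dir="$1"; shift
    for n in "$@"; do
        [ -f "$dir/$n" ] || echo "$n"
    done
}

# make_sample_dir -> constructed stand-in for the sysfs directory (for offline testing)
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable\n' > "$d/l1tf"
    printf 'Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n' > "$d/mds"
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Not affected\n' > "$d/spec_store_bypass"
    printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n' > "$d/spectre_v2"
    echo "$d"
}
```

Run `list_vulnerabilities` with no argument on a live machine to read the real directory.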