xref: /linux/Documentation/admin-guide/hw-vuln/attack_vector_controls.rst (revision 5c3b3264e5858813632031ba58bcd6e1eeb3b214)
.. SPDX-License-Identifier: GPL-2.0

Attack Vector Controls
======================

Attack vector controls provide a simple method to configure only the mitigations
for CPU vulnerabilities which are relevant given the intended use of a system.
Administrators are encouraged to consider which attack vectors are relevant and
disable all others in order to recoup system performance.

When new relevant CPU vulnerabilities are found, they will be added to these
attack vector controls, so administrators will likely not need to reconfigure
their command line parameters: mitigations will continue to be applied
correctly based on the chosen attack vector controls.

Attack Vectors
--------------

There are 5 sets of attack-vector mitigations currently supported by the kernel:

#. :ref:`user_kernel`
#. :ref:`user_user`
#. :ref:`guest_host`
#. :ref:`guest_guest`
#. :ref:`smt`

To control the enabled attack vectors, see :ref:`cmdline`.

.. _user_kernel:

User-to-Kernel
^^^^^^^^^^^^^^

The user-to-kernel attack vector involves a malicious userspace program
attempting to leak kernel data into userspace by exploiting a CPU vulnerability.
The kernel data involved might be limited to certain kernel memory, or include
all memory in the system, depending on the vulnerability exploited.

If no untrusted userspace applications are being run, such as with single-user
systems, consider disabling user-to-kernel mitigations.

Note that the CPU vulnerabilities mitigated by Linux have generally not been
shown to be exploitable from browser-based sandboxes.  User-to-kernel
mitigations are therefore mostly relevant if unknown userspace applications may
be run by untrusted users.

*user-to-kernel mitigations are enabled by default*

.. _user_user:

User-to-User
^^^^^^^^^^^^

The user-to-user attack vector involves a malicious userspace program attempting
to influence the behavior of another unsuspecting userspace program in order to
exfiltrate data.  The vulnerability of a userspace program is based on the
program itself and the interfaces it provides.

If no untrusted userspace applications are being run, consider disabling
user-to-user mitigations.

Note that because the Linux kernel contains a mapping of all physical memory,
preventing a malicious userspace program from leaking data from another
userspace program requires mitigating user-to-kernel attacks as well for
complete protection.

*user-to-user mitigations are enabled by default*

.. _guest_host:

Guest-to-Host
^^^^^^^^^^^^^

The guest-to-host attack vector involves a malicious VM attempting to leak
hypervisor data into the VM.  The data involved may be limited, or may
potentially include all memory in the system, depending on the vulnerability
exploited.

If no untrusted VMs are being run, consider disabling guest-to-host mitigations.

*guest-to-host mitigations are enabled by default if KVM support is present*

.. _guest_guest:

Guest-to-Guest
^^^^^^^^^^^^^^

The guest-to-guest attack vector involves a malicious VM attempting to influence
the behavior of another unsuspecting VM in order to exfiltrate data.  The
vulnerability of a VM is based on the code inside the VM itself and the
interfaces it provides.

If no untrusted VMs, or only a single VM, is being run, consider disabling
guest-to-guest mitigations.

Similar to the user-to-user attack vector, preventing a malicious VM from
leaking data from another VM requires mitigating guest-to-host attacks as well,
because the Linux kernel maps all physical memory.

*guest-to-guest mitigations are enabled by default if KVM support is present*

.. _smt:

Cross-Thread
^^^^^^^^^^^^

The cross-thread attack vector involves a malicious userspace program or
malicious VM either observing or attempting to influence the behavior of code
running on the SMT sibling thread in order to exfiltrate data.

Many cross-thread attacks can only be mitigated if SMT is disabled, which will
result in reduced CPU core count and reduced performance.

If cross-thread mitigations are fully enabled ('auto,nosmt'), all mitigations
for cross-thread attacks will be enabled.  SMT may be disabled depending on
which vulnerabilities are present in the CPU.

If cross-thread mitigations are partially enabled ('auto'), mitigations for
cross-thread attacks will be enabled but SMT will not be disabled.

If cross-thread mitigations are disabled, no mitigations for cross-thread
attacks will be enabled.

Cross-thread mitigation may not be required if core-scheduling or similar
techniques are used to prevent untrusted workloads from running on SMT siblings.

*cross-thread mitigations default to partially enabled*
128
129.. _cmdline:
130
131Command Line Controls
132---------------------
133
134Attack vectors are controlled through the mitigations= command line option.  The
135value provided begins with a global option and then may optionally include one
136or more options to disable various attack vectors.
137
138Format:
139	| ``mitigations=[global]``
140	| ``mitigations=[global],[attack vectors]``
141
142Global options:
143
144============ =============================================================
145Option       Description
146============ =============================================================
147'off'        All attack vectors disabled.
148'auto'       All attack vectors enabled, partial cross-thread mitigations.
149'auto,nosmt' All attack vectors enabled, full cross-thread mitigations.
150============ =============================================================
151
152Attack vector options:
153
154================= =======================================
155Option            Description
156================= =======================================
157'no_user_kernel'  Disables user-to-kernel mitigations.
158'no_user_user'    Disables user-to-user mitigations.
159'no_guest_host'   Disables guest-to-host mitigations.
160'no_guest_guest'  Disables guest-to-guest mitigations
161'no_cross_thread' Disables all cross-thread mitigations.
162================= =======================================
163
164Multiple attack vector options may be specified in a comma-separated list.  If
165the global option is not specified, it defaults to 'auto'.  The global option
166'off' is equivalent to disabling all attack vectors.
167
168Examples:
169	| ``mitigations=auto,no_user_kernel``
170
171	Enable all attack vectors except user-to-kernel.  Partial cross-thread
172	mitigations.
173
174	| ``mitigations=auto,nosmt,no_guest_host,no_guest_guest``
175
176	Enable all attack vectors and cross-thread mitigations except for
177	guest-to-host and guest-to-guest mitigations.
178
179	| ``mitigations=,no_cross_thread``
180
181	Enable all attack vectors but not cross-thread mitigations.
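The format and examples above, modelled as a parser (an added example, not kernel code): the names parse_mitigations and from_proc_cmdline are this example's own, and kvm=False stands in for a kernel built without KVM support, where the guest vectors are not enabled by default.

```python
VECTORS = ("user_kernel", "user_user", "guest_host", "guest_guest", "cross_thread")


def parse_mitigations(value, kvm=True):
    """Return {vector: state} for the text after 'mitigations='.
    State is 'on' or 'off'; cross_thread is 'full', 'partial' or 'off'.
    kvm=False models a kernel without KVM support, where the guest vectors
    are not enabled by default."""
    parts = value.split(",")
    if parts[0] == "":          # 'mitigations=,no_cross_thread': global is 'auto'
        parts[0] = "auto"
    if parts[:2] == ["auto", "nosmt"]:   # the only two-token global option
        glob, opts = "auto,nosmt", parts[2:]
    else:
        glob, opts = parts[0], parts[1:]
    if glob not in ("off", "auto", "auto,nosmt"):
        raise ValueError("unknown global option: %r" % glob)
    state = {v: "off" if glob == "off" else "on" for v in VECTORS}
    if glob != "off":
        state["cross_thread"] = "full" if glob == "auto,nosmt" else "partial"
        if not kvm:
            state["guest_host"] = state["guest_guest"] = "off"
    for opt in opts:
        if not opt.startswith("no_") or opt[3:] not in VECTORS:
            raise ValueError("unknown attack vector option: %r" % opt)
        state[opt[3:]] = "off"   # 'off' equals naming every vector here
    return state


def from_proc_cmdline(cmdline, kvm=True):
    """Pick the mitigations= parameter out of a /proc/cmdline string.
    A missing parameter is treated as 'auto', the documented default;
    if the parameter is repeated, the last one is used (assumption)."""
    value = ""
    for word in cmdline.split():
        if word.startswith("mitigations="):
            value = word[len("mitigations="):]
    return parse_mitigations(value, kvm)
```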
182
183Interactions with command-line options
184--------------------------------------
185
186Vulnerability-specific controls (e.g. "retbleed=off") take precedence over all
187attack vector controls.  Mitigations for individual vulnerabilities may be
188turned on or off via their command-line options regardless of the attack vector
189controls.
190
191Summary of attack-vector mitigations
192------------------------------------
193
194When a vulnerability is mitigated due to an attack-vector control, the default
195mitigation option for that particular vulnerability is used.  To use a different
196mitigation, please use the vulnerability-specific command line option.
197
198The table below summarizes which vulnerabilities are mitigated when different
199attack vectors are enabled and assuming the CPU is vulnerable.
200
201=============== ============== ============ ============= ============== ============ ========
202Vulnerability   User-to-Kernel User-to-User Guest-to-Host Guest-to-Guest Cross-Thread Notes
203=============== ============== ============ ============= ============== ============ ========
204BHI                   X                           X
205ITS                   X                           X
206GDS                   X              X            X              X            *       (Note 1)
207L1TF                  X                           X                           *       (Note 2)
208MDS                   X              X            X              X            *       (Note 2)
209MMIO                  X              X            X              X            *       (Note 2)
210Meltdown              X
211Retbleed              X                           X                           *       (Note 3)
212RFDS                  X              X            X              X
213Spectre_v1            X
214Spectre_v2            X                           X
215Spectre_v2_user                      X                           X            *       (Note 1)
216SRBDS                 X              X            X              X
217SRSO                  X              X            X              X
218SSB                                  X
219TAA                   X              X            X              X            *       (Note 2)
220TSA                   X              X            X              X
221=============== ============== ============ ============= ============== ============ ========
222
223Notes:
224   1 --  Can be mitigated without disabling SMT.
225
226   2 --  Disables SMT if cross-thread mitigations are fully enabled  and the CPU
227   is vulnerable
228
229   3 --  Disables SMT if cross-thread mitigations are fully enabled, the CPU is
230   vulnerable, and STIBP is not supported
231
232When an attack-vector is disabled, all mitigations for the vulnerabilities
233listed in the above table are disabled, unless mitigation is required for a
234different enabled attack-vector or a mitigation is explicitly selected via a
235vulnerability-specific command line option.
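The summary table and the rule in the last paragraph, encoded as a lookup (an added example, not kernel code): it assumes every listed vulnerability is present on the CPU, that no vulnerability-specific option is given, and that the '*' cross-thread column only decides whether SMT is disabled, as notes 1 to 3 describe. The names resolve and lost_by_disabling are chosen here.

```python
ABBREV = {"UK": "user_kernel", "UU": "user_user",
          "GH": "guest_host", "GG": "guest_guest"}
# The X columns of the summary table. The '*' cross-thread column only decides
# whether SMT gets disabled, so it is carried separately as the note number.
TABLE = {
    "BHI": "UK GH", "ITS": "UK GH", "GDS": "UK UU GH GG", "L1TF": "UK GH",
    "MDS": "UK UU GH GG", "MMIO": "UK UU GH GG", "Meltdown": "UK",
    "Retbleed": "UK GH", "RFDS": "UK UU GH GG", "Spectre_v1": "UK",
    "Spectre_v2": "UK GH", "Spectre_v2_user": "UU GG", "SRBDS": "UK UU GH GG",
    "SRSO": "UK UU GH GG", "SSB": "UU", "TAA": "UK UU GH GG", "TSA": "UK UU GH GG",
}
SMT_NOTE = {"GDS": 1, "L1TF": 2, "MDS": 2, "MMIO": 2, "Retbleed": 3,
            "Spectre_v2_user": 1, "TAA": 2}


def resolve(enabled, cross_thread="partial", stibp=True):
    """Apply the table to a set of enabled attack vectors.

    Returns (why, smt_off): `why` maps each vulnerability that stays
    mitigated to the enabled vectors requiring it; `smt_off` holds the
    vulnerabilities whose mitigation will disable SMT.  `cross_thread` is
    'full', 'partial' or 'off' ('auto,nosmt', 'auto' or 'no_cross_thread');
    `stibp` says whether the CPU supports STIBP (matters for note 3 only).
    """
    why, smt_off = {}, set()
    for vuln, cols in TABLE.items():
        need = {ABBREV[c] for c in cols.split()} & set(enabled)
        if not need:
            continue  # every vector this row is listed under is disabled
        why[vuln] = need
        note = SMT_NOTE.get(vuln)
        # Notes 2 and 3: SMT is disabled only under full cross-thread
        # mitigation; note 3 additionally requires STIBP to be unsupported.
        if cross_thread == "full" and (note == 2 or (note == 3 and not stibp)):
            smt_off.add(vuln)
    return why, smt_off


def lost_by_disabling(vector, enabled):
    """Vulnerabilities that stop being mitigated if `vector` is removed from
    the enabled set: the question to ask before adding a no_* option."""
    before, _ = resolve(enabled)
    after, _ = resolve(set(enabled) - {vector})
    return sorted(set(before) - set(after))
```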
236