Attack Vector Controls Could Be Ready For Linux 6.17 Introduction
The AMD engineering led work on Attack Vector Controls for the Linux kernel could be mainlined with the upcoming Linux 6.17 kernel with the remaining patches now being queued within a TIP branch.
Sent out last year were the original patches for Attack Vector Controls as a way to re-think CPU security mitigation handling. With Attack Vector Controls it becomes easier for Linux system/server administrators to control which CPU mitigations are applied based upon the intended role of the system, rather than worrying about enabling/disabling individual security mitigations.
Attack Vector Controls allow much easier mitigation management by classifying CPU securirty mitigations in areas of user-to-kernel, user-to-user, guest-to-host, guest-to-guest, and cross-thread mitigations. Depending upon whether the server(s) are running any virtual machines, whether the server is running all trusted VMs or a mix of VMs from different untrusted users, and similar scenarios allow for more effective control of these security mitigations across different AMD and Intel processors.
Back in Linux 6.15 some of the preparation patches were merged while it looks like for Linux 6.17 the actual enablement could be upstreamed.
Merged today via the tip/tip.git's x86/bugs branch are the Attack Vector Controls patches. Now that the patches are in a TIP branch, they will presumably be submitted for the next kernel cycle: the upcoming Linux 6.17 merge window opening around the end of July / early August.
See the current Attack Vector Controls documentation for more information around these upcoming controls for managing CPU security mitigations on Linux systems.
Sent out last year were the original patches for Attack Vector Controls as a way to re-think CPU security mitigation handling. With Attack Vector Controls it becomes easier for Linux system/server administrators to control which CPU mitigations are applied based upon the intended role of the system, rather than worrying about enabling/disabling individual security mitigations.
Attack Vector Controls allow much easier mitigation management by classifying CPU securirty mitigations in areas of user-to-kernel, user-to-user, guest-to-host, guest-to-guest, and cross-thread mitigations. Depending upon whether the server(s) are running any virtual machines, whether the server is running all trusted VMs or a mix of VMs from different untrusted users, and similar scenarios allow for more effective control of these security mitigations across different AMD and Intel processors.
👁 Attack Vector Controls table
Back in Linux 6.15 some of the preparation patches were merged while it looks like for Linux 6.17 the actual enablement could be upstreamed.
Merged today via the tip/tip.git's x86/bugs branch are the Attack Vector Controls patches. Now that the patches are in a TIP branch, they will presumably be submitted for the next kernel cycle: the upcoming Linux 6.17 merge window opening around the end of July / early August.
See the current Attack Vector Controls documentation for more information around these upcoming controls for managing CPU security mitigations on Linux systems.