On Mon, Jun 23, 2025 at 12:21:05PM +0200, Borislav Petkov wrote:
> On Mon, Jun 23, 2025 at 11:17:02AM +0300, Kirill A. Shutemov wrote:
> > What about this:
> >
> > LASS provides protection against a class of speculative attacks, such as
> > SLAM[1]. Add the "lass" flag to /proc/cpuinfo to indicate that the feature
> > is supported by hardware and enabled by the kernel. This allows userspace
> > to determine if the setup is secure against such attacks.
>
> Yeah, thanks.
>
> I'm still not fully on board with userspace determining whether they're
> mitigated or not but that's a general problem with our mitigations.
>
> Also, I haven't looked at the patchset yet but I think it should be also
> adding code to bugs.c to make all those vulns which it addresses, report that
> they're mitigated by LASS now in
>
> grep -r . /sys/devices/system/cpu/vulnerabilities/
>
> output.
>
> Which makes your cpuinfo flag not really needed as we already have a special
> method for the mitigations reporting.
>
> But ok, it has gotten kernel enablement so stating so in cpuinfo is ok.

Due to SLAM, we decided to postpone LAM enabling, until LASS is landed.

I am not sure if we want to add static
/sys/devices/system/cpu/vulnerabilities/slam with "Mitigation: LASS".

There might be other yet-to-be-discovered speculative attacks that LASS
mitigates. Security features have to be visible to userspace independently of
known vulnerabilities.

-- 
Kiryl Shutsemau / Kirill A. Shutemov
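
The two userspace views discussed in this thread, side by side, as an added example that is not part of the original message or the patchset: a whole-token check for a feature flag on every logical CPU in /proc/cpuinfo, and a scan of the vulnerabilities sysfs directory for entries that are neither "Not affected" nor "Mitigation: ...". It assumes an x86 kernel that carries the proposed "lass" flag; the function names and the sample data are constructed for illustration.

```python
from pathlib import Path

# Constructed samples, not captured from a real machine. "lass" is the flag
# proposed in this thread; "classic" is a made-up token that contains "lass"
# as a substring, to show why a plain substring grep is not enough.
SAMPLE_CPUINFO = (
    "processor\t: 0\nflags\t\t: fpu smep smap lass\n\n"
    "processor\t: 1\nflags\t\t: fpu smep smap classic\n"
)
SAMPLE_VULNS = {
    "meltdown": "Not affected",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "mds": "Vulnerable",
}


def flags_by_cpu(cpuinfo_text):
    """Map each logical CPU number to the set of flags it reports."""
    cpus, current = {}, None
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "processor":
            current = int(value)
            cpus[current] = set()  # stays empty if no flags line follows
        elif key == "flags" and current is not None:
            cpus[current] = set(value.split())
    return cpus


def cpus_missing(cpuinfo_text, flag="lass"):
    """Logical CPUs that do not list the flag (whole-token match)."""
    return sorted(n for n, f in flags_by_cpu(cpuinfo_text).items() if flag not in f)


def not_mitigated(vulns):
    """Entries whose status is neither 'Not affected' nor 'Mitigation: ...'."""
    ok = ("Not affected", "Mitigation")
    return sorted(name for name, s in vulns.items() if not s.startswith(ok))


def read_vulns(path="/sys/devices/system/cpu/vulnerabilities"):
    """Read the real sysfs directory into the dict shape used above."""
    return {p.name: p.read_text().strip() for p in Path(path).iterdir() if p.is_file()}


if __name__ == "__main__":
    print("CPUs without lass:", cpus_missing(SAMPLE_CPUINFO))
    print("not mitigated:", not_mitigated(SAMPLE_VULNS))
```

On a live system, pass `Path("/proc/cpuinfo").read_text()` and `read_vulns()` in place of the samples.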