Documentation/x86: Document new attack vector controls
author David Kaplan <david.kaplan@amd.com>
Wed, 9 Jul 2025 15:57:31 +0000 (10:57 -0500)
committer Borislav Petkov (AMD) <bp@alien8.de>
Fri, 11 Jul 2025 15:51:43 +0000 (17:51 +0200)
commit 1caa1b0509eaec2ea111b875da4eddb44edc9ea5
tree 8eea120741fa55458ea1c0245e39f241a1732160
parent fde494e9058dce6240bc746657f005c3aa51e2e8
Documentation/x86: Document new attack vector controls

Document the 5 new attack vector command line options, how they
interact with existing vulnerability controls, and recommendations on when
they can be disabled.

Note that while mitigating against untrusted userspace requires both
user-to-kernel and user-to-user protection, these are kept separate.  The
kernel can control what code executes inside of it and that may affect the
risk associated with vulnerabilities especially if new kernel mitigations
are implemented.  The same isn't typically true of userspace.

In other words, the risk associated with user-to-user or guest-to-guest
attacks is unlikely to change over time, while the risk associated with
user-to-kernel or guest-to-host attacks may change.  Therefore, these
controls are separated.

Signed-off-by: David Kaplan <david.kaplan@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/20250709155731.3279419-1-david.kaplan@amd.com
Documentation/admin-guide/hw-vuln/attack_vector_controls.rst [new file with mode: 0644]
Documentation/admin-guide/hw-vuln/index.rst
Documentation/admin-guide/kernel-parameters.txt