Re: [PATCH v2 1/7] sysfs/cpu: Add "Unknown" vulnerability state

Thu, 03 Jan 2019 08:47:30 -0800 

Hi,

On 01/03/2019 10:37 AM, Dave Martin wrote:

On Wed, Jan 02, 2019 at 06:49:15PM -0600, Jeremy Linton wrote:

There is a lot of variation in the Arm ecosystem. Because of this,
there exist possible cases where the kernel cannot authoritatively
determine if a machine is vulnerable.

Rather than guess the vulnerability status in cases where
the mitigation is disabled or the firmware isn't responding
correctly, we need to display an "Unknown" state.

Signed-off-by: Jeremy Linton <jeremy.lin...@arm.com>
Cc: Thomas Gleixner <t...@linutronix.de>
Cc: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Cc: Rafael J. Wysocki <rafael.j.wyso...@intel.com>
Cc: Konrad Rzeszutek Wilk <konrad.w...@oracle.com>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Dave Hansen <dave.han...@intel.com>
Cc: Borislav Petkov <b...@alien8.de>
Cc: David Woodhouse <d...@amazon.co.uk>
---
  Documentation/ABI/testing/sysfs-devices-system-cpu | 1 +
  1 file changed, 1 insertion(+)

diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu 
b/Documentation/ABI/testing/sysfs-devices-system-cpu
index 9605dbd4b5b5..876103fddfa4 100644
--- a/Documentation/ABI/testing/sysfs-devices-system-cpu
+++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
@@ -495,6 +495,7 @@ Description:        Information about CPU vulnerabilities
                "Not affected"          CPU is not affected by the vulnerability
                "Vulnerable"    CPU is affected and no mitigation in effect
                "Mitigation: $M"  CPU is affected and mitigation $M is in effect
+               "Unknown"       The kernel is unable to make a determination


Do some of the "Unknown" cases arise from the vulnerability detection
code being compiled out of the kernel?



Yes,


I wonder whether at least the detection support should be mandatory.
sysfs is not very useful as a standard vulnerability reporting interface
unless we make best efforts to always populate it with real information. >

Also, does "Unknown" convey anything beyond what is indicated by the
sysfs entry being omitted altogether?
I'm not sure about this one. I tend to think the "unknown" case encourages users that really want an answer to dig deeper and call their hardware/os/whoever to get an answer. I would tend to think that if the entry is missing it would tend to encourage the behavior that Greg KH mentions where the user assumes "hey the system doesn't have a sysfs entry for $VUNLERABILITY, that probably means that its not possible on the architecture".

Reply via email to