Linux Kernel 6.17 Revolutionizes CPU Security with “Attack Vector Controls” from AMD
Linux kernel version 6.17 introduces a new processor vulnerability management system—Attack Vector Controls—engineered by AMD’s David Kaplan. This enhancement aims to streamline the configuration of CPU vulnerability mitigations for system administrators and advanced Linux users.
Previously, administrators were required to enable or disable each mitigation manually, navigating a complex landscape of patches related to speculative execution vulnerabilities. The new framework introduces centralized control, categorizing vulnerabilities by attacker type and intended target.
The system delineates attack vectors into five distinct groups:
- user-to-kernel — attacks originating from user space targeting the kernel
- user-to-user — between user-level processes
- guest-to-host — from virtualized guests to the host system
- guest-to-guest — between virtual machines
- cross-thread — between execution threads
Users can now use the mitigations= kernel boot parameter to disable entire vulnerability classes with options such as no_user_kernel, no_guest_host, and others. Multiple options can be chained with commas, for example mitigations=no_user_kernel,no_cross_thread.
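As an added example (not code from the article or from the kernel tree), the POSIX shell function below audits a kernel command line for Attack Vector Controls options and reports which of the five vectors it leaves unmitigated, flagging unrecognised tokens. It assumes the option names no_user_user and no_guest_guest follow the same pattern as the ones the article lists, and treats auto, nosmt and off as the pre-existing global mitigations= values.

```sh
# Added example, not from the article or the kernel tree: audit which attack
# vectors a kernel command line leaves unmitigated via Attack Vector Controls.
# Option names beyond those the article lists (no_user_user, no_guest_guest)
# are assumed to follow the same pattern.
# Map a mitigations= token to the attack vector it disables; prints nothing
# for an unknown token.
vector_for_token() {
    case "$1" in
        no_user_kernel)  echo "user-to-kernel" ;;
        no_user_user)    echo "user-to-user" ;;
        no_guest_host)   echo "guest-to-host" ;;
        no_guest_guest)  echo "guest-to-guest" ;;
        no_cross_thread) echo "cross-thread" ;;
    esac
}
# audit_mitigations CMDLINE: prints "<vector>: mitigated" or "<vector>: DISABLED"
# for each attack vector and returns 1 if mitigations= carries a token this
# script does not recognise (typically a typo that would leave the host in a
# state the admin did not intend).
audit_mitigations() {
    disabled=""
    rc=0
    for word in $1; do
        case "$word" in
            mitigations=*) value=${word#mitigations=} ;;
            *) continue ;;
        esac
        oldifs=$IFS; IFS=,                   # split the value on commas
        for tok in $value; do
            IFS=$oldifs
            case "$tok" in
                off)        disabled="all" ;;   # pre-existing: everything off
                auto|nosmt) ;;                  # pre-existing global settings
                *)
                    v=$(vector_for_token "$tok")
                    if [ -n "$v" ]; then disabled="$disabled $v"
                    else echo "unknown mitigations= token: $tok" >&2; rc=1; fi ;;
            esac
        done
        IFS=$oldifs
    done
    for v in user-to-kernel user-to-user guest-to-host guest-to-guest cross-thread; do
        case " $disabled " in
            *" $v "*|*" all "*) echo "$v: DISABLED" ;;
            *)                  echo "$v: mitigated" ;;
        esac
    done
    return $rc
}
```

On a live host, run it as audit_mitigations "$(cat /proc/cmdline)" and compare the result with the per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities/.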
In addition, Linux 6.17 refines and simplifies several existing mitigation mechanisms. Notably, the defense against Speculative Return Stack Overflow (SRSO) has been clarified, and Retbleed protections have been decoupled from ITS stuffing, a mitigation specific to Intel CPUs. This decoupling permits enabling ITS independently of Retbleed, offering greater configurational flexibility.
The relevant patches were merged into the x86/bugs branch last week. The official documentation for Attack Vector Controls can be found in the Linux kernel repository.
This newly introduced system is poised to simplify system administration, bolster security where it matters most, and reclaim performance in scenarios where specific classes of attacks are deemed irrelevant.