Speaker
David Kaplan
(AMD)
Description
The kernel command line is an awkward place for CPU mitigation settings especially in environments where security policy needs aren’t known until user-space loads. Dynamic mitigations solve this problem by enabling re-selection of CPU mitigation settings at runtime via sysfs. In response to new settings, the kernel re-patches alternatives, retpolines, etc. just like if it was booted with the new options. This allows for the system to boot securely but later disable mitigations (and regain performance) if they turn out to not be required. This talk will discuss the recent dynamic mitigation RFC and advantages of this approach to mitigation policy management.
Primary author
David Kaplan
(AMD)