Support for validation of cpu vulnerabilities

[artem-sidorenko]

Is your feature request related to a problem? Please describe.

There are several CPU vulnerabilities, where the fixes expose via sysfs the state of protection. E.g. /sys/devices/system/cpu/vulnerabilities/mds for new MDS vulnerability.

Describe the solution you'd like

This baseline should include the validation of this options.

[artem-sidorenko]

@chris-rock @atomic111 @rndmh3ro @mcgege opinions on this?

[chris-rock]

+1 on that

[mcgege]

+1 good idea!

[rndmh3ro]

I also like the idea!

Should be as easy as searching for "Vulnerable" on all files in the folder:

root:~$ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling

[atomic111]

+1